* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme

- fix spec file [SME: 13172] - fix 05IgnoreIP fragment [SME: 12453] - whitelist wan ip [SME: 12199] - create Fail2ban chain if missing on reloading firewall [SME: 10786] - update qpsmtpd logs path - fix createlinks
2025-09-26 10:20:56 -04:00
parent b596eafc6c
commit 21e6e9a0dd
8 changed files with 46 additions and 22 deletions
--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
@@ -6,7 +6,10 @@ use Net::IPv4Addr;
 my $n = esmith::NetworksDB->open_ro() ||
  die "Couldn't open networks DB\n";

-my @ip = ("127.0.0.0/8", $LocalIP);
+# do not block localhost and LAN
+my @ip = ("127.0.0.0/8", "$LocalIP/32");
+# if ExternalIP exist do not block WAN
+push @ip, "$ExternalIP/32" if $ExternalIP;

 # Add hosts which can access the server-manager to the whitelist
 unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
@@ -28,6 +31,7 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
 # Add a local whitelist
 foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
    my $addr = $_;
+    next unless (length $addr);
    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
    my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
    push @ip, "$ip/$bits";
--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service20qpsmtpd
@@ -7,6 +7,8 @@ my @ports = ();
 push @ports, ($qpsmtpd{'TCPPort'} || '25');
 push @ports, ($sqpsmtpd{'TCPPort'} || '465')
  if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
+push @ports, ($uqpsmtpd{'TCPPort'} || '587')
+  if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');
 my $port = join (",", @ports);

 my $max = $maxretry*3;
@@ -16,7 +18,7 @@ $OUT .=<<"EOF";
 [qpsmtpd]
 enabled  = true
 filter   = qpsmtpd
-logpath  = /var/log/*qpsmtpd/current
+logpath  = /var/log/*qpsmtpd/*qpsmtpd.log
 maxretry = $max
 action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
 EOF
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
@@ -1,6 +1,21 @@
 {
    my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') ||
        esmith::ConfigDB->create('fail2ban');
+
+   # to allow reload  without locking  just after initial install or if chain has been deleted
+   $OUT .=<<'EOF';
+   iptables -n --list Fail2Ban >/dev/null 2>&1
+   test=$?
+   if [[ $test -eq 1 ]] ; then
+   # A blacklist chain for xtables-addons Fail2Ban
+    /sbin/iptables --new-chain Fail2Ban
+    /sbin/iptables --new-chain Fail2Ban_1
+    /sbin/iptables --append Fail2Ban -j Fail2Ban_1
+    /sbin/iptables --insert INPUT 1 \
+       -j Fail2Ban
+   fi
+EOF
+
    # Find the current Fail2Ban_$$ chain, and create a new one.
    $OUT .=<<'EOF';
    OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)