* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme
- fix spec file [SME: 13172] - fix 05IgnoreIP fragment [SME: 12453] - whitelist WAN IP [SME: 12199] - create Fail2Ban chain if missing when reloading the firewall [SME: 10786] - update qpsmtpd log path - fix createlinks
		| @@ -6,7 +6,10 @@ use Net::IPv4Addr; | ||||
| my $n = esmith::NetworksDB->open_ro() || | ||||
|   die "Couldn't open networks DB\n"; | ||||
|  | ||||
| my @ip = ("127.0.0.0/8", $LocalIP); | ||||
| # do not block localhost and LAN | ||||
| my @ip = ("127.0.0.0/8", "$LocalIP/32"); | ||||
| # if ExternalIP exist do not block WAN | ||||
| push @ip, "$ExternalIP/32" if $ExternalIP; | ||||
|  | ||||
| # Add hosts which can access the server-manager to the whitelist | ||||
| unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){ | ||||
| @@ -28,6 +31,7 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){ | ||||
| # Add a local whitelist | ||||
| foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){ | ||||
|     my $addr = $_; | ||||
|     next unless (length $addr); | ||||
|     $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/); | ||||
|     my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr"); | ||||
|     push @ip, "$ip/$bits"; | ||||
|   | ||||
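Review bot: In the IgnoreIP loop the entries are split on `,`/`;` but never trimmed, so a value written as `1.2.3.4, 5.6.7.8` hands ` 5.6.7.8` to `Net::IPv4Addr::ipv4_parse`, and if I recall correctly that function croaks on input it cannot parse (surrounding whitespace included, unless it is tolerant of it), which aborts expansion of the whole fragment on a single bad database entry instead of skipping it. Trimming each entry and wrapping the parse in `eval`, with a `warn` and `next` on failure, keeps one typo in `IgnoreIP` from taking the whitelist and the rest of the generated configuration down with it. The `foreach` loop opened at the top of the hunk closes outside it.
```perl
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
    my $addr = $_;
    $addr =~ s/^\s+|\s+$//g;          # tolerate "a, b" style lists
    next unless (length $addr);
    $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
    my ($ip,$bits) = eval { Net::IPv4Addr::ipv4_parse("$addr") };
    unless (defined $ip) {
        warn "fail2ban IgnoreIP: skipping unparsable entry '$addr': $@";
        next;
    }
    push @ip, "$ip/$bits";
    # … unchanged: remainder of the loop body (outside the hunk) …
```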
| @@ -7,6 +7,8 @@ my @ports = (); | ||||
| push @ports, ($qpsmtpd{'TCPPort'} || '25'); | ||||
| push @ports, ($sqpsmtpd{'TCPPort'} || '465') | ||||
|   if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled'); | ||||
| push @ports, ($uqpsmtpd{'TCPPort'} || '587') | ||||
|   if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled'); | ||||
| my $port = join (",", @ports); | ||||
|  | ||||
| my $max = $maxretry*3; | ||||
| @@ -16,7 +18,7 @@ $OUT .=<<"EOF"; | ||||
| [qpsmtpd] | ||||
| enabled  = true | ||||
| filter   = qpsmtpd | ||||
| logpath  = /var/log/*qpsmtpd/current | ||||
| logpath  = /var/log/*qpsmtpd/*qpsmtpd.log | ||||
| maxretry = $max | ||||
| action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime] | ||||
| EOF | ||||
|   | ||||
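Review bot: The new submission-port guard is broken: `if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');` drops the `$` sigil and spells the hash differently from `$uqpsmtpd{'TCPPort'}` on the line above, so Perl sees a bareword rather than a hash lookup and the fragment will either fail to compile under strict or, without it, test something other than the uqpsmtpd status. It should read `if (($uqpsmtpd{'status'} || 'disabled') eq 'enabled');`, mirroring the `$sqpsmtpd` line two lines earlier. Either way, as written port 587 is unlikely to reach the `smeserver-iptables` action, so the submission service would go unwatched by fail2ban.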
| @@ -1,6 +1,21 @@ | ||||
| { | ||||
|     my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') || | ||||
|         esmith::ConfigDB->create('fail2ban'); | ||||
|  | ||||
|    # to allow reload  without locking  just after initial install or if chain has been deleted | ||||
|    $OUT .=<<'EOF'; | ||||
|    iptables -n --list Fail2Ban >/dev/null 2>&1 | ||||
|    test=$? | ||||
|    if [[ $test -eq 1 ]] ; then | ||||
|    # A blacklist chain for xtables-addons Fail2Ban | ||||
|     /sbin/iptables --new-chain Fail2Ban | ||||
|     /sbin/iptables --new-chain Fail2Ban_1 | ||||
|     /sbin/iptables --append Fail2Ban -j Fail2Ban_1 | ||||
|     /sbin/iptables --insert INPUT 1 \ | ||||
|        -j Fail2Ban | ||||
|    fi | ||||
| EOF | ||||
|  | ||||
|     # Find the current Fail2Ban_$$ chain, and create a new one. | ||||
|     $OUT .=<<'EOF'; | ||||
|     OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find) | ||||
|   | ||||
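Review bot: The existence probe `iptables -n --list Fail2Ban` resolves the binary through PATH while every other line of the new heredoc calls `/sbin/iptables` explicitly; use the same absolute path so the check and the chain creation cannot resolve to different binaries, i.e. `/sbin/iptables -n --list Fail2Ban >/dev/null 2>&1`. Testing `$test -eq 1` specifically also means any other non-zero status from iptables skips chain creation silently, after which the `get_safe_id` lookup (whose heredoc continues outside the hunk) runs against a chain that still does not exist; if only a missing chain is meant to trigger creation, a comment saying so is worth adding, otherwise `if ! /sbin/iptables -n --list Fail2Ban >/dev/null 2>&1; then` is simpler and drops the `test` variable. The `[[ ... ]]` test assumes bash runs the generated script, which I cannot confirm from the hunk. The `{` block opened on the first line of the hunk closes outside it.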