Fail2ban : ignore IP from network

pnemenz 2018-05-11 06:04:05 UTC #1

when trying to whitelist a subnet in the form xxx.xxx.xxx.xxx/xx I’ll get the response

    AllowedIP_label
        "192.168.178.0/24" ist keine IP

to add the network with the commandline works

fail2ban-client set <jail> addignoreip xxx.xxx.xxx.xxx/xx

stephdl (Stéphane de Labrusse) 2018-05-11 13:06:57 UTC #2

Honestly you find a bug, but I cannot blame me, I use a library use Net::IPv4Addr qw(ipv4_chkip); in https://github.com/NethServer/nethserver-fail2ban/blob/ns7/root/etc/e-smith/templates/etc/fail2ban/jail.local/01localaccess that should prevent to use your network, once you expand your template if you look to /etc/fail2ban/jail.local you will see your network truncated. It misses the /24, it is not a blocking bug because the IP 192.168.178.0 doesn’t exist, so I won’t fix it.

I do not want to allow a network from fail2ban, if you want to do it, then add it by the trusted network panel.

Sorry but security is my first concern…when I can

pnemenz 2018-05-11 15:08:35 UTC #3

So when I add the net as trusted network fail2ban would handle these ip’s like they are on the whitelist or as local network?

stephdl (Stéphane de Labrusse) 2018-05-11 15:45:55 UTC #4

Exactly, this post should be marked as good answer (change the bug category to support), when you want to allow a whole network to fail2ban, then set the network in the trusted-network panel and the whole network will be ignored like your local network.

your topic should be changed to ‘Fail2ban : ignore IP from network’