Is there a recommended way to use fail2ban (or snort or the firewall) on FCOS?
Looking around, it seems that some users are happily running fail2ban in a container this way: https://github.com/crazy-max/docker-fail2ban
Hmm, I’m having the impression that Fedora wants to get away from Docker in the long run. However, the docker-fail2ban solution looks like it could only work on Docker (or is there any chance to get this working with podman in root mode? What about the --cap-add NET_ADMIN --cap-add NET_RAW stuff with podman?).
I guess installing fail2ban with rpm-ostree is rather discouraged and/or will not work?!?
Podman does support privileged mode and can add/drop specific capabilities for a container.
In general, installing packages directly on the host is discouraged and likely to break auto-upgrades. Consider using containerized services wherever possible.
For firewalls, there are the following (disabled) systemd units:
/usr/lib/systemd/system/nftables.service
/usr/lib/systemd/system/iptables.service
/usr/lib/systemd/system/ip6tables.service
Configuration could be placed in:
/etc/sysconfig/nftables.conf
/etc/sysconfig/iptables
/etc/sysconfig/iptables-config
/etc/sysconfig/ip6tables
/etc/sysconfig/ip6tables-config
Please be aware that ip(6)tables is the legacy version. To use nft and ip(6)tables in conjunction, you have to switch to the *-nft versions (see alternatives).
See this doc page for setting up alternatives on Fedora CoreOS: Setting alternatives :: Fedora Docs
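As an added illustration (not part of the reply above, and not a file shipped by Fedora CoreOS), here is what a minimal host firewall in /etc/sysconfig/nftables.conf could look like for the nftables.service unit mentioned above. It assumes the host exposes SSH only; the port set and the logging prefix are placeholders to adapt.

```nft
#!/usr/sbin/nft -f
# Added example for /etc/sysconfig/nftables.conf; assumes only SSH is exposed.
# `flush ruleset` also clears rules that rootful podman adds at runtime, so
# reload this file before starting containers (at boot via nftables.service),
# not while they are running.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and traffic belonging to connections we already accepted
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP / ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services exposed by this host (assumption: SSH only; extend as needed)
        tcp dport { 22 } accept

        # Rate-limited log line for anything else before the drop policy applies
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # Left on accept: rootful podman networking relies on forwarding between
        # the container bridge and the uplink. A drop policy here would need
        # explicit accept rules for the bridge interface.
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading it using `nft -c -f /etc/sysconfig/nftables.conf`, then `sudo systemctl enable --now nftables.service` and inspect the result with `nft list ruleset`. If you also run tools that speak the iptables syntax (fail2ban's default banaction, container runtimes), switch the iptables alternative to the -nft variant as described in the linked alternatives doc, so that both end up in the same kernel backend instead of two competing rule sets.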