Is there a recommended way to use fail2ban (or snort or the firewall) on FCOS?
Looking around, it seems that some users are happily running
fail2ban in a container this way: https://github.com/crazy-max/docker-fail2ban
Hhm, I’m having the impression that Fedora wants to get away from Docker in the long run. However, the docker-fail2ban solution looks like it could only work on Docker (Or is there any chance to get this working with podman in root mode? What about the --cap-add NET_ADMIN --cap-add NET_RAW stuff with podman?)
I guess installing fail2ban with rpm-ostree is rather discouraged and/or will not work?!?
Podman does support privileged mode and can add/drop specific capabilities for a container.
In general, installing packages directly on the host is discouraged and likely to break auto-upgrades. Consider using containerized services wherever possible.
For firewalls, there are the following (disabled) systemd units:
Configuration could be placed in:
Please be aware that ip(6)tables is the legacy version. To use ip(6)tables in conjunction, you have to switch to the *-nft versions (see alternatives).
See this doc page for setting up alternatives on Fedora CoreOS: Setting alternatives :: Fedora Docs
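Putting the answer's two points together (rootful podman with NET_ADMIN/NET_RAW, and the nft variant of iptables selected via alternatives), here is an added example script that is not from this thread or from the docker-fail2ban project. It assumes the image name `docker.io/crazymax/fail2ban`, the `/data` config volume and the read-only `/var/log` mount as described in that project's README, and that the Fedora alternatives are named `iptables`/`ip6tables` with `-nft` binaries under `/usr/sbin`; check those against the docs before relying on them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): preflight checks and a rootful
# `podman run` of the crazymax/fail2ban image on Fedora CoreOS.
# Assumed: image name, /data volume and /var/log mount per the
# docker-fail2ban README; alternatives named iptables/ip6tables.
set -euo pipefail

# True when `iptables --version` output reports the nf_tables backend,
# i.e. the *-nft alternative is selected instead of legacy ip(6)tables.
iptables_is_nft() {
  case "$1" in
    *"(nf_tables)"*) return 0 ;;
    *)               return 1 ;;
  esac
}

preflight() {
  # fail2ban inserts rules into the host firewall, so the container must
  # run as root: capabilities granted to a rootless container only apply
  # inside its user namespace and cannot change the host's netfilter.
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  for tool in iptables ip6tables; do
    if ! iptables_is_nft "$("$tool" --version 2>/dev/null || true)"; then
      echo "$tool is not the nft variant; select it with:" >&2
      echo "  alternatives --set $tool /usr/sbin/$tool-nft" >&2
      return 1
    fi
  done
}

start_fail2ban() {
  mkdir -p /var/lib/fail2ban-data   # holds jail.d/ and filter.d/ (container /data)
  podman run -d --name fail2ban \
    --network host \
    --cap-add NET_ADMIN --cap-add NET_RAW \
    -v /var/log:/var/log:ro \
    -v /var/lib/fail2ban-data:/data:Z \
    docker.io/crazymax/fail2ban:latest
}

# Only act when explicitly requested, so the file can be sourced for its checks.
if [ "${FAIL2BAN_APPLY:-0}" = "1" ]; then
  preflight
  start_fail2ban
fi
```

Run it as `sudo FAIL2BAN_APPLY=1 ./fail2ban-podman.sh`; without the variable it only defines the functions.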