I use ``sshguard`` to protect the ssh server.
One of its usages is based on ipset: it simply fills an ipset with bad IP addresses,
and you block connections whose source is in this set,
like
``-m set --match-set sshguard4 src -j DROP``
With ufw this can be added to ``rules.before``, but ufw starts before ``sshguard``, so it doesn't see this set, and simply fails, leaving my machine with an empty INPUT chain with DROP policy :)
People even wrote systemd units that run before ufw just to create the ipset:
https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html
While I can use chains instead of ipset (unlike an ipset, a chain can be created with ufw), I believe
ipset is a better solution for a huge list of IP addresses.
The ``netfilter-persistent`` tool loads ipset before iptables, so there is no such problem there.
I think ``ufw`` must have the ability to create an empty ipset to be compatible with sshguard.
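As an added example (not code from the bug report, from sshguard or from ufw), a POSIX sh script that pre-creates every ipset referenced by ``--match-set`` in a ufw rules file before ufw loads it, so a missing set cannot make the load fail and leave INPUT empty with a DROP policy. The ``hash:net`` set type, choosing ``inet6`` for names ending in ``6``, and the ``IPSET`` command override are assumptions.

```shell
#!/bin/sh
# Run this before ufw (for example from a systemd unit with Before=ufw.service),
# pointing it at /etc/ufw/before.rules. It creates referenced sets empty; the
# set type must match what sshguard later creates, assumed here to be hash:net.
IPSET=${IPSET:-ipset}   # overridable so the logic can be exercised without root

# sets_referenced FILE: print the unique set names used in --match-set directives.
sets_referenced() {
    grep -oE -- '--match-set[[:space:]]+[^[:space:]]+' "$1" \
        | awk '{print $2}' | sort -u
}

# ensure_sets FILE: create each referenced set that does not yet exist and
# print the names that were created (existing sets are left untouched).
ensure_sets() {
    existing=$($IPSET list -n 2>/dev/null)
    for s in $(sets_referenced "$1"); do
        if ! printf '%s\n' "$existing" | grep -qx "$s"; then
            # assumption: a trailing 6 in the set name marks the IPv6 set
            case $s in
                *6) family=inet6 ;;
                *)  family=inet ;;
            esac
            $IPSET create "$s" hash:net family "$family" && echo "$s"
        fi
    done
}
```

Sets that sshguard later fills are created empty, so the ufw rule loads and simply matches nothing until sshguard adds addresses.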