© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
demo site
(Get the code!)
I use ``sshguard`` to protect ssh server.
One of its usages is based on ipset: it simply fills ipset with bad ip addresses,
and you block connections when source is in this address,
like
``m set --match-set sshguard4 src -j DROP``
With ufw this can be added to ``rules.before``, but ufw starts before ``sshguard``, so it doesn't see this set, and simply fails leaving my machine with an empty INPUT chain with DROP policy :)
People even wrote systemd units that run before ufw just to create ipset
https:/
While I can use chains instead of ipset (unlike ipset, a chain could be created with ufw) I believe
ipset is a better solution of the huge list of IP addresses.
``netfilter-
I think ``ufw`` must have the ability to create an empty ipset to be compatible with sshguard.