[pkg-netfilter-team] Bug#959989: nftables: nft does not recognize imap service

Artur Pydo debian-bts at pydo.org
Fri May 8 00:03:42 BST 2020


Package: nftables
Version: 0.9.0-2
Severity: normal

Dear Maintainer,

While setting up fail2ban with nftables (with the default /etc/nftables.conf), the firewall initialization command failed on fail2ban start:

nft insert rule inet filter input tcp dport \{ smtp,465,submission,imap,imaps,pop3,pop3s \} ip saddr @f2b-postfix-sasl reject

failed with the following error: Error: Could not resolve service: Servname not found in nft services list
The error was related to the 'imap' service.

However, in /etc/services the imap service is defined as follows:
imap2           143/tcp         imap            # Interim Mail Access P 2 and 4

This service's main name is 'imap2', and there is also an alias set to 'imap'.
It seems that nft does not take this service alias into account.

Replacing 'imap' with 'imap2' solved the nft problem:
nft insert rule inet filter input tcp dport \{ smtp,465,submission,imap2,imaps,pop3,pop3s \} ip saddr @f2b-postfix-sasl reject

Please note that to solve this problem in fail2ban, one has to change the default ports list in jail.local.
Example of a working /etc/fail2ban/jail.local:
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports

[postfix-sasl]
enabled  = true
port     = smtp,465,submission,imap2,imaps,pop3,pop3s

[dovecot]
enabled  = true
port    = pop3,pop3s,imap2,imaps,submission,465,sieve

One may expect the imap service to be resolved by nft and to have a working default configuration in fail2ban.

Thanks for your attention.

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.5.0-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.19.7
ii  libc6         2.28-10
ii  libgmp10      2:6.1.2+dfsg-4
ii  libjansson4   2.12-1
ii  libnftables0  0.9.0-2
ii  libreadline7  7.0-5

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information
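A small checker for the alias problem described in this report, added here as an example and not part of the bug report, of nftables or of fail2ban: it parses text in /etc/services format, maps every alias to its primary name, and rewrites a fail2ban port list so that only primary names remain, which is the workaround the report applies by hand. The embedded services excerpt is constructed for the example; passing the contents of the real /etc/services works the same way.

```python
"""Rewrite a fail2ban port list so that every symbolic service name is a
primary /etc/services name rather than an alias (e.g. imap -> imap2)."""
from typing import Dict, List

# Constructed excerpt in /etc/services format: name, port/proto, aliases, comment.
SAMPLE_SERVICES = """\
# Network services, Internet style
smtp            25/tcp          mail
pop3            110/tcp         pop-3           # POP version 3
imap2           143/tcp         imap            # Interim Mail Access P 2 and 4
imap2           143/udp         imap
submission      587/tcp                         # Submission [RFC4409]
imaps           993/tcp                         # IMAP over SSL
pop3s           995/tcp                         # POP-3 over SSL
sieve           4190/tcp                        # ManageSieve Protocol
"""


def parse_services(text: str, proto: str = "tcp") -> Dict[str, str]:
    """Map every name (primary or alias) defined for `proto` to its primary name."""
    canonical: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # not a "name port/proto" record
        name, portproto = fields[0], fields[1]
        if portproto.rsplit("/", 1)[1] != proto:
            continue
        canonical.setdefault(name, name)  # primary name maps to itself
        for alias in fields[2:]:
            canonical.setdefault(alias, name)  # alias maps to the primary name
    return canonical


def canonicalize_ports(port_list: str, canonical: Dict[str, str]) -> List[str]:
    """Replace aliases by primary names; numeric ports pass through unchanged.
    An unknown name raises so a typo is not silently handed to nft."""
    out: List[str] = []
    for item in (p.strip() for p in port_list.split(",")):
        if item.isdigit():
            out.append(item)
        elif item in canonical:
            out.append(canonical[item])
        else:
            raise ValueError(f"unknown service name: {item}")
    return out


def rewrite_port_list(port_list: str, services_text: str = SAMPLE_SERVICES) -> str:
    """Return the fail2ban `port =` value with every alias replaced."""
    return ",".join(canonicalize_ports(port_list, parse_services(services_text)))
```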