
    Nick Howitt wrote: It looks like a firewall restart has happened and this has wiped a lot of f2b firewall bits. Why it restarted, I don't know. When that happens, when f2b tries to shut down, lots of its rules which it wants to delete no longer exist generating those errors. Ignore them.

    It restarted when I added an IP to the Firewall:Incoming list in the Firewall App. This happens each and every time I add an IP to the list. It isn't in the custom firewall menu.

    Nick Howitt wrote: Correct me if I'm wrong, but this is ClearOS 7. Do you have app-attack-detector installed any more?

    Yes, this is COS 7.x. I reinstalled app-attack-detector from the MarketPlace after I realized that the problems that I was having were with using the systemd log. I left my changes in the jail.local but everything else is standard.

    Nick Howitt wrote: What firewall files do you have related to fail2ban or attack-detector in /etc/clearos/firewall.d/?

    I haven't added anything to firewall.d manually. Here is the list:


    Nick Howitt wrote: Also what is the contents of /etc/clearos/firewall.d/custom and /etc/clearos/firewall.d/local, if any.
    Nick Howitt wrote: AFAIK, the firewall only restarts when deleting a rule, not when adding it.

    In my case it restarts after adding a rule. I haven't tried deleting any rules.
    It should be able to delete a rule without restarting too.

    Nick Howitt wrote: Although it restarts when you change and save /etc/clearos/firewall.d/local, so it may do the same with /etc/clearos/firewall.d/custom, which I think is what you are effectively editing.

    I haven't a clue where the block rules that are added in the Firewall:Incoming are added. But each time I add one, the firewall restarts and kills fail2ban.

    On COS5.2, I had a list of IPs that I blocked because they were a pest. It was some sort of local file, rc.firewall.local, that had a list of commands like `iptables -A INPUT -s ipaddress -j DROP`. I used to manually add the IPs there so they would reblock upon a system restart. The iptables command would add the block manually without restarting the firewall. I don't know where to add these now with this new firewall.d.
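As an added example for this thread (not code from the poster, from Nick Howitt, or from ClearOS itself), here is a POSIX sh script that does what the old rc.firewall.local list did: it keeps a persistent block list of abusive IPs and applies it with `iptables -C` before `iptables -A`, so re-running it (for instance after the Firewall app has restarted the firewall) never duplicates a rule and never needs a full firewall restart. It also includes a small check that counts the fail2ban chains present in `iptables -S` output, which is how you can tell whether a restart wiped them. The block-list path `/etc/clearos/blocklist.txt`, the `IPTABLES` variable with its `iptables` fallback, and the idea of calling the script with `--apply` from `/etc/clearos/firewall.d/custom` are assumptions made for this example, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: persistent "pest" block list applied
# idempotently with iptables, plus a fail2ban chain check.
#
# Assumptions (not confirmed by the thread):
#   - BLOCKLIST path is invented for this example: one IPv4 address or CIDR
#     per line, '#' comments allowed.
#   - IPTABLES may be set by the caller (e.g. the ClearOS firewall script);
#     otherwise plain "iptables" from PATH is used.
#   - /etc/clearos/firewall.d/custom can run this script with --apply.

BLOCKLIST="${BLOCKLIST:-/etc/clearos/blocklist.txt}"
IPTABLES="${IPTABLES:-iptables}"

# Read a block list on stdin and print one
#   iptables -A INPUT -s <entry> -j DROP
# line per entry. Blank lines and comments are skipped; entries with anything
# other than digits, dots and a slash are rejected (simple syntactic filter).
gen_drop_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                              # strip comments
        entry="$(printf '%s' "$entry" | tr -d ' \t')"    # strip whitespace
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9./]*) printf 'skip: %s\n' "$entry" >&2; continue ;;
        esac
        printf '%s -A INPUT -s %s -j DROP\n' "$IPTABLES" "$entry"
    done
}

# Apply the generated rules. "iptables -C" returns 0 when an identical rule
# already exists, so running this twice (or after a firewall restart that
# left some rules in place) never produces duplicates.
apply_drop_rules() {
    gen_drop_rules | while IFS= read -r rule; do
        spec="${rule#* -A }"            # "INPUT -s <entry> -j DROP"
        if ! $IPTABLES -C $spec 2>/dev/null; then
            $rule
        fi
    done
}

# Count fail2ban chains ("-N f2b-...") in "iptables -S" output on stdin.
# 0 after a firewall restart means the restart wiped them, which is the
# situation described in the thread; fail2ban then needs a restart too.
count_f2b_chains() {
    grep -c '^-N f2b-' || true
}

case "${1:-}" in
    --apply)  apply_drop_rules < "$BLOCKLIST" ;;
    --status) $IPTABLES -S | count_f2b_chains ;;
    "")       ;;   # no argument: only define the functions (for sourcing)
    *)        echo "usage: $0 --apply | --status" >&2; exit 2 ;;
esac
```

Run it with `--apply` from `/etc/clearos/firewall.d/custom` (or a cron job) so the list survives reboots and firewall restarts, and with `--status` after the Firewall app has restarted things: a count of 0 is the signal that fail2ban's chains are gone and `systemctl restart fail2ban` is needed, which is exactly the state that produces the "rule does not exist" errors Nick describes.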