Thursday, August 27, 2015

Centos 7 FirewallD Add/Delete/Log Rich Rule

CentOS 7 ships firewalld, which has many options and a new rule syntax, the "rich language". I was looking for the syntax to delete a rich rule, which I finally found on the Fedora project wiki.
Here is how to delete a rich rule:
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="ip address" reject'
 
which was added earlier to the active zone (public) by the following:

firewall-cmd --add-rich-rule="rule family=ipv4 source address=ip_address reject"


Here is how to list all rich rules in a zone:

firewall-cmd --zone=public --list-rich-rules


If you wish to log the matching packets as well, you need a rule like this:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="ip address" log prefix="badboy" level="info" limit value="1/m" reject'
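As an added example (not from the original post), a small POSIX shell helper that builds the add and remove commands above from one rule body, so the rule you remove is exactly the one you added, and that picks the rule family from the address form instead of hardcoding ipv4. The zone, the `badboy` prefix and the `1/m` limit follow the rules above; the addresses used are constructed documentation addresses.

```shell
#!/bin/sh
# Added example: build matching firewalld rich-rule commands for one source
# address. Nothing here calls firewall-cmd; it only prints the command lines.

# Print "ipv4" or "ipv6" for a plausible address (CIDR suffix allowed),
# or return non-zero for anything else, so a typo never reaches firewall-cmd.
rich_family() {
  case "$1" in
    *[!0-9./]*)
      # Anything beyond digits, dots and slash must be IPv6: hex digits and colons.
      case "$1" in
        *[!0-9A-Fa-f:./]*) return 1 ;;
        *:*) echo ipv6 ;;
        *) return 1 ;;
      esac ;;
    *.*.*.*) echo ipv4 ;;
    *) return 1 ;;
  esac
}

# Rule body shared by --add-rich-rule and --remove-rich-rule.
# $1 = address, $2 = optional log prefix; an empty prefix means no logging.
rich_rule() {
  fam=$(rich_family "$1") || return 1
  if [ -n "$2" ]; then
    echo "rule family=\"$fam\" source address=\"$1\" log prefix=\"$2\" level=\"info\" limit value=\"1/m\" reject"
  else
    echo "rule family=\"$fam\" source address=\"$1\" reject"
  fi
}

# Full command lines for zone $3 (default: public). Both come from rich_rule,
# so a later removal always names the same rule that was added.
add_cmd() {
  r=$(rich_rule "$1" "$2") || return 1
  echo "firewall-cmd --zone=${3:-public} --add-rich-rule='$r'"
}
remove_cmd() {
  r=$(rich_rule "$1" "$2") || return 1
  echo "firewall-cmd --zone=${3:-public} --remove-rich-rule='$r'"
}

# Constructed sample addresses from the RFC 5737 / RFC 3849 documentation ranges.
for a in 203.0.113.5 2001:db8::1; do
  add_cmd "$a" badboy
  remove_cmd "$a" badboy
done
add_cmd "ip adress" || echo "refused: not an IPv4 or IPv6 address" >&2
```

To apply a generated command on the host, run it through the shell, e.g. `eval "$(add_cmd 203.0.113.5 badboy)"`.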

For further information please consult the Fedora wiki and the official Red Hat documentation.


Wednesday, August 26, 2015

Fail2ban Error on Centos 7 KVM instance

On CentOS 7 I was struggling with fail2ban on different VM templates, e.g. OpenVZ and KVM. The previous post is about OpenVZ problems (not only about fail2ban) for which I have not found a solution yet.
Now a few words about the KVM instance. fail2ban 0.9.2 was running on CentOS 7.1.1503 with the systemd backend. I was trying to ban failed SSH attempts with the following config options in the jail.local file:


[DEFAULT]
backend = systemd
banaction = firewallcmd-ipset
bantime = 3600

[sshd]
enabled = true

Nothing seemed to be wrong with these options or the log files, but I was getting an error like this:

ERROR   ipset create fail2ban-sshd hash:ip timeout 3600
firewall-cmd --direct --add-rule  filter INPUT 0 -p tcp -m multiport -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
-- stdout: '\x1b[91mwrong priority\nusage: --direct --add-rule { ipv4 | ipv6 | eb } \x1b[00m\n'

As is easily seen, the error comes from the commands run by fail2ban's actionstart, found in the file /etc/fail2ban/action.d/firewallcmd-ipset.conf:


actionstart = ipset create fail2ban- hash:ip timeout
             firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j

The ipv4 argument was missing from the above command, which is why I kept getting the error. The error output shows that one of the keywords ipv4, ipv6 or eb must follow --add-rule, so adding the keyword ipv4 solves the problem, at least temporarily: I don't know what would happen if an IPv6 address tried to log in to your server.

Update: firewallcmd-ipset only works if your kernel has ipset module support. If your kernel is something like

2.6.32-042stab108.8
do not expect firewallcmd-ipset to work. In that case one must use the firewallcmd-new action, because it only uses firewalld and not the kernel ipset module.
The problem I faced was caused by a wrong template file, firewallcmd-ipset.conf.


Tuesday, August 25, 2015

Centos 7 Minimal OpenVZ Template Problems

I am having trouble with these minimal installs. Although I had heard that CentOS 7 has some issues with the OpenVZ minimal template, I planned to use it despite some struggle.
The first problem I encountered is the misconfiguration of the network interfaces in this OpenVZ template. Here is the official bug report and here is a solution for the template. If you have not applied this patch to the OpenVZ template, you need to bring the ethernet device up after every reboot with a command like this:
ifup ifcfg-venet0
or, as a temporary solution, add the line
ARPCHECK="no"
to /etc/sysconfig/network-scripts/ifcfg-venet0:0 (in my case), which survives until the next reboot.
The second issue is about fail2ban and the various system logs. Banning failed SSH attempts is a common task for a system administrator. Fail2ban seems to work when all SSH logs are written to the file /var/log/secure. Unfortunately, in CentOS 7 minimal installs SSH logs are not written to this file; in fact there are very few files under the /var/log directory at all. It seems that a large portion of the logs is left to be handled by the journalctl command. I installed fail2ban but it does not work. After some searching I realized that, because there are no logs in the /var/log/secure file, fail2ban does not recognize the failed attempts. After reading this I made sure that the problem is as described. Now it is time to route all SSH logs to /var/log/secure and try to make fail2ban work.

Update: You do not need to stream logs to /var/log/secure or any other file. Adding the option

backend = systemd

to the [DEFAULT] section of the config file (such as jail.local) solves the problem easily; fail2ban can then read the systemd journal directly.