My firewall leaks, sometimes. I saw this behaviour with FireHOL and tried Shorewall instead, but it continues. Advice in #shorewall on freenode was that my shorewall configuration is valid.

The firewall has a rule to drop HTTP traffic if the source address is in an ipset. The ipset is maintained by fail2ban and created by /etc/shorewall/init:

    ipset create f2b-http4 hash:ip family inet comment timeout 2147483 -exist

This is on Debian stable; uname -v prints "#1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27)". In Debian's "alternatives" system, iptables is symlinked to /usr/sbin/iptables-nft. The rule is on line 66 in the attached 'iptables-save -c' output.

The rule usually works, but sometimes it doesn't. An example occurrence follows (times are in BST).

2020-05-02 16:23 last reboot.
2020-05-04 21:03 shorewall last restarted.
2020-05-04 21:13 fail2ban last restarted.
2020-05-05 10:02 I saved the contents of the ipset f2b-http4 to a file.
2020-05-06 04:22 the webserver logged a request from 193.118.53.194.
2020-05-06 04:22 fail2ban warned "193.118.53.194 already banned".

The address was in my saved file, before the request:

    # grep '193\.118\.53\.194' ~/f2b-http4-2020-05-05T10:02+01:00.txt
    193.118.53.194 timeout 2101355 comment "wronghost"

The address was still in the ipset after the request:

    # date +%s && grep '193\.118\.53\.194' <(ipset list f2b-http4)
    1588750964
    193.118.53.194 timeout 2019727 comment "wronghost"

The decrement in the timeout (from 2101355 to 2019727) matches the time elapsed from saving the file to checking the ipset:

    # date +%s --date="2020-05-05T10:02+01:00"
    1588669320
    # echo $((1588669320 + (2101355 - 2019727)))
    1588750948
    # echo $((1588750964 - 1588750948))
    16

i.e. they match to within 16s (my file timestamp has minute resolution).

I think the IP address was in the ipset f2b-http4 continuously before, during and after the time of the HTTP request. Yet the address was able to reach port 80 at 04:22 today. How?

Thanks,
--
Nick
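The continuity argument in the post (elapsed wall-clock time versus timeout decrement) can be mechanised so the same check can be run against any saved snapshot and live "ipset list" reading. This is an added example, not Nick's code; the member lines and epoch timestamps are the ones quoted above, embedded as constructed input, and the 60 s tolerance is an assumption that covers a minute-resolution snapshot timestamp.

```shell
#!/bin/sh
# Added example: decide whether an ipset entry with a timeout was present
# continuously between two readings. A live entry that had been removed and
# re-added by fail2ban in between would have had its timeout reset to the full
# create-time value, so its decrement would be far smaller than the elapsed time.

# Constructed sample member lines, in the format "ipset list" prints them.
SAVED_ENTRY='193.118.53.194 timeout 2101355 comment "wronghost"'
LIVE_ENTRY='193.118.53.194 timeout 2019727 comment "wronghost"'
SAVED_TS=1588669320   # epoch seconds of the saved snapshot (2020-05-05T10:02+01:00)
LIVE_TS=1588750964    # epoch seconds when the live ipset was read

# timeout_of LINE: print the value following the "timeout" keyword of a member line.
timeout_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "timeout") { print $(i + 1); exit } }'
}

# drift SAVED_TS SAVED_TIMEOUT LIVE_TS LIVE_TIMEOUT: print elapsed seconds minus
# the timeout decrement. Near zero means one entry counted down all along; a large
# positive value means the timeout was reset, i.e. the entry was removed and re-added.
drift() {
    printf '%s\n' $(( ($3 - $1) - ($2 - $4) ))
}

# continuous SAVED_LINE SAVED_TS LIVE_LINE LIVE_TS TOLERANCE: return 0 if the two
# readings are consistent with one uninterrupted entry, 1 otherwise.
continuous() {
    d=$(drift "$2" "$(timeout_of "$1")" "$4" "$(timeout_of "$3")")
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$5" ]
}

# Run the check on the sample data.
if continuous "$SAVED_ENTRY" "$SAVED_TS" "$LIVE_ENTRY" "$LIVE_TS" 60; then
    echo "entry present continuously (drift $(drift "$SAVED_TS" "$(timeout_of "$SAVED_ENTRY")" "$LIVE_TS" "$(timeout_of "$LIVE_ENTRY")") s)"
else
    echo "timeout reset between readings: entry was removed and re-added"
fi
```

A passing check only shows the entry was in the set; it says nothing about whether the iptables rule consulted the set, which is the part of the post still in question.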