From 861ce4177c07f9771725b2dd94ae8a9b1ed237d7 Mon Sep 17 00:00:00 2001
From: Christoph Theis
Date: Tue, 14 Feb 2017 18:31:42 +0100
Subject: [PATCH 1/2] #1689: Make lowest rule number in action.d/bsd-ipfw.conf configurable
---
 ChangeLog | 3 +++
 config/action.d/bsd-ipfw.conf | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index b37d7a08..9aa27c09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,9 @@ releases. (0.10th resp. IPv6 relevant only, amend for gh-1479)
 * config/pathes-freebsd.conf
 - Fixed filenames for apache and nginx log files (gh-1667)
+* action.d/bsd-ipfw.conf
+ - Make the rule number, the action starts looking for a free slot to insert
+ the new rule, configurable (gh-1689)
 ### New Features
 * New Actions:
diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf
index 8b0a51aa..65d4294a 100644
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@@ -14,7 +14,7 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" )
+actionstart = ipfw show | fgrep -q 'table(
)' || ( ipfw show | awk 'BEGIN { b = } { if ($1 < b) {} else if ($1 == b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" )
 # Option: actionstop
@@ -81,3 +81,11 @@ block = ip
 # Values: STRING
 #
 blocktype = unreach port
+
+# Option: lowest_rule_num
+# Notes: When fail2ban starts with action and there is no rule for the given table yet
+# then fail2ban will start looking for an empty slot starting with this rule number.
+# Values: NUM
+lowest_rule_num = 1
+
+

From f27e053592767ef1fd37da0cf242ee49c6bbebcc Mon Sep 17 00:00:00 2001
From: "Serg G. Brester"
Date: Sat, 1 Jul 2017 17:10:53 +0200
Subject: [PATCH 2/2] Update bsd-ipfw.conf increased starting rule number (lowest_rule_num = 111)
---
 config/action.d/bsd-ipfw.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf
index 65d4294a..65a5e39b 100644
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@@ -86,6 +86,6 @@ blocktype = unreach port
 # Notes: When fail2ban starts with action and there is no rule for the given table yet
 # then fail2ban will start looking for an empty slot starting with this rule number.
 # Values: NUM
-lowest_rule_num = 1
+lowest_rule_num = 111
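Review bot: The chosen rule number is still handed back through the awk exit status (`END { if (e) exit e … else exit b }'; num=$?`), and an exit status carries only 8 bits, so a lowest_rule_num of 256 or more — or a first free slot found at or above 256 — is truncated modulo 256 and `ipfw -q add $num` installs the rule at a different, possibly already occupied, number; the hard-coded `b = 1` made this unlikely to hit, a configurable start makes it easy. Returning the number on stdout removes the limit: `num=$(ipfw show | awk '… END { if (e) print e; else print b }')`, and with the `;` between the branches the awk program no longer needs the embedded line break. The option is also substituted into the awk program unvalidated, so an empty or non-numeric lowest_rule_num produces an awk syntax error at actionstart rather than a clear message; the new option's Notes should state that it must be a positive integer below ipfw's last rule number (65535). The angle-bracket placeholders for the table, the state file and the new option appear to have been stripped in this rendering of the hunk, which is presumably why the `b = ` and `table(` fragments look incomplete here.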