From b6d0e8ad9c7b688e8bc4dd375bdc897293a21320 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 3 May 2013 16:31:45 +1000
Subject: [PATCH 1/3] ENH: add ipfw rule for bsd using the tables.
---
config/action.d/bsd-ipfw.conf | 82 +++++++++++++++++++++++++++++++++++
config/jail.conf | 13 ++++++
2 files changed, 95 insertions(+)
create mode 100644 config/action.d/bsd-ipfw.conf
diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf
new file mode 100644
index 00000000..33f176e4
--- /dev/null
+++ b/config/action.d/bsd-ipfw.conf
@@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+# Daniel Black (start/stop)
+# Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num deny from table\(
\) to me ; echo $num > "" )
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = [ -f ] && ( read num < ""
ipfw -q delete $num
rm "" )
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = ipfw table
add
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipfw table
delete
+
+[Init]
+# Option: table
+# Notes: The ipfw table to use. If a ipfw rule using this table already exists,
+# this action will not create a ipfw rule to block it and the following
+# options will have no effect.
+# Values: NUM
+table = 1
+
+# Option: port
+# Notes.: Specifies port to monitor. Blank indicate block all ports.
+# Values: [ NUM | STRING ]
+#
+port =
+
+# Option: startstatefile
+# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values: STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_
+ +# Option: action +# Notes: This is the action to take for automaticly created rules. See the +# ACTION defination at the top of man ipfw for allowed values. +# "deny" and "unreach port" are probably the useful. +# Values: STRING +action = deny + +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip diff --git a/config/jail.conf b/config/jail.conf index 8b82d1d7..17c4dfe9 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -139,6 +139,19 @@ action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] logpath = /var/log/sshd.log maxretry = 5 +# bsd-ipfw is ipfw used by BSD. It uses ipfw tables. +# table number must be unique. +# +# This will create a deny rule for that table ONLY if a rule +# for the table doesn't ready exist. +# +[ssh-bsd-ipfw] +enabled = false +filter = sshd +action = bsd-ipfw[port=ssh,table=1] +logpath = /var/log/auth.log +maxretry = 5 + # This jail demonstrates the use of wildcards in "logpath". # Moreover, it is possible to give other files on a new line. From f402609f19fcbf2467adbe9d64766fa9107aad30 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Fri, 3 May 2013 16:32:11 +1000 Subject: [PATCH 2/3] DOC: credits for bsd-ipfw --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index c80e3b3c..35c706cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -69,6 +69,9 @@ Borreli, blotus: * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. Daniel Black * [be06b1b] Add action for iptables-ipsets. Closes gh-102. + Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk + * [b6d0e8a] Add and enhance the bsd-ipfw action from + FreeBSD ports. Soulard Morgan * [f336d9f] Add filter for webmin. Closes gh-99. - Enhancements: From 8a17a70d250b515f01ec6091d5e71e27fed0a878 Mon Sep 17 00:00:00 2001 
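Review bot: `actioncheck =` is left empty, so once the deny rule that actionstart installs is gone (an ipfw service restart or `ipfw flush` removes every numbered rule), actionban keeps adding addresses to the table while no rule consults it, and the jail silently fails open. fail2ban runs actioncheck before each ban for exactly this case and re-runs actionstart when it fails, so the same guard used at the top of actionstart would close the gap: `actioncheck = ipfw show | fgrep -q 'table(<table>)'`. The `<table>`, `<ip>`, `<port>` and `<startstatefile>` placeholders appear to have been stripped from this rendering (`ipfw table add`, `echo $num > ""`), so the exact spelling has to be checked against the committed file. A smaller point on the awk search for a free rule number: the result is returned through `exit e` / `exit b`, and a shell exit status is only 8 bits, so a first free slot at or above 256 wraps modulo 256 to a wrong and possibly occupied rule number; printing the number and capturing it with `num=$(...)` avoids that.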
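Review bot: The example jail passes `port=ssh` while the action's default stays `block = ip`; ipfw's port matching is defined for TCP/UDP/SCTP, so if `<port>` is substituted into the `to me` clause of the generated rule (the placeholders are stripped in this rendering) an `ip ... to me ssh` rule is likely to be rejected by ipfw, in which case actionstart fails and no deny rule is ever installed. Passing the protocol alongside the port, `action = bsd-ipfw[port=ssh,table=1,block=tcp]`, or stating in the comment that `port` needs `block=tcp` or `block=udp`, would make the example safe to enable as written; this should be verified against ipfw(8) before the example is relied on. The comment `doesn't ready exist` should read `doesn't already exist`.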
From: Daniel Black
Date: Fri, 3 May 2013 17:12:55 +1000
Subject: [PATCH 3/3] BF: missed MANIFEST include
---
MANIFEST | 1 +
1 file changed, 1 insertion(+)
diff --git a/MANIFEST b/MANIFEST
index 364c0b08..0a0cbbce 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -97,6 +97,7 @@ config/filter.d/dropbear.conf
 config/filter.d/lighttpd-auth.conf
 config/filter.d/recidive.conf
 config/filter.d/roundcube-auth.conf
+config/action.d/bsd-ipfw.conf
 config/action.d/dummy.conf
 config/action.d/iptables-ipset-proto4.conf
 config/action.d/iptables-ipset-proto6.conf