ENH: add blocktype to all relevant actions. Also default the rejection to a ICMP reject rather than a drop

config/action.d/ipfilter.conf

@@ -37,7 +37,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
+actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
 
 
 # Option:  actionunban
@@ -47,7 +47,12 @@ actionban = echo block in quick from <ip>/32 | /sbin/ipf -f -
 # Values:  CMD
 #
 # note -r option used to remove matching rule
-actionunban = echo block in quick from <ip>/32 | /sbin/ipf -r -f -
+actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
 
 [Init]
 
+# Option: Blocktype
+# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
+#         Shell expansion. This should be blank (unquoted) to drop the packet.
+# Values: STRING
+blocktype = "return-icmp(port-unr)"

config/action.d/ipfw.conf

@@ -35,7 +35,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = ipfw add deny tcp from <ip> to <localhost> <port>
+actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
 
 
 # Option:  actionunban
@@ -59,3 +59,11 @@ port = ssh
 # Values:  IP
 #
 localhost = 127.0.0.1
+
+
+# Option:  blocktype
+# Notes.:  How to block the traffic. Use a action from man 5 ipfw
+#          Common values: deny, unreach port, reset
+# Values:  STRING
+#
+blocktype = unreach port

config/action.d/iptables-allports.conf

@@ -37,7 +37,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -45,7 +45,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -64,3 +64,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-ipset-proto4.conf

@@ -25,13 +25,13 @@
 # Values:  CMD
 #
 actionstart = ipset --create fail2ban-<name> iphash
-              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+              iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 #
-actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j DROP
+actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype>
              ipset --flush fail2ban-<name>
              ipset --destroy fail2ban-<name>
 
@@ -69,3 +69,9 @@ port = ssh
 #
 protocol = tcp
 
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-ipset-proto6.conf

@@ -76,3 +76,9 @@ protocol = tcp
 bantime = 600
 
 
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-multiport-log.conf

@@ -21,7 +21,7 @@ actionstart = iptables -N fail2ban-<name>
               iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
               iptables -N fail2ban-<name>-log
               iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              iptables -A fail2ban-<name>-log -j DROP
+              iptables -A fail2ban-<name>-log -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@@ -78,3 +78,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-multiport.conf

@@ -35,7 +35,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -43,7 +43,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -68,3 +68,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-new.conf

@@ -37,7 +37,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -45,7 +45,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -70,3 +70,10 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables-xt_recent-echo.conf

@@ -29,7 +29,7 @@
 #    own rules. The 3600 second timeout is independent and acts as a
 #    safeguard in case the fail2ban process dies unexpectedly. The
 #    shorter of the two timeouts actually matters.
-actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
+actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype>
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
@@ -70,3 +70,10 @@ name = default
 # Values:  [ tcp | udp | icmp | all ] Default: tcp
 #
 protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable

config/action.d/iptables.conf

@@ -35,7 +35,7 @@ actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -43,7 +43,7 @@ actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
 
 [Init]
 
@@ -68,3 +68,11 @@ protocol = tcp
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
+
+Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+blocktype = REJECT --reject-with icmp-port-unreachable
+

config/action.d/route.conf

@@ -15,11 +15,10 @@
 #   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
 
 [Definition]
-actionban   = ip route add <type> <ip>
-actionunban = ip route del <type> <ip>
+actionban   = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
 
-# Type of blocking
-#
-# Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
-
-type = blackhole
+# Option:  blocktype
+# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values:  STRING
+blocktype = prohibit

config/action.d/shorewall.conf

@@ -39,7 +39,7 @@ actioncheck =
 # Tags:    See jail.conf(5) man page
 # Values:  CMD
 #
-actionban = shorewall drop <ip>
+actionban = shorewall <blocktype> <ip>
 
 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
@@ -48,3 +48,9 @@ actionban = shorewall drop <ip>
 # Values:  CMD
 #
 actionunban = shorewall allow <ip>
+
+# Option:  blocktype
+# Note:    This is what the action does with rules.
+#          See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# Values:  STRING
+blocktype = reject