mirror of https://github.com/fail2ban/fail2ban
improve PF action and make IPv6 aware
Alexander Koeppe
parent
13ae078797
commit
4295ded9b6
|
|
@ -3,6 +3,7 @@
|
||||||
# OpenBSD pf ban/unban
|
# OpenBSD pf ban/unban
|
||||||
#
|
#
|
||||||
# Author: Nick Hilliard <nick@foobar.org>
|
# Author: Nick Hilliard <nick@foobar.org>
|
||||||
|
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
@ -12,23 +13,27 @@
|
||||||
# Notes.: command executed once at the start of Fail2Ban.
|
# Notes.: command executed once at the start of Fail2Ban.
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
# we don't enable PF automatically, as it will be enabled elsewhere
|
# we don't enable PF automatically; to enable run pfctl -e
|
||||||
actionstart =
|
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
|
||||||
|
actionstart = echo "table <<tablename>-<name>> persist counters" | pfctl -f-
|
||||||
|
echo "block proto <protocol> from <<tablename>-<name>> to any port <port>" | pfctl -f-
|
||||||
|
|
||||||
|
|
||||||
# Option: actionstop
|
# Option: actionstop
|
||||||
# Notes.: command executed once at the end of Fail2Ban
|
# Notes.: command executed once at the end of Fail2Ban
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
# we don't disable PF automatically either
|
# we only disable PF rules we've installed prior
|
||||||
actionstop =
|
actionstop = pfctl -sr 2>/dev/null | grep -v '<tablename>-<name>' | pfctl -f-
|
||||||
|
pfctl -t <tablename>-<name> -T flush
|
||||||
|
pfctl -t <tablename>-<name> -T kill
|
||||||
|
|
||||||
|
|
||||||
# Option: actioncheck
|
# Option: actioncheck
|
||||||
# Notes.: command executed once before each actionban command
|
# Notes.: command executed once before each actionban command
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actioncheck =
|
actioncheck = pfctl -sr | grep -q '<tablename>-<name>'
|
||||||
|
|
||||||
|
|
||||||
# Option: actionban
|
# Option: actionban
|
||||||
|
|
@ -39,7 +44,7 @@ actioncheck =
|
||||||
# <time> unix timestamp of the ban time
|
# <time> unix timestamp of the ban time
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
|
actionban = pfctl -t <tablename>-<name> -T add <ip>
|
||||||
|
|
||||||
|
|
||||||
# Option: actionunban
|
# Option: actionunban
|
||||||
|
|
@ -51,7 +56,7 @@ actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
|
||||||
# Values: CMD
|
# Values: CMD
|
||||||
#
|
#
|
||||||
# note -r option used to remove matching rule
|
# note -r option used to remove matching rule
|
||||||
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
|
actionunban = pfctl -t <tablename>-<name> -T delete <ip>
|
||||||
|
|
||||||
[Init]
|
[Init]
|
||||||
# Option: tablename
|
# Option: tablename
|
||||||
|
|
@ -60,3 +65,15 @@ actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
|
||||||
#
|
#
|
||||||
tablename = fail2ban
|
tablename = fail2ban
|
||||||
|
|
||||||
|
# Option: protocol
|
||||||
|
# Notes.: internally used by config reader for interpolations.
|
||||||
|
# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
|
||||||
|
#
|
||||||
|
protocol = tcp
|
||||||
|
|
||||||
|
# Option: port
|
||||||
|
# Notes.: the port to block, defaults to any
|
||||||
|
# Values: [ STRING ]
|
||||||
|
#
|
||||||
|
port = any
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue