Merge pull request #3503 from repcsi/pf_allproto

BSD Pf allproto actiontype to block all communication from source on IP level
pull/3467/merge
Sergey G. Brester 2023-12-10 16:11:05 +01:00 committed by GitHub
commit 5277e91013
3 changed files with 9 additions and 4 deletions

1
THANKS

@ -22,6 +22,7 @@ Andrey G. Grozin
Andy Fragen Andy Fragen
Arturo 'Buanzo' Busleiman Arturo 'Buanzo' Busleiman
Axel Thimm Axel Thimm
Balazs Mateffy
Bas van den Dikkenberg Bas van den Dikkenberg
Beau Raines Beau Raines
Bill Heaton Bill Heaton


@ -4,6 +4,7 @@
# #
# Author: Nick Hilliard <nick@foobar.org> # Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6 # Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
# Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source
# #
# #
@ -26,9 +27,11 @@
# } # }
# to your main pf ruleset, where "namei" are the names of the jails # to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action # which invoke this action
# to block all protocols use the pf[protocol=all] option
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f- actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f- protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi
echo "<block> $protocol from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
# Option: start_on_demand - to start action on demand # Option: start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]` # Example: `action=pf[actionstart_on_demand=true]`
@ -98,6 +101,7 @@ tablename = f2b
# #
# The action you want pf to take. # The action you want pf to take.
# Probably, you want "block quick", but adjust as needed. # Probably, you want "block quick", but adjust as needed.
# If you want to log all blocked use "blog log quick"
block = block quick block = block quick
# Option: protocol # Option: protocol
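Review bot: The `else protocol=all` branch in the new `actionstart` shell line produces the rule `<block> all from <<tablename>-<name>> to <actiontype>`, and in the pf.conf(5) grammar `all` is the alternative to the whole `from … to …` host specification (shorthand for `from any to any`), not a protocol wildcard, so pfctl will most likely reject that line with a syntax error; omitting the protocol clause is what matches every protocol, i.e. `protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=""; fi`. pf also only accepts a `port` clause on tcp/udp rules, so `protocol=all` appears to be consistent only with the allports actiontype (`to any`) and not with the default `to any port $port`; the new comment `# to block all protocols use the pf[protocol=all] option` should state that restriction, e.g. append `(combine with the allports action, a port list is not valid without a tcp/udp proto)`, and both points are worth confirming with `pfctl -nf -` before release. The comment added in the later hunk, `# If you want to log all blocked use "blog log quick"`, has a typo and should read `"block log quick"`.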


@ -1832,7 +1832,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'start': ( 'start': (
'`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`', '`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`',
'port="<port>"', 'port="<port>"',
'`echo "block quick proto tcp from <f2b-j-w-pf> to any port $port" | pfctl -a f2b/j-w-pf -f-`', '`echo "block quick $protocol from <f2b-j-w-pf> to any port $port" | pfctl -a f2b/j-w-pf -f-`',
), ),
'flush': ( 'flush': (
'`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`', '`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`',
@ -1855,7 +1855,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'start': ( 'start': (
'`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`', '`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
'port="http,https"', 'port="http,https"',
'`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`', '`echo "block quick $protocol from <f2b-j-w-pf-mp> to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`',
), ),
'flush': ( 'flush': (
'`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`', '`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`',
@ -1877,7 +1877,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'ip4': (), 'ip6': (), 'ip4': (), 'ip6': (),
'ip4-start': ( 'ip4-start': (
'`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`', '`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`',
'`echo "block quick proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`', '`echo "block quick $protocol from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`',
), ),
'ip6-start': (), # the same as ipv4 'ip6-start': (), # the same as ipv4
'flush': ( 'flush': (
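Review bot: The three updated expectations (this hunk and the two before it) only replace the literal `proto tcp` with the unexpanded shell variable `$protocol`, so they verify that the config reader still emits the line but no longer pin which protocol clause the rule ends up with, and none of the jails sets `protocol=all`, leaving the new branch in pf.conf untested. Since these strings are compared before the shell runs, a test cannot catch an invalid pf rule either; at least one jail with `action = pf[protocol=all, ...]` on the allports variant, asserting the same `$protocol` line, would document that the option is expected to be combined with `to any`. The enclosing `ServerConfigReaderTests` method starts and ends outside the hunk.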