From f2bcf84893b13e1dd69b63074c0064b79978af1d Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sat, 31 Aug 2013 11:40:04 +1000
Subject: [PATCH] BF: action.d/bsd-ipfw - use blocktype instead of unused action for icmp rejecting blocked packets

---
 ChangeLog | 4 +++-
 config/action.d/bsd-ipfw.conf | 17 +++++++++--------
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c3811a47..cadca394 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,7 +32,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
 * action.d/hostsdeny -- NOTE: new dependancy 'ed'. Switched to use 'ed' across all platforms to ensure permissions are the same before and after a ban - closes gh-266. hostsdeny supports daemon_list now too.
- * filter.d/roundcube-auth - timezone offset can be positive or negative
+ * filter.d/roundcube-auth - timezone offset can be positive or negative
+ * action.d/bsd-ipfw - action option unsed. Fixed to blocktype for
+ consistency. default to port unreach instead of deny
 Rolf Fokkens
 * action.d/dshield.conf and complain.conf -- reorder mailx arguements.
 https://bugzilla.redhat.com/show_bug.cgi?id=998020
diff --git a/config/action.d/bsd-ipfw.conf b/config/action.d/bsd-ipfw.conf
index 059de386..1285361d 100644
--- a/config/action.d/bsd-ipfw.conf
+++ b/config/action.d/bsd-ipfw.conf
@@ -14,7 +14,7 @@
 # Notes.: command executed once at the start of Fail2Ban.
 # Values: CMD
 #
-actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num deny from table\(
\) to me ; echo $num > "" )
+actionstart = ipfw show | fgrep -q 'table(
)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" )
 # Option: actionstop
@@ -68,15 +68,16 @@ port =
 # Values: STRING
 startstatefile = /var/run/fail2ban/ipfw-started-table_
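Review bot: The existence check at the front of the new actionstart line still only greps `ipfw show` for the table name, so a rule left behind by an earlier version (created with the literal `deny`) is treated as already present and the new blocktype default is never applied until that rule is removed by hand or via actionstop. The action keyword itself is missing from the visible `ipfw -q add $num from table\(...\) to me`; presumably that is a `<blocktype>` placeholder lost in rendering, as the `<table>` and `<startstatefile>` placeholders on the same line appear to be, but it is worth confirming against the file, since without it ipfw rejects the rule and the ban table is never attached. A one-line comment above actionstart would save operators a confusing upgrade: `# Note: an existing rule for this table is reused as-is; remove it (or run actionstop) for a changed blocktype to take effect`.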
-# Option: action
-# Notes: This is the action to take for automaticly created rules. See the
-# ACTION defination at the top of man ipfw for allowed values.
-# "deny" and "unreach port" are probably the useful.
-# Values: STRING
-action = deny
-
 # Option: block
 # Notes: This is how much to block.
 # Can be "ip", "tcp", "udp" or various other options.
 # Values: STRING
 block = ip
+
+# Option: blocktype
+# Notes.: How to block the traffic. Use a action from man 5 ipfw
+# Common values: deny, unreach port, reset
+# ACTION defination at the top of man ipfw for allowed values.
+# Values: STRING
+#
+blocktype = unreach port
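Review bot: The new Notes line sends readers to `man 5 ipfw`, but ipfw is documented in section 8 (ipfw(8)); section 5 is file formats, and the same line already duplicates the "ACTION defination at the top of man ipfw" reference two lines below, so one of the two can go. The comment should also record the trade-off the new default introduces: `deny` silently drops, whereas `unreach port` answers every blocked packet with an ICMP unreachable (which tells the banned host the machine is up), and per ipfw(8) `reset` only emits a response for TCP. Suggested wording: `# Notes.: ipfw action applied to traffic from banned hosts; see the ACTION section of ipfw(8).` followed by `# Common values: deny (silent drop), unreach port (ICMP port-unreachable reply), reset (TCP RST, TCP only)`. Minor: `Notes.:` differs from the `Notes:` used by the neighbouring block option, and "a action"/"defination" are typos.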