Tweaks to action.d/pf.conf

Document recent changes. Add an option to customize the pf block rule (surely, what the user really wants, here, is "block quick").
2017-08-17 09:13:32 -05:00 · 2017-08-17 09:13:32 -05:00 · d646d06e91
parent fdcd847f4a
commit d646d06e91
2 changed files with 20 additions and 4 deletions
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@ -15,8 +15,17 @@
 #
 # we don't enable PF automatically; to enable run pfctl -e 
 # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
 # also, these rulesets are loaded into (nested) anchors
 # to enable them, add
 #     anchor f2b {
 #        name1
 #        name2
 #        ...
 #     }
 # to your main pf ruleset, where "namei" are the names of the jails
 # which invoke this action
 actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f- 
-              echo "block proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
+              echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
 # Option:  start_on_demand - to start action on demand
 # Example: `action=pf[actionstart_on_demand=true]`
@ -75,6 +84,12 @@ pfctl = pfctl -a f2b/<name>
 #
 tablename = f2b
 # Option: block
 #
 # The action you want pf to take.
 # Probably, you want "block quick", but adjust as needed.
 block = block quick
 # Option:  protocol
 # Notes.:  internally used by config reader for interpolations.
 # Values:  [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
@ -96,3 +111,4 @@ allports = any
 # Notes.: addition to block access only to specific ports
 # Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
 multiport = any port <port>
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@ -1525,7 +1525,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'ip4': (), 'ip6': (),
 					'start': (
 						'`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf> to any port <port>" | pfctl -a f2b/j-w-pf -f-`',
+						'`echo "block quick proto tcp from <f2b-j-w-pf> to any port <port>" | pfctl -a f2b/j-w-pf -f-`',
 					),
 					'stop': (
 						'`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`',
@ -1544,7 +1544,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'ip4': (), 'ip6': (),
 					'start': (
 						'`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf-mp> to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
+						'`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port http" | pfctl -a f2b/j-w-pf-mp -f-`',
 					),
 					'stop': (
 						'`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`',
@ -1563,7 +1563,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
 					'ip4': (), 'ip6': (),
 					'ip4-start': (
 						'`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`',
-						'`echo "block proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`',
+						'`echo "block quick proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`',
 					),
 					'ip6-start': (), # the same as ipv4
 					'stop': (