mirror of https://github.com/fail2ban/fail2ban
improve PF action and make IPv6 aware
Alexander Koeppe
sebres
parent
1a6450643d
commit
ed2f3ef77d
|
|
@ -3,6 +3,7 @@
|
|||
# OpenBSD pf ban/unban
|
||||
#
|
||||
# Author: Nick Hilliard <nick@foobar.org>
|
||||
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
|
||||
#
|
||||
#
|
||||
|
||||
|
|
@ -12,23 +13,27 @@
|
|||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
# Values: CMD
|
||||
#
|
||||
# we don't enable PF automatically, as it will be enabled elsewhere
|
||||
actionstart =
|
||||
# we don't enable PF automatically; to enable run pfctl -e
|
||||
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
|
||||
actionstart = echo "table <<tablename>-<name>> persist counters" | pfctl -f-
|
||||
echo "block proto <protocol> from <<tablename>-<name>> to any port <port>" | pfctl -f-
|
||||
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
# we don't disable PF automatically either
|
||||
actionstop =
|
||||
# we only disable PF rules we've installed prior
|
||||
actionstop = pfctl -sr 2>/dev/null | grep -v '<tablename>-<name>' | pfctl -f-
|
||||
pfctl -t <tablename>-<name> -T flush
|
||||
pfctl -t <tablename>-<name> -T kill
|
||||
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck =
|
||||
actioncheck = pfctl -sr | grep -q '<tablename>-<name>'
|
||||
|
||||
|
||||
# Option: actionban
|
||||
|
|
@ -39,7 +44,7 @@ actioncheck =
|
|||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
|
||||
actionban = pfctl -t <tablename>-<name> -T add <ip>
|
||||
|
||||
|
||||
# Option: actionunban
|
||||
|
|
@ -51,7 +56,7 @@ actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
|
|||
# Values: CMD
|
||||
#
|
||||
# note -r option used to remove matching rule
|
||||
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
|
||||
actionunban = pfctl -t <tablename>-<name> -T delete <ip>
|
||||
|
||||
[Init]
|
||||
# Option: tablename
|
||||
|
|
@ -60,3 +65,15 @@ actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32
|
|||
#
|
||||
tablename = fail2ban
|
||||
|
||||
# Option: protocol
|
||||
# Notes.: internally used by config reader for interpolations.
|
||||
# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
|
||||
#
|
||||
protocol = tcp
|
||||
|
||||
# Option: port
|
||||
# Notes.: the port to block, defaults to any
|
||||
# Values: [ STRING ]
|
||||
#
|
||||
port = any
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue