# Fail2Ban configuration file # # OpenBSD pf ban/unban # # Author: Nick Hilliard # Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6 # Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source # # [Definition] # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # we don't enable PF automatically; to enable run pfctl -e # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD) # also, these rulesets are loaded into (nested) anchors # to enable them, add as wildcard: # anchor "f2b/*" # or using jail names: # anchor f2b { # anchor name1 # anchor name2 # ... # } # to your main pf ruleset, where "namei" are the names of the jails # which invoke this action # to block all protocols use the pf[protocol=all] option actionstart = echo "table <-> persist counters" | -f- port=""; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi protocol=""; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi echo " $protocol from <-> to " | -f- # Option: start_on_demand - to start action on demand # Example: `action=pf[actionstart_on_demand=true]` actionstart_on_demand = false # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # # we only disable PF rules we've installed prior actionstop = -sr 2>/dev/null | grep -v - | -f- %(actionflush)s -t - -T kill # Option: actionflush # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Values: CMD # actionflush = -t - -T flush # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -sr | grep -q - # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: IP address # number of failures #