aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf')
-rw-r--r--straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf94
1 files changed, 94 insertions, 0 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf
new file mode 100644
index 0000000..d002945
--- /dev/null
+++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf
@@ -0,0 +1,94 @@
+# Fail2Ban configuration file
+#
+# Author: Nick Munger
+# Modified by: Ken Menzel
+# Daniel Black (start/stop)
+# Fabian Wenk (many ideas as per fail2ban users list)
+#
+# Ensure firewall_enable="YES" in the top of /etc/rc.conf
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart = ipfw show | fgrep -c -m 1 -s 'table(<table>)' > /dev/null 2>&1 || (
+ num=$(ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 == b) { b = $1 + 1 } } END { print b }');
+ ipfw -q add "$num" <blocktype> <block> from table\(<table>\) to me <port>; echo "$num" > "<startstatefile>"
+ )
+
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop = [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# requires an ipfw rule like "deny ip from table(1) to me"
+actionban = e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || echo "$e" | grep -q "record already exists" || { echo "$e" 1>&2; exit $x; }
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || echo "$e" | grep -q "record not found" || { echo "$e" 1>&2; exit $x; }
+
+[Init]
+# Option: table
+# Notes: The ipfw table to use. If a ipfw rule using this table already exists,
+# this action will not create a ipfw rule to block it and the following
+# options will have no effect.
+# Values: NUM
+table = 1
+
+# Option: port
+# Notes.: Specifies port to monitor. Blank indicate block all ports.
+# Values: [ NUM | STRING ]
+#
+port =
+
+# Option: startstatefile
+# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table.
+# Values: STRING
+startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
+
+# Option: block
+# Notes: This is how much to block.
+# Can be "ip", "tcp", "udp" or various other options.
+# Values: STRING
+block = ip
+
+# Option: blocktype
+# Notes.: How to block the traffic. Use a action from man 5 ipfw
+# Common values: deny, unreach port, reset
+# ACTION definition at the top of man ipfw for allowed values.
+# Values: STRING
+#
+blocktype = unreach port
+
+# Option: lowest_rule_num
+# Notes: When fail2ban starts with action and there is no rule for the given table yet
+# then fail2ban will start looking for an empty slot starting with this rule number.
+# Values: NUM
+lowest_rule_num = 111
+
+