diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf')
| -rw-r--r-- | straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf new file mode 100644 index 0000000..7181ed9 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf @@ -0,0 +1,128 @@ +# Fail2Ban configuration file +# +# OpenBSD pf ban/unban +# +# Author: Nick Hilliard <nick@foobar.org> +# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6 +# Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source +# +# + +[Definition] + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +# we don't enable PF automatically; to enable run pfctl -e +# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD) +# also, these rulesets are loaded into (nested) anchors +# to enable them, add as wildcard: +# anchor "f2b/*" +# or using jail names: +# anchor f2b { +# anchor name1 +# anchor name2 +# ... +# } +# to your main pf ruleset, where "namei" are the names of the jails +# which invoke this action +# to block all protocols use the pf[protocol=all] option +actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f- + port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi + protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi + echo "<block> $protocol from <<tablename>-<name>> to <actiontype>" | <pfctl> -f- + +# Option: start_on_demand - to start action on demand +# Example: `action=pf[actionstart_on_demand=true]` +actionstart_on_demand = false + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +# we only disable PF rules we've installed prior +actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f- + %(actionflush)s + <pfctl> -t <tablename>-<name> -T kill + + +# Option: actionflush +# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) +# Values: CMD +# +actionflush = <pfctl> -t <tablename>-<name> -T flush + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = <pfctl> -sr | grep -q <tablename>-<name> + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: <ip> IP address +# <failures> number of failures +# <time> unix timestamp of the ban time +# Values: CMD +# +actionban = <pfctl> -t <tablename>-<name> -T add <ip> + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: <ip> IP address +# <failures> number of failures +# <time> unix timestamp of the ban time +# Values: CMD +# +# note -r option used to remove matching rule +actionunban = <pfctl> -t <tablename>-<name> -T delete <ip> + +# Option: pfctl +# +# Use anchor as jailname to manipulate affected rulesets only. +# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]` +# +pfctl = pfctl -a f2b/<name> + +[Init] +# Option: tablename +# Notes.: The pf table name. +# Values: [ STRING ] +# +tablename = f2b + +# Option: block +# +# The action you want pf to take. +# Probably, you want "block quick", but adjust as needed. +# If you want to log all blocked use "blog log quick" +block = block quick + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp +# +protocol = tcp + +# Option: actiontype +# Notes.: defines additions to the blocking rule +# Values: leave empty to block all attempts from the host +# Default: Value of the multiport +actiontype = <multiport> + +# Option: allports +# Notes.: default addition to block all ports +# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]" +allports = any + +# Option: multiport +# Notes.: addition to block access only to specific ports +# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]" +multiport = any port $port + |
