aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf
diff options
context:
space:
mode:
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf')
-rw-r--r--straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf128
1 files changed, 128 insertions, 0 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf
new file mode 100644
index 0000000..7181ed9
--- /dev/null
+++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf
@@ -0,0 +1,128 @@
+# Fail2Ban configuration file
+#
+# OpenBSD pf ban/unban
+#
+# Author: Nick Hilliard <nick@foobar.org>
+# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
+# Modified by: Balazs Mateffy adding allproto option so all traffic gets blocked from the malicious source
+#
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+# we don't enable PF automatically; to enable run pfctl -e
+# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
+# also, these rulesets are loaded into (nested) anchors
+# to enable them, add as wildcard:
+# anchor "f2b/*"
+# or using jail names:
+# anchor f2b {
+# anchor name1
+# anchor name2
+# ...
+# }
+# to your main pf ruleset, where "namei" are the names of the jails
+# which invoke this action
+# to block all protocols use the pf[protocol=all] option
+actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
+ port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
+ protocol="<protocol>"; if [ "$protocol" != "all" ]; then protocol="proto $protocol"; else protocol=all; fi
+ echo "<block> $protocol from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
+
+# Option: start_on_demand - to start action on demand
+# Example: `action=pf[actionstart_on_demand=true]`
+actionstart_on_demand = false
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+# we only disable PF rules we've installed prior
+actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
+ %(actionflush)s
+ <pfctl> -t <tablename>-<name> -T kill
+
+
+# Option: actionflush
+# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
+# Values: CMD
+#
+actionflush = <pfctl> -t <tablename>-<name> -T flush
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = <pfctl> -sr | grep -q <tablename>-<name>
+
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+actionban = <pfctl> -t <tablename>-<name> -T add <ip>
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+# note -r option used to remove matching rule
+actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
+
+# Option: pfctl
+#
+# Use anchor as jailname to manipulate affected rulesets only.
+# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
+#
+pfctl = pfctl -a f2b/<name>
+
+[Init]
+# Option: tablename
+# Notes.: The pf table name.
+# Values: [ STRING ]
+#
+tablename = f2b
+
+# Option: block
+#
+# The action you want pf to take.
+# Probably, you want "block quick", but adjust as needed.
+# If you want to log all blocked use "blog log quick"
+block = block quick
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
+#
+protocol = tcp
+
+# Option: actiontype
+# Notes.: defines additions to the blocking rule
+# Values: leave empty to block all attempts from the host
+# Default: Value of the multiport
+actiontype = <multiport>
+
+# Option: allports
+# Notes.: default addition to block all ports
+# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]"
+allports = any
+
+# Option: multiport
+# Notes.: addition to block access only to specific ports
+# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
+multiport = any port $port
+