FreeBSD Port: py27-fail2ban-0.10.1

Janky Jay, III jankyj at unfs.us
Tue Oct 17 16:21:25 UTC 2017


Hello,

	In the new 0.10 version, the action rule creates the tables for you
based on the jail configuration. If you look at the jail files, you'll
see that you now call pfctl using additional arguments such as ports
that are affected and a suffix to add to the default "f2b-" table name.

	So, essentially, there is no reason to create tables in the
pf.conf/pf.rules file anymore. They are automatically created when a
fail2ban filter is triggered and the IP is then added to it.

On 10/17/2017 07:16 AM, Alex V. Petrov wrote:
> In the old version I did so.
> 
> 
> On 17.10.2017 19:47, Tommy Scheunemann wrote:
>> Hi,
>>
>> a simple setup that does the job for me:
>>
>> In /etc/pf.conf (bge0 is my external interface)
>>
>> --- SNIP ---
>> int_ext="bge0"
>> ...
>> table <badhosts>
>> ...
>> block in quick on $int_ext from <badhosts> to any
>> ...
>> --- SNIP ---
>>
>> And in ${PREFIX}/fail2ban/action.d defining a new "pf" action, e.g. pf.conf
>>
>> --- SNIP ---
>> [Definition]
>> actionban = /usr/local/bin/drop_ban <ip>
>> actionunban = /usr/local/bin/drop_unban <ip>
>> actioncheck =
>> actionstart =
>> actionstop =
>>
>> [Init]
>> --- SNIP ---
>>
>> And the "drop_ban" and "drop_unban" scripts:
>>
>> for ban:
>>
>> --- SNIP ---
>> #!/bin/sh
>> IP=$1
>> /sbin/pfctl -t badhosts -T add $IP
>> --- SNIP ---
>>
>> for unban
>>
>> --- SNIP ---
>> #!/bin/sh
>> IP=$1
>> /sbin/pfctl -t badhosts -T del $IP
>> --- SNIP ---
>>
>> I'm using scripts instead of directly using actionban / actionunban so I
>> can do some additional things, like running a tcpdrop and having better
>> logging.
>>
>> Once done with all this, you can use "action = pf" in your jail.conf file.
>>
>> Apart from this, I'd highly recommend putting all this into some
>> configuration system (Ansible, Puppet, Cfengine etc.).
>> Updating the package / port will overwrite your local changes!
>>
>> Have fun & good luck
>>
>> On Tue, 17 Oct 2017, Alex V. Petrov wrote:
>>
>>> Need a working sample for the new version of the port for pf.
>>>
>>> -----
>>> Alex.

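The drop_ban / drop_unban scripts quoted above from Tommy Scheunemann's reply pass fail2ban's `<ip>` argument to pfctl unquoted and unchecked. The script below is an added example, not from the thread or from the fail2ban port: it merges both scripts into one, validates the address before it reaches pfctl or the shell, logs each action via logger, and on ban also drops established TCP sessions with tcpdrop. It assumes the `<badhosts>` table from the quoted pf.conf, FreeBSD's `tcpdrop -l -a` output format ("tcpdrop laddr lport faddr fport"), and the hypothetical script name f2b_pf.sh.

```shell
#!/bin/sh
# f2b_pf.sh (hypothetical name): usage  f2b_pf.sh ban|unban <ip>
# Assumes pf.conf declares "table <badhosts>" as in the quoted setup.
TABLE=${TABLE:-badhosts}
PFCTL=${PFCTL:-/sbin/pfctl}

# Exactly four dotted decimal octets, each 0-255, no other characters.
valid_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Hex groups and colons only, at least two colons, at most 39 characters;
# finer syntax checking is left to pfctl, which rejects bad addresses.
valid_ipv6() {
    case "$1" in
        *[!0-9a-fA-F:]*|*:::*) return 1 ;;
        *:*:*) [ ${#1} -le 39 ] ;;
        *) return 1 ;;
    esac
}

valid_ip() { valid_ipv4 "$1" || valid_ipv6 "$1"; }

# Print the pfctl command for ban/unban without running it; fails on an
# unknown mode or an invalid address so callers can log and bail out.
pf_table_cmd() {
    case "$1" in
        ban)   op=add ;;
        unban) op=del ;;
        *)     return 1 ;;
    esac
    valid_ip "$2" || return 1
    printf '%s -t %s -T %s %s\n' "$PFCTL" "$TABLE" "$op" "$2"
}

main() {
    cmd=$(pf_table_cmd "$1" "$2") || {
        logger -t f2b-pf "rejected request: mode='$1' ip='$2'"; exit 2; }
    $cmd || exit 1
    logger -t f2b-pf "$1 $2 (table $TABLE)"
    # Kill existing TCP sessions whose foreign address is the banned host.
    if [ "$1" = ban ]; then
        tcpdrop -l -a | awk -v ip="$2" '$4 == ip' | sh
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Point actionban / actionunban in the pf action at `f2b_pf.sh ban <ip>` and `f2b_pf.sh unban <ip>`; with `PFCTL=echo` the script prints what it would run instead of changing the table.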