Date:      Tue, 17 Oct 2017 10:15:28 -0600
From:      "Janky Jay, III" <jankyj@unfs.us>
To:        freebsd-ports@freebsd.org
Subject:   Re: FreeBSD Port: py27-fail2ban-0.10.1
Message-ID:  <07e73217-1b6c-07c6-562c-e1b0bf49cee4@unfs.us>
In-Reply-To: <8aa48ea4-4740-539f-6bbe-0b95dba59b5c@gmail.com>
References:  <49fbc280-f598-6734-0bdb-dfd24de4fa56@gmail.com> <nycvar.OFS.7.76.1710171440310.1189@ybpnyubfg.zl.qbznva> <8aa48ea4-4740-539f-6bbe-0b95dba59b5c@gmail.com>

Hello,

	In the new 0.10 version, the action rule creates the tables for you
based on the jail configuration. If you look at the jail files, you'll
see that you now call pfctl using additional arguments such as ports
that are affected and a suffix to add to the default "f2b-" table name.

	So, essentially, there is no reason to create tables in the
pf.conf/pf.rules file anymore. They are automatically created when a
fail2ban filter is triggered and the IP is then added to it.

On 10/17/2017 07:16 AM, Alex V. Petrov wrote:
> In the old version I did so.
>
>
> 17.10.2017 19:47, Tommy Scheunemann wrote:
>> Hi,
>>
>> a simple setup that does the job for me:
>>
>> In /etc/pf.conf (bge0 is my external interface)
>>
>> --- SNIP ---
>> int_ext="bge0"
>> ...
>> table <badhosts>
>> ...
>> block in quick on $int_ext from <badhosts> to any
>> ...
>> --- SNIP ---
>>
>> And in ${PREFIX}/fail2ban/action.d defining a new "pf" action, e.g. pf.conf
>>
>> --- SNIP ---
>> [Definition]
>> actionban = /usr/local/bin/drop_ban <ip>
>> actionunban = /usr/local/bin/drop_unban <ip>
>> actioncheck =
>> actionstart =
>> actionstop =
>>
>> [Init]
>> --- SNIP ---
>>
>> And the "drop_ban" and "drop_unban" scripts:
>>
>> for ban:
>>
>> --- SNIP ---
>> #!/bin/sh
>> IP=$1
>> /sbin/pfctl -t badhosts -T add "$IP"
>> --- SNIP ---
>>
>> for unban
>>
>> --- SNIP ---
>> #!/bin/sh
>> IP=$1
>> /sbin/pfctl -t badhosts -T del "$IP"
>> --- SNIP ---
>>
>> I'm using scripts instead of directly using actionban / actionunban to
>> do some additional things like running a tcpdrop, having some better
>> logging.
>>
>> Once done with all this, you can use "action = pf" in your jail.conf file.
>>
>> Apart from this, I'd highly recommend putting all this into some configuration
>> system (Ansible, Puppet, Cfengine etc.).
>> Updating the package / port will overwrite your local changes!
>>
>> Have fun & good luck
>>
>> On Tue, 17 Oct 2017, Alex V. Petrov wrote:
>>
>>> Need a working sample for the new version of the port for pf.
>>>
>>> -----
>>> Alex.
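The following added example, which is not from anyone in the thread, folds the quoted drop_ban and drop_unban wrappers into one script that checks the operation and the address before calling pfctl. The names `is_ipv4` and `table_op` and the `PFCTL`/`TABLE` environment overrides are assumptions made here, and it accepts IPv4 addresses only.

```sh
#!/bin/sh
# Added example, not code from the thread: one wrapper for ban and unban that
# checks its arguments before they reach pfctl.
# Assumptions: table name "badhosts" as in the quoted scripts; PFCTL and TABLE
# may be overridden from the environment; IPv4 only.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-badhosts}"

# Succeed only for a dotted quad whose four octets are 0..255 without leading
# zeros (some parsers read a leading zero as octal).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        count=$((count + 1))
        case "$octet" in
            0?*|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# table_op add|delete ADDRESS: run pfctl against the table, or refuse.
table_op() {
    op=$1
    addr=$2
    case "$op" in
        add|delete) ;;
        *) echo "usage: table_op add|delete ADDRESS" >&2; return 2 ;;
    esac
    if ! is_ipv4 "$addr"; then
        echo "table_op: refusing invalid address" >&2
        return 1
    fi
    "$PFCTL" -t "$TABLE" -T "$op" "$addr"
}

# Act only when called with arguments, e.g. from actionban / actionunban.
[ "$#" -eq 0 ] || table_op "$@"
```

Installed under a path of your choosing, the script takes `add <ip>` from actionban and `delete <ip>` from actionunban.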

