View file File name : pf.conf Content :# Fail2Ban configuration file # # OpenBSD pf ban/unban # # Author: Nick Hilliard <nick@foobar.org> # Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6 # # [Definition] # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # # we don't enable PF automatically; to enable run pfctl -e # or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD) # also, these rulesets are loaded into (nested) anchors # to enable them, add as wildcard: # anchor "f2b/*" # or using jail names: # anchor f2b { # anchor name1 # anchor name2 # ... # } # to your main pf ruleset, where "namei" are the names of the jails # which invoke this action actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f- port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f- # Option: start_on_demand - to start action on demand # Example: `action=pf[actionstart_on_demand=true]` actionstart_on_demand = false # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # # we only disable PF rules we've installed prior actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f- %(actionflush)s <pfctl> -t <tablename>-<name> -T kill # Option: actionflush # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Values: CMD # actionflush = <pfctl> -t <tablename>-<name> -T flush # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = <pfctl> -sr | grep -q <tablename>-<name> # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # actionban = <pfctl> -t <tablename>-<name> -T add <ip> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: <ip> IP address # <failures> number of failures # <time> unix timestamp of the ban time # Values: CMD # # note -r option used to remove matching rule actionunban = <pfctl> -t <tablename>-<name> -T delete <ip> # Option: pfctl # # Use anchor as jailname to manipulate affected rulesets only. # If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]` # pfctl = pfctl -a f2b/<name> [Init] # Option: tablename # Notes.: The pf table name. # Values: [ STRING ] # tablename = f2b # Option: block # # The action you want pf to take. # Probably, you want "block quick", but adjust as needed. block = block quick # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp # protocol = tcp # Option: actiontype # Notes.: defines additions to the blocking rule # Values: leave empty to block all attempts from the host # Default: Value of the multiport actiontype = <multiport> # Option: allports # Notes.: default addition to block all ports # Usage.: use in jail config: "banaction = pf[actiontype=<allports>]" allports = any # Option: multiport # Notes.: addition to block access only to specific ports # Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]" multiport = any port $port