Date: Wed, 12 Jun 2013 15:53:36 +0300 (EEST)
From: Sayetsky Anton <vsjcfm@gmail.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/179512: [patch] security/py-fail2ban: remove PF config patch, clean-up IPFW config patch
Message-ID: <201306121253.r5CCraRm081407@jw.lds.net.ua>
Resent-Message-ID: <201306121300.r5CD01Jd008334@freefall.freebsd.org>
>Number:         179512
>Category:       ports
>Synopsis:       [patch] security/py-fail2ban: remove PF config patch, clean-up IPFW config patch
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 12 13:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Sayetsky Anton
>Release:        FreeBSD 9.1-RELEASE-p3 amd64
>Organization:
>Environment:
System: FreeBSD jw.local 9.1-RELEASE-p3 FreeBSD 9.1-RELEASE-p3 #0 r250095: Tue Apr 30 12:25:23 EEST 2013 root@jw.local:/usr/obj/media/dvlfiles/build/src/sys/JASONW amd64
>Description:
After updating fail2ban to the latest version, I've found two things:
1. The action file for PF is already present in the dist, so we don't need it anymore in the ports tree.
2. The action file for IPFW now contains "actionstart" (creating the blocking rule) & "actionstop" (deleting the blocking rule). I think that's incorrect because in this setup the number of the blocking rule is determined by fail2ban itself. I think that the blocking rule must be added by the firewall administrator only.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- patch.txt begins here --- Index: Makefile =================================================================== --- Makefile (revision 320663) +++ Makefile (working copy) @@ -3,6 +3,7 @@ PORTNAME= fail2ban PORTVERSION= 0.8.9 +PORTREVISION= 1 CATEGORIES= security python MASTER_SITES= https://github.com/${PORTNAME}/${PORTNAME}/tarball/${PORTVERSION}/ PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} Index: files/patch-bsd-ipfw.conf =================================================================== --- files/patch-bsd-ipfw.conf (revision 320663) +++ files/patch-bsd-ipfw.conf (working copy) 
@@ -1,75 +1,46 @@ ---- /dev/null 2012-11-27 18:04:17.000000000 +0100 -+++ config/action.d/bsd-ipfw.conf 2012-11-27 18:06:29.000000000 +0100 -@@ -0,0 +1,72 @@ -+# Fail2Ban configuration file -+# -+# Author: Nick Munger -+# Modified by: Ken Menzel -+# -+ -+[Definition] -+ -+# Option: actionstart -+# Notes.: command executed once at the start of Fail2Ban. -+# Values: CMD -+# -+actionstart = -+ -+ -+# Option: actionstop -+# Notes.: command executed once at the end of Fail2Ban -+# Values: CMD -+# -+actionstop = -+ -+ -+# Option: actioncheck -+# Notes.: command executed once before each actionban command -+# Values: CMD -+# -+actioncheck = -+ -+ -+# Option: actionban -+# Notes.: command executed when banning an IP. Take care that the -+# command is executed with Fail2Ban user rights. -+# Tags: <ip> IP address -+# <failures> number of failures -+# <time> unix timestamp of the ban time -+# <table> ipfw table to use -+# Values: CMD -+# -+# requires an ipfw rule like "deny ip from table(1) to me" -+actionban = ipfw table <table> add <ip> -+ -+ -+# Option: actionunban -+# Notes.: command executed when unbanning an IP. Take care that the -+# command is executed with Fail2Ban user rights. -+# Tags: <ip> IP address -+# <failures> number of failures -+# <time> unix timestamp of the ban time -+# <table> ipfw table to use -+# Values: CMD -+# -+actionunban = ipfw table <table> delete <ip> -+ -+[Init] -+ -+# Option: port -+# Notes.: specifies port to monitor -+# Values: [ NUM | STRING ] -+# -+#port = ssh -+port = ftp -+ -+# Option: localhost -+# Notes.: the local IP address of the network interface -+# Values: IP -+# -+localhost = 127.0.0.1 -+ -+# Option: table -+# Notes: the ipfw table to use -+# Values: NUM -+table = 1 +--- ./config/action.d/bsd-ipfw.conf.orig 2013-06-12 15:43:23.000000000 +0300 ++++ ./config/action.d/bsd-ipfw.conf 2013-06-12 15:44:42.000000000 +0300 +@@ -14,14 +14,14 @@ + # Notes.: command executed once at the start of Fail2Ban. 
+ # Values: CMD + # +-actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num deny <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" ) ++#actionstart = ipfw show | fgrep -q 'table(<table>)' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e <br> else exit b }'; num=$?; ipfw -q add $num deny <block> from table\(<table>\) to me <port>; echo $num > "<startstatefile>" ) + + + # Option: actionstop + # Notes.: command executed once at the end of Fail2Ban + # Values: CMD + # +-actionstop = [ -f <startstatefile> ] && ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" ) ++#actionstop = [ -f <startstatefile> ] && ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" ) + + + # Option: actioncheck +@@ -61,22 +61,22 @@ + # Notes.: Specifies port to monitor. Blank indicate block all ports. + # Values: [ NUM | STRING ] + # +-port = ++#port = + + # Option: startstatefile + # Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. + # Values: STRING +-startstatefile = /var/run/fail2ban/ipfw-started-table_<table> ++#startstatefile = /var/run/fail2ban/ipfw-started-table_<table> + + # Option: action + # Notes: This is the action to take for automaticly created rules. See the + # ACTION defination at the top of man ipfw for allowed values. + # "deny" and "unreach port" are probably the useful. + # Values: STRING +-action = deny ++#action = deny + + # Option: block + # Notes: This is how much to block. + # Can be "ip", "tcp", "udp" or various other options. 
+ # Values: STRING +-block = ip ++#block = ip Index: files/patch-pf.conf =================================================================== --- files/patch-pf.conf (revision 320663) +++ files/patch-pf.conf (working copy) @@ -1,59 +0,0 @@ ---- /dev/null 2010-01-12 16:33:00.000000000 -0500 -+++ ./config/action.d/pf.conf 2010-01-12 16:26:51.000000000 -0500 -@@ -0,0 +1,56 @@ -+# Fail2Ban configuration file -+# -+# OpenBSD pf ban/unban -+# -+# Author: Nick Hilliard <nick@foobar.org> -+# -+# -+ -+[Definition] -+ -+# Option: actionstart -+# Notes.: command executed once at the start of Fail2Ban. -+# Values: CMD -+# -+# we don't enable PF automatically, as it will be enabled elsewhere -+actionstart = -+ -+ -+# Option: actionstop -+# Notes.: command executed once at the end of Fail2Ban -+# Values: CMD -+# -+# we don't disable PF automatically either -+actionstop = -+ -+ -+# Option: actioncheck -+# Notes.: command executed once before each actionban command -+# Values: CMD -+# -+actioncheck = -+ -+ -+# Option: actionban -+# Notes.: command executed when banning an IP. Take care that the -+# command is executed with Fail2Ban user rights. -+# Tags: <ip> IP address -+# <failures> number of failures -+# <time> unix timestamp of the ban time -+# Values: CMD -+# -+actionban = /sbin/pfctl -t fail2ban -T add <ip>/32 -+ -+ -+# Option: actionunban -+# Notes.: command executed when unbanning an IP. Take care that the -+# command is executed with Fail2Ban user rights. -+# Tags: <ip> IP address -+# <failures> number of failures -+# <time> unix timestamp of the ban time -+# Values: CMD -+# -+# note -r option used to remove matching rule -+actionunban = /sbin/pfctl -t fail2ban -T delete <ip>/32 -+ -+[Init] --- patch.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
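Review bot: in the files/patch-bsd-ipfw.conf hunk, the old local patch being dropped was the only place that told the administrator which rule to create ("requires an ipfw rule like \"deny ip from table(1) to me\"" above actionban), and the new hunk comments out actionstart/actionstop without putting that hint back; with the automatic rule gone, a fresh install silently bans into a table nothing consults. Please keep a comment of that form above the actionban line (or say it in pkg-message) so the manual step is documented where the admin will look. Two smaller points: commenting out the [Init] defaults port, startstatefile, action and block is only safe because the two lines that consume <port>, <startstatefile>, <action> and <block> are commented out in the same hunk, so anyone re-enabling actionstart alone gets empty substitutions; and the upstream awk passes the chosen rule number back through the process exit status ("exit e <br> else exit b"; num=$?), which is truncated modulo 256, so the rule number fail2ban would pick is capped at 255 anyway, which supports the argument for leaving rule creation to the administrator (the <br> there is fail2ban's line-break tag, not a typo).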
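Review bot: removing files/patch-pf.conf wholesale assumes the pf.conf that now ships with 0.8.9 is a drop-in for the one the port has installed since 2010, but the deleted patch hardcodes the table name (pfctl -t fail2ban -T add <ip>/32) and existing /etc/pf.conf files on FreeBSD hosts carry a matching "table <fail2ban> persist" entry; please confirm the upstream file uses the same table name and add/delete syntax, and if anything differs, say so in the commit log or UPDATING so admins know to rename their table rather than discovering that bans no longer land anywhere.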
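Once actionstart no longer creates the ipfw rule, the administrator has to add it and should verify it is there before starting fail2ban. The pre-flight check below is an added example, not part of the PR or of fail2ban; it assumes the blocking rule has the shape "deny ip from table(N) to me", that the table and rule numbers are chosen by the admin, and that the `ipfw show` (or `ipfw list`) listing is fed on stdin so the logic can be exercised without root. The function names are made up for this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not fail2ban's or the port's code).
# Assumes the admin-maintained rule is "deny ip from table(N) to me" and
# that `ipfw show`/`ipfw list` output is supplied on stdin.

# Print the number of the first rule whose body references table($1).
# In `ipfw show` output a line looks like:
#   00100 3 180 deny ip from table(1) to me
# so $1 is the rule number and "table(1)" is a whole field, which lets us
# compare fields exactly (table(1) does not match table(10)).
table_rule_number() {
    awk -v pat="table($1)" '
        { for (i = 1; i <= NF; i++) if ($i == pat) { print $1; exit } }'
}

# Print the ipfw command the admin should put in the firewall script.
# $1 = rule number, $2 = table number.
admin_rule_cmd() {
    printf 'ipfw -q add %s deny ip from table(%s) to me\n' "$1" "$2"
}

# Return 0 when some rule already consults table $1; otherwise print the
# command that would create it as rule $2 and return 1.
fail2ban_ipfw_precheck() {
    num=$(table_rule_number "$1")
    if [ -n "$num" ]; then
        return 0
    fi
    echo "no ipfw rule references table($1); add it before starting fail2ban:" >&2
    admin_rule_cmd "$2" "$1" >&2
    return 1
}

# Usage on a live system (requires root):
#   ipfw show | fail2ban_ipfw_precheck 1 100 && service fail2ban start
```

The table number passed to the check must match the `table` value in the [Init] section of bsd-ipfw.conf (1 by default), otherwise the check passes against the wrong rule.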
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306121253.r5CCraRm081407>