Date: Tue, 4 Oct 2022 15:13:02 GMT
From: Cy Schubert <cy@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action
Message-ID: <202210041513.294FD2Tb059511@gitrepo.freebsd.org>
The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/ports/commit/?id=d0fcbc6c271fe89343642260f36bb5842177f75d commit d0fcbc6c271fe89343642260f36bb5842177f75d Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2022-10-04 14:55:17 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2022-10-04 15:06:21 +0000 security/py-fail2ban: Add ipfilter ippool action Rather than add a block rule for each banned IP, add a blanket block rule that references an ipfilter ippool named fail2ban. Maintain the IPs in the ippool reducing the need to search a large list of rules. An ipfilter tree pool is used. --- security/py-fail2ban/Makefile | 2 +- .../files/patch-config_action.d_ippool.conf | 58 ++++++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile index f292316824ee..77cada9444c0 100644 --- a/security/py-fail2ban/Makefile +++ b/security/py-fail2ban/Makefile @@ -1,6 +1,6 @@ PORTNAME= fail2ban DISTVERSION= 1.0.1 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security python PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} diff --git a/security/py-fail2ban/files/patch-config_action.d_ippool.conf b/security/py-fail2ban/files/patch-config_action.d_ippool.conf new file mode 100644 index 000000000000..74857fd6caac --- /dev/null +++ b/security/py-fail2ban/files/patch-config_action.d_ippool.conf 
@@ -0,0 +1,58 @@ +--- config/action.d/ippool.conf.orig 2022-10-04 07:49:51.467484000 -0700 ++++ config/action.d/ippool.conf 2022-10-04 07:49:54.523077000 -0700 +@@ -0,0 +1,55 @@ ++# Fail2Ban configuration file ++# ++# FreeBSD ipfilter (ippool command) ban/unban ++# ++# Author: Cy Schubert <cy@FreeBSD.org> ++# ++# ++ ++[Definition] ++ ++# Option: actionstart ++# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). ++# Values: CMD ++# ++# enable IPF if not already enabled and initialize fail2ban pool ++actionstart = /sbin/ipf -E ++ /sbin/ippool -A -t tree -m fail2ban ++ echo block in log quick from pool/fail2ban to any | /sbin/ipf -f - ++ ++# Option: actionstop ++# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) ++# Values: CMD ++# ++# don't disable IPF with "/sbin/ipf -D", there may be other filters in use ++actionstop = echo block in log quick from pool/fail2ban to any | /sbin/ipf -r -f - ++ /sbin/ippool -R -t tree -m fail2ban ++ ++ ++# Option: actioncheck ++# Notes.: command executed once before each actionban command ++# Values: CMD ++# ++actioncheck = ++ ++ ++# Option: actionban ++# Notes.: command executed when banning an IP. Take care that the ++# command is executed with Fail2Ban user rights. ++# Tags: See jail.conf(5) man page ++# Values: CMD ++# ++actionban = ippool -a -t tree -m fail2ban <ip>/32 ++ ++ ++# Option: actionunban ++# Notes.: command executed when unbanning an IP. Take care that the ++# command is executed with Fail2Ban user rights. ++# Tags: See jail.conf(5) man page ++# Values: CMD ++# ++# note -r option used to remove matching rule ++# actionunban = ippool -r -t tree -m fail2ban <ip>/32 ++ ++[Init] ++
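Review bot: actionunban is left commented out in the ippool.conf hunk, so an address added by actionban is never taken out of the pool when its bantime expires; it stays blocked until the jail stops and actionstop destroys the whole pool, which defeats the point of a timed ban. Uncomment the line already present, `actionunban = ippool -r -t tree -m fail2ban <ip>/32`, and reword the comment above it, since `ippool -r` removes a pool entry rather than a rule.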
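Review bot: actionban and actionunban call a bare `ippool` while actionstart and actionstop use `/sbin/ippool`; fail2ban executes actions through a shell whose PATH is not guaranteed to include /sbin, so use the absolute path in all four. Please also check the address argument against ippool(8): in the synopsis I know, the `-a` and `-r` forms take the address through `-i <ipaddr>[/<netmask>]`, in which case `ippool -a -t tree -m fail2ban <ip>/32` would not parse, the pool would stay empty and fail2ban would still report the ban as applied; if so the line should read `/sbin/ippool -a -t tree -m fail2ban -i <ip>/32`. Since actioncheck is empty, a `/sbin/ippool -l -t tree -m fail2ban` after a test ban is the quickest way to confirm the entry actually landed.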
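Review bot: `<ip>/32` in actionban hardcodes an IPv4 host mask, but fail2ban 1.0 delivers IPv6 addresses through the same `<ip>` tag, and `/32` applied to an IPv6 address covers a large range instead of one host. Either say in the file header that this action is IPv4-only, or use fail2ban's per-family overrides: define a tag such as `mask = 32` in `[Init]`, override it with `mask = 128` in an `[Init?family=inet6]` section, and write `<ip>/<mask>` in actionban and actionunban.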
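Review bot: the pool and the blanket rule are both keyed on the fixed name `fail2ban`, so every jail that uses this action shares them; the first jail to stop runs actionstop, which removes the block rule and destroys the pool under the other jails, and a second jail starting re-runs actionstart and appends a duplicate `block in log quick from pool/fail2ban to any` rule. Keying on the jail name, `-m f2b-<name>` for the ippool calls and `from pool/f2b-<name>` in the rule, in actionstart, actionstop, actionban and actionunban keeps each jail's state independent.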
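Review bot: the new action file is created as a patch against a nonexistent `config/action.d/ippool.conf.orig`; the Porter's Handbook guidance is to add new files to `files/` as plain files (here `files/ippool.conf`) and copy them into `${WRKSRC}/config/action.d/` from a post-patch target rather than synthesise them with a patch, which also keeps the file readable and diffable in the ports tree.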