From: Cy Schubert
To: Cy Schubert
cc: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: Re: git: d0fcbc6c271f - main - security/py-fail2ban: Add ipfilter ippool action
In-reply-to: <202210041513.294FD2Tb059511@gitrepo.freebsd.org>
References: <202210041513.294FD2Tb059511@gitrepo.freebsd.org>
Date: Tue, 04 Oct 2022 14:02:58 -0700
Message-Id: <20221004210258.49400BB@slippy.cwsent.com>
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
In message <202210041513.294FD2Tb059511@gitrepo.freebsd.org>, Cy Schubert writes:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=d0fcbc6c271fe89343642260f36bb5842177f75d
>
> commit d0fcbc6c271fe89343642260f36bb5842177f75d
> Author: Cy Schubert
> AuthorDate: 2022-10-04 14:55:17 +0000
> Commit: Cy Schubert
> CommitDate: 2022-10-04 15:06:21 +0000
>
> security/py-fail2ban: Add ipfilter ippool action
>
> Rather than add a block rule for each banned IP, add a blanket block rule
> that references an ipfilter ippool named fail2ban. Maintain the IPs in
> the ippool reducing the need to search a large list of rules. An ipfilter
> tree pool is used.
> --- > security/py-fail2ban/Makefile | 2 +- > .../files/patch-config_action.d_ippool.conf | 58 ++++++++++++++++++++ > ++ > 2 files changed, 59 insertions(+), 1 deletion(-) > > diff --git a/security/py-fail2ban/Makefile b/security/py-fail2ban/Makefile > index f292316824ee..77cada9444c0 100644 > --- a/security/py-fail2ban/Makefile > +++ b/security/py-fail2ban/Makefile > @@ -1,6 +1,6 @@ > PORTNAME= fail2ban > DISTVERSION= 1.0.1 > -PORTREVISION= 1 > +PORTREVISION= 2 > CATEGORIES= security python > PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} > > diff --git a/security/py-fail2ban/files/patch-config_action.d_ippool.conf b/s > ecurity/py-fail2ban/files/patch-config_action.d_ippool.conf > new file mode 100644 > index 000000000000..74857fd6caac > --- /dev/null > +++ b/security/py-fail2ban/files/patch-config_action.d_ippool.conf
> @@ -0,0 +1,58 @@ > +--- config/action.d/ippool.conf.orig 2022-10-04 07:49:51.467484000 -0700 > ++++ config/action.d/ippool.conf 2022-10-04 07:49:54.523077000 -0700 > +@@ -0,0 +1,55 @@ > ++# Fail2Ban configuration file > ++# > ++# FreeBSD ipfilter (ippool command) ban/unban > ++# > ++# Author: Cy Schubert > ++# > ++# > ++ > ++[Definition] > ++ > ++# Option: actionstart > ++# Notes.: command executed on demand at the first ban (or at the start of > Fail2Ban if actionstart_on_demand is set to false). > ++# Values: CMD > ++# > ++# enable IPF if not already enabled and initialize fail2ban pool > ++actionstart = /sbin/ipf -E > ++ /sbin/ippool -A -t tree -m fail2ban > ++ echo block in log quick from pool/fail2ban to any | /sbin/ipf > -f - > ++ > ++# Option: actionstop > ++# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) > ++# Values: CMD > ++# > ++# don't disable IPF with "/sbin/ipf -D", there may be other filters in use > ++actionstop = echo block in log quick from pool/fail2ban to any | /sbin/ipf > -r -f - > ++ /sbin/ippool -R -t tree -m fail2ban > ++ > ++ > ++# Option: actioncheck > ++# Notes.: command executed once before each actionban command > ++# Values: CMD > ++# > ++actioncheck = > ++ > ++ > ++# Option: actionban > ++# Notes.: command executed when banning an IP. Take care that the > ++# command is executed with Fail2Ban user rights. > ++# Tags: See jail.conf(5) man page > ++# Values: CMD > ++# > ++actionban = ippool -a -t tree -m fail2ban /32 > ++ > ++ > ++# Option: actionunban > ++# Notes.: command executed when unbanning an IP. Take care that the > ++# command is executed with Fail2Ban user rights. 
> ++# Tags: See jail.conf(5) man page > ++# Values: CMD > ++# > ++# note -r option used to remove matching rule > ++# actionunban = ippool -r -t tree -m fail2ban /32 > ++ > ++[Init] > ++ >

Just as the other actions, like ipfilter, ipfw, pf, iptables, etc., placement of the rules the ippool action uses within the larger picture is as important as the rule itself. This of course cannot be done strictly through a dumb script. Ideally one would remove actionstop and actionstart, manually place a new rule before any other rules which allow general access to service, but after any "safety valve" rules -- you don't want to lock yourself out. This offers better protection in a custom environment. But in an environment which is entirely open, this default will work.

This will be pushed up to our upstream.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org
NTP:           Web:  https://nwtime.org

                        e^(i*pi)+1=0
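Review bot: the PORTREVISION bump from 1 to 2 in the Makefile hunk is correct for a package whose contents change, but the diffstat shows only two files touched and no pkg-plist change; if the port's plist enumerates the action.d files, action.d/ippool.conf needs an entry there too, or the new file will trip the plist check at package time.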
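Review bot: actionunban in the new ippool.conf hunk is commented out ("# actionunban = ippool -r -t tree -m fail2ban /32"), so an address that lands in the pool is never removed when its bantime expires; it only goes away when actionstop tears the pool down at jail stop. Either enable that line or document that bans last for the life of the jail. Three smaller points in the same hunk: actionban and actionunban end in a bare "/32" as quoted here (the <ip> tag may have been lost in transit, but check the committed file), and /32 is IPv4-only, so IPv6 bans would need a /128 form or a separate pool; actioncheck is empty, so if the ipfilter rule set is reloaded underneath Fail2Ban the "block in log quick from pool/fail2ban" rule vanishes and later ippool -a calls add addresses that nothing blocks, whereas an actioncheck that verifies the pool still exists would let Fail2Ban re-run actionstart; and actionstart uses /sbin/ipf and /sbin/ippool while actionban calls bare ippool, which depends on the PATH of the user Fail2Ban runs as.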
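An added placement check for the concern raised in the reply above (an example script written here, not code from the port or the commit): it lints a constructed ipf.rules text to confirm that the pool/fail2ban block rule lands after every "safety valve" rule and before the first general pass rule; the "# safety valve" comment marker it keys on is an assumed convention.

```shell
#!/bin/sh
# Constructed sample rule sets (not from the port). With "quick" rules ipfilter
# stops at the first match, so order decides whether a banned host is blocked
# before a general pass rule lets it in.
GOOD_RULES='# safety valve: never lock out the management host
pass in quick from 192.0.2.10/32 to any
# fail2ban: the rule the ippool action installs
block in log quick from pool/fail2ban to any
# general access to services
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 443 keep state'

# Same rules with the pool rule appended last: banned hosts already matched the
# quick pass rules for 22/443, so the block never fires.
BAD_RULES='# safety valve: never lock out the management host
pass in quick from 192.0.2.10/32 to any
# general access to services
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 443 keep state
# fail2ban: the rule the ippool action installs
block in log quick from pool/fail2ban to any'

# check_pool_placement RULES_TEXT
# Prints "ok" and returns 0 when the pool/fail2ban block rule sits after the
# last rule introduced by a "# safety valve" comment (assumed convention) and
# before the first general pass rule; otherwise prints the problem, returns 1.
check_pool_placement() {
    printf '%s\n' "$1" | awk '
        /^#.*safety valve/          { in_valve = 1; next }
        /^#/ || /^[[:space:]]*$/    { next }
        in_valve && /^pass/         { last_valve = NR; in_valve = 0; next }
        /from pool\/fail2ban/       { pool = NR; next }
        /^pass/ && !first_pass      { first_pass = NR }
        END {
            if (!pool)                           { print "missing pool/fail2ban rule"; exit 1 }
            if (last_valve && pool < last_valve) { print "pool rule before safety valve"; exit 1 }
            if (first_pass && first_pass < pool) { print "general pass rule before pool rule"; exit 1 }
            print "ok"
        }'
}

check_pool_placement "$GOOD_RULES"          # ok
check_pool_placement "$BAD_RULES" || true   # general pass rule before pool rule
```

Run it against the live file with `check_pool_placement "$(cat /etc/ipf.rules)"` after hand-placing the rule as the reply suggests; a non-zero exit is the signal that the order needs another look.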