Date: Tue, 17 Oct 2017 14:47:34 +0200
From: Tommy Scheunemann
To: "Alex V. Petrov"
cc: theis@gmx.at, ports@FreeBSD.org
Subject: Re: FreeBSD Port: py27-fail2ban-0.10.1

Hi,

a simple setup that does the job for me:

In /etc/pf.conf (bge0 is my external interface)

--- SNIP ---
int_ext="bge0"
...
table <badhosts>
...
block in quick on $int_ext from <badhosts> to any
...
--- SNIP ---

And in ${PREFIX}/fail2ban/action.d defining a new "pf" action, e.g. pf.conf

--- SNIP ---
[Definition]
actionban = /usr/local/bin/drop_ban <ip>
actionunban = /usr/local/bin/drop_unban <ip>
actioncheck =
actionstart =
actionstop =

[Init]
--- SNIP ---

And the "drop_ban" and "drop_unban" scripts:

for ban:

--- SNIP ---
#!/bin/sh
# Add the address passed by fail2ban to the pf table
IP=$1
/sbin/pfctl -t badhosts -T add "$IP"
--- SNIP ---

for unban:

--- SNIP ---
#!/bin/sh
# Remove the address passed by fail2ban from the pf table
IP=$1
/sbin/pfctl -t badhosts -T del "$IP"
--- SNIP ---

I'm using scripts instead of directly using actionban / actionunban to do
some additional things like running a tcpdrop, having some better logging.

Once done with all this, you can use "action = pf" in your jail.conf file.

Apart from this, I'd highly recommend putting all this into some
configuration system (Ansible, Puppet, Cfengine etc.).
Updating the package / port will overwrite your local changes!

Have fun & good luck

On Tue, 17 Oct 2017, Alex V. Petrov wrote:

> Need a working sample for the new version of the port for pf.
>
> -----
> Alex.
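
The message above says the wrapper scripts exist to do "additional things" beyond the bare pfctl call. The following is an added example, not code from the original message: a single wrapper (hypothetical name drop_pf) that validates the address handed over by fail2ban before it reaches pfctl, logs the outcome, and on a ban kills existing states with "pfctl -k", which stands in here for the tcpdrop step the message mentions. The PFCTL and TABLE override variables and the exit codes are assumptions of this example.

```sh
#!/bin/sh
# drop_pf (hypothetical name): one wrapper for both fail2ban actions, e.g.
#   actionban   = /usr/local/bin/drop_pf add <ip>
#   actionunban = /usr/local/bin/drop_pf del <ip>
PFCTL="${PFCTL:-/sbin/pfctl}"   # overridable so the logic can be exercised without pf
TABLE="${TABLE:-badhosts}"      # table name from the message

# Succeed only for a strict dotted-quad IPv4 address or an IPv6-looking literal.
is_valid_ip() {
    case "$1" in
        ''|-*|*.|*[!0-9A-Fa-f:.]*) return 1 ;;  # empty, option-like, trailing dot, stray chars
        *:*) return 0 ;;                        # IPv6: charset checked, pfctl parses the rest
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split into octets (no glob chars can remain)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*|????*|0?*) return 1 ;;  # empty, non-decimal, too long, leading zero
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Add or delete one address in the table; on a ban also kill its existing states.
pf_table_update() {
    action=$1; ip=$2
    case "$action" in
        add|del) ;;
        *) echo "usage: drop_pf add|del ADDRESS" >&2; return 64 ;;
    esac
    if ! is_valid_ip "$ip"; then
        # Do not log the raw value: it was extracted from a log line an attacker can influence.
        logger -t drop_pf -p auth.warning "refused $action: invalid address" 2>/dev/null || true
        return 65
    fi
    "$PFCTL" -t "$TABLE" -T "$action" "$ip" || return 1
    if [ "$action" = add ]; then
        "$PFCTL" -k "$ip" || true   # cut established connections from the banned host
    fi
    logger -t drop_pf -p auth.notice "$action $ip table=$TABLE" 2>/dev/null || true
}

# Run only when called with arguments, so the file can also be sourced.
[ "$#" -eq 0 ] || pf_table_update "$@"
```
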