diff --git a/config/action.d/pf.conf b/config/action.d/pf.conf
index 933b4de014..e5a5d7652f 100644
--- a/config/action.d/pf.conf
+++ b/config/action.d/pf.conf
@@ -4,8 +4,44 @@
Author: Nick Hilliard [email protected]
Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
+# Further modified by: Zane C. Bowers-Hadley [email protected] to make it kill states for a IP so the
+# ban takes affect as well as not handling multiple protocols.
+
+# WARNING WARNING WARNING WARNING WARNING
+# WARNING WARNING WARNING WARNING WARNING
+# WARNING WARNING WARNING WARNING WARNING
+#
+# This will kill any state for a banned IP. This will ensure the ban actually takes affect.
+# This is need as pf has both the strenght and weakness that changes won't affect current
+# states till it is forced to, but unfortunately the only way to make that take affect is
+# to kil them.
+#
+# If some one wishes to fix that, this will requiring writing a tool to grab the session
+# id for the item in question from 'pfctl -s state -vv'.
+#
+# This is especially important for stateless procols such as UDP as well as TCP protocols
+# that are capable of processing multiple requests in a single session, such as HTTP2.
+#
+# If you wish to disable this, you need to set no_kill=true with an action.
+#
+# Example..
+# [dovecot]
+# enabled = true
+# filter = dovecot
+# action = pf[actiontype=,no_kill="true"]
+# The above will mean if some one hits the limit for dovecot, it won't automatically kill their
+# active states, such as maybe SSH.
+#
+# Where would be doing this be bad? Lets say you have a service using UDP. The attacker can keep it
+# up indefinitely as long they don't let up as UDP is stateless. Similarly with HTTP2, a attacker
+# can keep it going till the web server kills or they finish doing what ever they are doing. This is
+# especially true for a rule that triggers based on attempted data exfiltration.
+#
+# Basially you have the choice of maybe a potetional moment annoyance of having to restart a SSH
+# session or the like or potiential compromise as the pf table change was never allowed to take affect
+# as the states for that IP were never cleared.
[Definition]
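Review bot: the new header line "ban takes affect as well as not handling multiple protocols." states the opposite of what the protocol hunk below enables; it should read "handling multiple protocols". While here, fix the typos ("takes affect" is "takes effect" throughout, plus "strenght", "kil", "procols", "Basially", "potetional", "potiential", "what ever") and consider replacing the three WARNING lines with one sentence stating the default behaviour (states for the banned address are killed unless `no_kill=true` is passed). In the example, `action = pf[actiontype=,no_kill="true"]` as rendered has an empty `actiontype=` value; show a value this file actually defines, such as `multiport`, so nobody copies a broken jail line.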
@@ -13,7 +49,7 @@
Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
Values: CMD
-# we don't enable PF automatically; to enable run pfctl -e
+# we don't enable PF automatically; to enable run pfctl -e
or add
pf_enable="YES"
to /etc/rc.conf (tested on FreeBSD)also, these rulesets are loaded into (nested) anchors
to enable them, add as wildcard:
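Review bot: the `-`/`+` pair `# we don't enable PF automatically; to enable run pfctl -e` is identical in content, so this is a whitespace-only change (most likely trailing whitespace); drop it from the patch so the diff carries only the functional change, or move it to a separate cleanup commit.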
@@ -66,8 +102,7 @@ actioncheck = -sr | grep -q -
unix timestamp of the ban time
Values: CMD
-actionban = -t - -T add
+actionban = -t - -T add ; if [ "<no_kill>" != "true" ]; then pfctl -k ; fi
Option: actionunban
Notes.: command executed when unbanning an IP. Take care that the
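Review bot: `pfctl -k ;` in the new actionban line has no host argument as rendered here; `pfctl -k` needs the banned address (the same `<ip>` tag the `-T add` uses), otherwise every ban ends in a usage error. Two further points on the kill itself: a single `-k host` only removes states whose source is that host, so for the outbound/exfiltration case the header describes, states where the banned address is the destination survive unless a second form such as `pfctl -k 0.0.0.0/0 -k <ip>` (and `::/0` for IPv6) is added; and joining with `;` runs the kill even when the table add failed, so `&&` is the safer join. A short comment that the kill is intentionally independent of `<protocol>` would also help the next reader.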
@@ -84,7 +119,7 @@ actionunban = -t - -T delete
Use anchor as jailname to manipulate affected rulesets only.
If more parameter expected it can be extended with
pf[pfctl="<known/pfctl> ..."]
-#
+#
pfctl = pfctl -a f2b/
[Init]
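Review bot: as in the actionstart hunk, the `-#`/`+#` pair differs only in whitespace; leave this line out of the patch.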
@@ -104,6 +139,10 @@ block = block quick
Notes.: internally used by config reader for interpolations.
Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
+# If set to "{ tcp, udp, icmp, ipv6-icmp }", all protocols will be
+# taken care of. Similarly combination of protocols may be handled
+# in a similar manner.
+#
protocol = tcp
Option: actiontype
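Review bot: `[Init]` gains the protocol comment but no default for the `no_kill` tag that actionban now interpolates; add `no_kill = false` here so `<no_kill>` always resolves to a defined value instead of relying on every jail to pass it. The comment's second sentence ("Similarly combination of protocols may be handled in a similar manner") repeats itself; fold it into the first, e.g. `# Any pf list is accepted, e.g. "{ tcp, udp }" or "{ tcp, udp, icmp, ipv6-icmp }" for all protocols.`, and update the `Values:` line above, which still lists single alternatives only.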
@@ -121,4 +160,3 @@ allports = any
Notes.: addition to block access only to specific ports
Usage.: use in jail config: "banaction = pf[actiontype=]"
multiport = any port $port
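Review bot: the header `@@ -121,4 +160,3 @@` says this hunk drops one line, but no `-` line is visible in the rendering; if the deletion is the file's trailing blank line, confirm the file still ends with a newline so git does not flag "No newline at end of file". Nothing functional changes here, so this hunk could be left out of the patch as well.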