
PF Communication between fail2ban and pf fails

Leonard

New Member


Messages: 3

#1
EDIT: the problem is solved

Hello,

I have used Debian for the last several years and I'm very new to FreeBSD.

I tried to port my fail2ban configuration from my Debian machines to FreeBSD (with the modifications needed because the firewall has changed).

In my testing phase I have found out that the recognition works as well as under Debian. My IP is marked in fail2ban's internal banlist (`fail2ban-client status ssh` shows my IP as "currently banned").
The problem is that I'm still not banned by pf. When I try to ban myself via `/sbin/pfctl -t fail2ban -T add <ip>` it works fine - pf adds me to my fail2ban table (connections are refused).
I don't understand why it won't work.

My /usr/local/etc/fail2ban/jail.local configuration is:
Code:
[DEFAULT]

ignoreip = 127.0.0.1/8

# if 10 failures per 6 hours then ban the IP for 24 hours - that seems legit to me, I am the only sysadmin who can access these systems
# in emergency cases I always have access to these machines via VNC over my host system
bantime  = 86400
findtime = 21600
maxretry = 10

backend = auto
usedns = warn

#banaction = iptables-multiport # ported from my debian configuration - inactive
protocol = tcp
chain = INPUT


# ported from my debian configuration - inactive
#action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
#protocol="%(protocol)s", chain="%(chain)s"]
#action = %(action_)s


actionban=/sbin/pfctl -t fail2ban -T add <ip>
actionunban=/sbin/pfctl -t fail2ban -T delete <ip>


[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
And my /etc/pf.conf is
Code:
# name of the network interface
ext_if="em0"

# allow only certain types of ICMP requests
#icmp_types = "{echoreq, unreach}"
icmp_types = "echoreq"

# block everything that comes in
block in all

# return connection refused to the client instead of letting it wait until the timeout (set by the client system)
block return

# enable IP spoofing protection for all interfaces
block in quick from urpf-failed

# apply blocking methods against IP spoofing for the network interface given above
antispoof log for $ext_if


# allow the server to call out, e.g. to fetch updates; it may call out anywhere with any protocol
# CHANGEME will be restricted further later
pass out keep state

# this is what a general allow rule looks like - here for ssh
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22

# inbound icmp allow rule
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state



# test section

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
block in quick on $ext_if from <blockedips> to any

table <fail2ban> persist
block in quick on $ext_if from <fail2ban> to any
My /etc/rc.conf is:
Code:
hostname="censored"
keymap="german.iso.kbd"
ifconfig_em0="inet censored netmask 0xfffffff0"
defaultrouter="censored"
ntpd_enable="YES"
dumpdev="AUTO"
#sshd_enable=TRUE #temporary disabled until the fail2ban firewall problem is solved
pf_enable="YES"
fail2ban_enable=TRUE
I'm sorry for my bad English (and the German comments... just ignore them!). :)


Thanks in advance!
 

Leonard

New Member


Messages: 3

#3
Set banaction to pf.
I have tried the sample configuration of /usr/local/etc/fail2ban/jail.local from
with the recommended banaction.

I have restarted the fail2ban service but I still have the same problem.
fail2ban tells me that I'm banned (via `fail2ban-client status sshd`), but `pfctl -t fail2ban -T show` shows me nothing and I'm still able to connect to the server.

My /usr/local/etc/fail2ban/action.d/pf.conf config is the following:
Code:
# Fail2Ban configuration file
#
# OpenBSD pf ban/unban
#
# Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
#
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# we don't enable PF automatically; to enable run pfctl -e
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
# also, these rulesets are loaded into (nested) anchors
# to enable them, add
#     anchor f2b {
#        anchor name1
#        anchor name2
#        ...
#     }
# to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
              echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-

# Option:  start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]`
actionstart_on_demand = false

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# we only disable PF rules we've installed prior
actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
             <pfctl> -t <tablename>-<name> -T flush
             <pfctl> -t <tablename>-<name> -T kill


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <pfctl> -sr | grep -q <tablename>-<name>


# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
#
actionban = <pfctl> -t <tablename>-<name> -T add <ip>


# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# note -r option used to remove matching rule
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>

# Option: pfctl
#
# Use anchor as jailname to manipulate affected rulesets only.
# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
#
#pfctl = pfctl -a f2b/<name>
pfctl = pfctl -a fail2ban

[Init]
# Option:  tablename
# Notes.:  The pf table name.
# Values:  [ STRING ]
#
#tablename = f2b
tablename = fail2ban

# Option: block
#
# The action you want pf to take.
# Probably, you want "block quick", but adjust as needed.
block = block quick

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
#
protocol = tcp

# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>

# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]"
allports = any

# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
multiport = any port {<port>}
For pfctl I have tried {"pfctl -a f2b/<name>" (default value! creepy but okay), "pfctl -a f2b", "pfctl -a fail2ban"} and for tablename {"f2b", "fail2ban"} - separately, one after another.


In my opinion the following lines are the interesting ones. Are they correct?
Code:
actionban = <pfctl> -t <tablename>-<name> -T add <ip>
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
#pfctl = pfctl -a f2b/<name>
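The stock action.d/pf.conf quoted above loads its block rule and its table with `<pfctl>`, i.e. `pfctl -a <anchor>`, so both end up inside a pf anchor named after the `pfctl` setting (with `<name>` replaced by the jail name) and the table is called `<tablename>-<name>`, not `fail2ban`. pf only evaluates an anchor that the main ruleset references with an `anchor` rule, and `pfctl -t ... -T show` without `-a` only looks at tables of the main ruleset. Neither the pf.conf in post #1 nor the settings in post #3 declare such an anchor, which is consistent with "status sshd" reporting a ban while `pfctl -t fail2ban -T show` stays empty (the actionban/actionunban keys in post #1's jail.local are options of an action definition file, not jail options, so they do not attach an action to the jail). The script below is an added example, not code from the thread or from fail2ban: it derives the anchor and table a jail will use from the `pfctl` and `tablename` settings, prints the pfctl command that actually lists the banned hosts, and checks whether a pf.conf text (read on stdin) declares the anchor. The jail name `sshd` and the rulesets in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or fail2ban). Derives the pf anchor and
# table that fail2ban's action.d/pf.conf uses for a jail and checks whether a
# pf.conf main ruleset references that anchor at all.

# f2b_anchor PFCTL_SETTING JAIL -> prints the anchor name, e.g. "f2b/sshd".
# PFCTL_SETTING is the value of "pfctl = ..." in action.d/pf.conf; the <name>
# tag is expanded to the jail name the same way fail2ban expands it.
f2b_anchor() {
    setting=$1
    jail=$2
    anchor=$(printf '%s\n' "$setting" | sed -n 's/.*-a[[:space:]]*\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "$anchor" | sed "s|<name>|$jail|g"
}

# f2b_table TABLENAME JAIL -> prints "<tablename>-<name>", e.g. "f2b-sshd".
f2b_table() {
    printf '%s-%s\n' "$1" "$2"
}

# f2b_show_cmd PFCTL_SETTING TABLENAME JAIL -> the pfctl command that lists
# the banned addresses. The table lives inside the anchor, so -a is required;
# "pfctl -t fail2ban -T show" without -a inspects the main ruleset only.
f2b_show_cmd() {
    a=$(f2b_anchor "$1" "$3")
    t=$(f2b_table "$2" "$3")
    printf 'pfctl -a %s -t %s -T show\n' "$a" "$t"
}

# pf_anchor_declared ANCHOR (pf.conf text on stdin) -> exit 0 if the main
# ruleset references ANCHOR: exactly ("anchor f2b/sshd"), by wildcard
# ('anchor "f2b/*"'), or as the nested block shown in the comments of
# action.d/pf.conf ("anchor f2b { anchor sshd ... }"). Comments are ignored.
pf_anchor_declared() {
    anchor=$1
    parent=${anchor%%/*}
    pattern="^[[:space:]]*anchor[[:space:]]+\"?(${anchor}|${parent}/\*|${parent}[[:space:]]*\{)\"?([[:space:]]|$)"
    sed 's/#.*//' | grep -Eq "$pattern"
}

# Demonstration on constructed rulesets (not the poster's files).
demo() {
    setting='pfctl -a f2b/<name>'   # the default from action.d/pf.conf
    anchor=$(f2b_anchor "$setting" sshd)
    echo "fail2ban loads the sshd jail's rules into anchor: $anchor"
    echo "list banned hosts with: $(f2b_show_cmd "$setting" f2b sshd)"

    # A main ruleset that only has a table of its own: the anchor is missing,
    # so pf never evaluates the block rule fail2ban installed.
    printf 'block in all\ntable <fail2ban> persist\nblock in quick from <fail2ban> to any\n' \
        | pf_anchor_declared "$anchor" \
        && echo "anchor $anchor declared" \
        || echo "anchor $anchor NOT declared: pf ignores the jail's rules"

    # The same ruleset with a wildcard anchor rule: fail2ban's rules are evaluated.
    printf 'block in all\nanchor "f2b/*"\ntable <fail2ban> persist\n' \
        | pf_anchor_declared "$anchor" \
        && echo "anchor $anchor declared" \
        || echo "anchor $anchor NOT declared"
}
demo
```

Running it prints the derived anchor and the `pfctl -a f2b/sshd -t f2b-sshd -T show` command, then reports "NOT declared" for the first constructed ruleset and "declared" for the second. With the post #3 settings (`pfctl = pfctl -a fail2ban`, `tablename = fail2ban`) the anchor is `fail2ban` and the table `fail2ban-sshd`, so the list command becomes `pfctl -a fail2ban -t fail2ban-sshd -T show`.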
 

T. Braun

New Member

Thanks: 2
Messages: 4

#5
Hi Leonard,

I'm seeing exactly the same problem - would you mind telling how you solved the problem on your side? Maybe I'm having the same error.

Regards,
Tobias
 