Solved PF permission for table file

Hello,

I have the following line in my /etc/pf.conf file
Code:
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"

At the server console, I can see lots of failed logins for ssh, but the fail2ban.pftable file is blank...

Could you please tell me if the following file permissions are correct?
Code:
drwxr-xr-x  2 root  wheel  5 Jan  1 20:58 pf-files/
-rw-r--r--    1 root  wheel  0 Jan  1 19:42 fail2ban.pftable

Thank you
Fred
 
Contrary to what you might think, the table is only read from the file /etc/pf-files/fail2ban.pftable. Nothing is ever written to it.
 
Ha, I see...

So if I understood the above correctly, the problem is with fail2ban not writing to the file and not PF.

Is that correct?
 
I don't think fail2ban actually writes to any file (besides its own logging). As far as I know it simply adds IP addresses to the table dynamically (pfctl -Tadd -t tablename 1.2.3.4), and the table needs to have a specific name. But it's been a while since I last used it.

Check with pfctl -Tshow -t BLOCKTEMP and check if fail2ban actually expects the table to be named "BLOCKTEMP".
 
Hi junovitch@
So from what you said, having the /etc/pf-files/fail2ban.pftable file is pointless. Is that right?
How do I tell fail2ban that the pf table to write to is called BLOCKTEMP?
 
OK, I have done more reading on this and I still have 2 questions, if you don't mind me asking.
1: When I rename jail.conf to jail.local, do I only write what I want to overwrite?
For example, if my jail.local ONLY has
Code:
[DEFAULT]
backend         = auto
bantime         = -1  ; permanent ban
findtime        = 604800  ; 1 week aggregation
maxretry        = 5
destemail       = webmaster@me.com
ignoreip        = 127.0.0.1/8 88.31.34.173 253.186.159.254
logtargets      = /var/log/fail2ban.log
Will it still load the other stuff from the jail.conf, e.g.:
Code:
#
# HTTP servers
#

[apache-auth]

port     = http,https
logpath  = %(apache_error_log)s


[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 172800
maxretry = 1
Or will these settings be lost?

2: When you restart the fail2ban service, fail2ban clears the chain for the filter and parses the current log for matches, not the rotated logs. So you don't ban any IPs that were banned before logrotate rotated the old log.

Will adding the following solve this problem?
/actions.d/pf.local
Code:
actionban = /sbin/pfctl -t fail2ban -T add <ip>/32 && /sbin/pfctl -k <ip> && echo <ip> >> /etc/pf-files/fail2ban.pftable
 
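An added example, not posted by anyone in this thread, of what the persistence half of that actionban needs to do safely: a small POSIX sh helper that appends a banned address to the pf table file only once, and only if it is a plain dotted-quad, so the file stays in the one-address-per-line format that pf.conf's `table ... file` directive reads back on the next `pfctl -f /etc/pf.conf`. The function names, the `PFTABLE_FILE` variable and the sample addresses in the usage call are assumptions made for this example; the default path is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent persistence helper for a
# pf table file in the one-address-per-line format that pf.conf's
# `table <name> file "..."` directive loads.  PFTABLE_FILE, is_ipv4,
# persist_ban and count_entries are names chosen for this example.

PFTABLE_FILE="${PFTABLE_FILE:-/etc/pf-files/fail2ban.pftable}"

# is_ipv4 ADDR: returns 0 if ADDR is a dotted-quad with each octet 0-255,
# else 1.  An action's <ip> comes from log parsing, so validate before
# writing it into a file that pf parses with root privileges.
is_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# persist_ban ADDR [FILE]: append ADDR to FILE unless it is already there.
# Returns 0 when written or already present, 1 for an invalid address.
persist_ban() {
    addr="$1"; file="${2:-$PFTABLE_FILE}"
    is_ipv4 "$addr" || return 1
    touch "$file"
    grep -qxF "$addr" "$file" && return 0
    printf '%s\n' "$addr" >> "$file"
}

# count_entries FILE: number of address lines pf would load, i.e. lines
# that are neither blank nor '#' comments.
count_entries() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed usage against a scratch file (the real file needs root).
demo_file=$(mktemp)
persist_ban 203.0.113.7 "$demo_file"
persist_ban 203.0.113.7 "$demo_file"      # duplicate: no second line
persist_ban 198.51.100.9 "$demo_file"
persist_ban "203.0.113.999" "$demo_file" || echo "rejected: bad octet"
persist_ban "10.0.0.1 foo" "$demo_file"   || echo "rejected: not an address"
echo "entries in $demo_file: $(count_entries "$demo_file")"
rm -f "$demo_file"
```

Calling something like persist_ban from actionban instead of a bare `echo >>` avoids the duplicate lines an unconditional append produces when the same host is banned repeatedly, and the format check keeps anything other than an address out of the file. As the earlier reply notes, pf only reads that file on load, so the persisted entries come back after a reboot or a `pfctl -f` reload, but they are not in the live table until then.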
I've marked the post as resolved as it is no longer a pf(4) issue.
I'll open a new thread on the correct part of the forum.
 