Subversion Repositories configs

# Fail2Ban configuration file

#

# Author: Daniel Black

# Author: Cyril Jaquier

# Modified: Yaroslav O. Halchenko <debian@onerussian.com>

# 			made active on all ports from original iptables.conf

# Modified: Alexander Belykh <albel727@ngs.ru>

#                       adapted for nftables

#

# This is a included configuration file and includes the definitions for the nftables

# used in all nftables based actions by default.

#

# The user can override the defaults in nftables-common.local

[INCLUDES]

after = nftables-common.local

[Definition]

# Option:  nftables_mode

# Notes.:  additional expressions for nftables filter rule

# Values:  nftables expressions

#

nftables_mode = <protocol> dport \{ <port> \}

# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = <nftables> add set <nftables_family> <nftables_table> f2b-<name> \{ type <nftables_type>\; \}

              <nftables> insert rule <nftables_family> <nftables_table> <chain> %(nftables_mode)s ip saddr @f2b-<name> <blocktype>

_nft_list = <nftables> --handle --numeric list chain <nftables_family> <nftables_table> <chain>

_nft_get_handle_id = grep -m1 'ip saddr @f2b-<name> <blocktype> # handle' | grep -oe ' handle [0-9]*'

# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = HANDLE_ID=$(%(_nft_list)s | %(_nft_get_handle_id)s)

             <nftables> delete rule <nftables_family> <nftables_table> <chain> $HANDLE_ID

             <nftables> delete set <nftables_family> <nftables_table> f2b-<name>

# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = <nftables> list chain <nftables_family> <nftables_table> <chain> | grep -q '@f2b-<name>[ \t]'

# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionban = <nftables> add element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}

# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionunban = <nftables> delete element <nftables_family> <nftables_table> f2b-<name> \{ <ip> \}

[Init]

# Option:  nftables_type

# Notes.:  address type to work with

# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr

#

nftables_type = ipv4_addr

# Option:  nftables_family

# Notes.:  address family to work in

# Values:  [ip | ip6 | inet]  Default: inet

#

nftables_family = inet

# Option:  nftables_table

# Notes.:  table in the address family to work in

# Values:  STRING  Default: filter

#

nftables_table = filter

# Option:  chain

# Notes    specifies the nftables chain to which the Fail2Ban rules should be

#          added

# Values:  STRING  Default: input

chain = input

# Default name of the filtering set

#

name = default

# Option:  port

# Notes.:  specifies port to monitor

# Values:  [ NUM | STRING ]  Default:

#

port = ssh

# Option:  protocol

# Notes.:  internally used by config reader for interpolations.

# Values:  [ tcp | udp ] Default: tcp

#

protocol = tcp

# Option:  blocktype

# Note:    This is what the action does with rules. This can be any jump target

#          as per the nftables man page (section 8). Common values are drop

#          reject, reject with icmp type host-unreachable

# Values:  STRING

blocktype = reject

# Option:  nftables

# Notes.:  Actual command to be executed, including common to all calls options

# Values:  STRING

nftables = nft