[Bug 267658] security/py-fail2ban: Fix PF failing to be able to ban stuff using for example UDP

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 09 Nov 2022 04:52:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267658

            Bug ID: 267658
           Summary: security/py-fail2ban: Fix PF failing to be able to ban
                    stuff using for example UDP
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: cy@FreeBSD.org
          Reporter: vvelox@vvelox.net
             Flags: maintainer-feedback?(cy@FreeBSD.org)

Created attachment 237962
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237962&action=edit
git diff for adding the new patch file

pfctl -k <ip> never gets called, meaning the abusing IP can keep it up as long as
the state is active. For UDP, this is basically indefinite as long as they
keep the state active. For TCP protocols such as HTTPS2, this means that as long as the
connection is up, they can continue launching attacks against the server, as it
is a multiplexed connection, meaning more than a single request can be made for
a single TCP session.

As it currently stands, the implementation relies on luck or on the
assumption that most people are not using it for UDP and, when it comes to
TCP, that it is largely not being used for services with multiplexed connections.

The patch allows the old insecure behaviour to be kept, but makes it secure by
default. The old behaviour can be kept by adding no_kick=true. This is documented
in the config, along with an explanation of what the choice means either way.

Also, while there, document how to set multiple protocols for the protocol
setting.

-- 
You are receiving this mail because:
You are the assignee for the bug.
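To make the reported problem concrete, here is an illustrative fail2ban PF action file (an added example written for this page, not the port's patch from attachment 237962). The `no_kick` tag, the `f2b` table prefix, the `f2b/<name>` anchor (which assumes the main pf.conf contains `anchor "f2b/*"`) and the port value are assumptions for illustration.

```ini
# Illustrative fail2ban PF action (added example, not the attached patch).
# Tags defined under [Init] are substituted into the commands as <tag>;
# fail2ban hands each command to /bin/sh, so shell conditionals work.

[Definition]

# Create a persistent table inside our anchor and a rule that blocks the
# configured protocol(s) and port(s) from every address in that table.
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
              echo "block quick proto <protocol> from <<tablename>-<name>> to any port <port>" | <pfctl> -f-

actionstop = <pfctl> -Fr
             <pfctl> -t <tablename>-<name> -T kill

actioncheck = <pfctl> -t <tablename>-<name> -T show >/dev/null 2>&1

# Weak form: only adds the address to the table. PF states that already
# exist keep matching, so an open UDP flow or a multiplexed TCP session is
# never interrupted and the attacker keeps going until the state expires:
#   actionban = <pfctl> -t <tablename>-<name> -T add <ip>
#
# Hardened form: also kill every state whose source is the banned address,
# unless the operator explicitly opted into the old behaviour (no_kick=true).
actionban = <pfctl> -t <tablename>-<name> -T add <ip>
            if [ "<no_kick>" != "true" ]; then pfctl -k <ip>; fi

actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>

[Init]

# Assumed: all table/rule operations happen inside a per-jail anchor so the
# main ruleset is never replaced by pfctl -f-.
pfctl = pfctl -a f2b/<name>

# Table prefix; the jail name is appended so jails do not share a table.
tablename = f2b

# One protocol, or several in PF list syntax, e.g.  protocol = { tcp udp }
protocol = tcp

# Port(s) in PF syntax, e.g.  port = 22  or  port = { 80 443 }  (assumed value)
port = 22

# true keeps the old behaviour (table entry only, existing states stay alive).
# The secure default kills the banned address's states immediately.
no_kick = false
```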