# Fail2Ban configuration file
#
# Author: Donald Yandt
#

[Init]

# Option:  name
# Notes    Default name of the chain
# Values:  STRING
name = default

# Option   port
# Notes    Can also use port numbers separated by a comma and in rich-rules comma and/or space.
# Value    STRING Default: 1:65535
port = 1:65535

# Option:  protocol
# Notes    [ tcp | udp | icmp | all ]
# Values:  STRING Default: tcp
protocol = tcp

# Option:  family(ipv4)
# Notes    specifies the socket address family type
# Values:  STRING  
family = ipv4

# Option:  chain
# Notes    specifies the firewalld chain to which the Fail2Ban rules should be
#          added
# Values:  STRING  Default: INPUT_direct
chain = INPUT_direct

# Option:  zone
# Notes    use command firewall-cmd --get-active-zones to see a list of all active zones. See firewalld man pages for more information on zones
# Values:  STRING  Default: public
zone = public

# Option:  service
# Notes    use command firewall-cmd --get-services to see a list of services available
#          Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 
#          freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 
#          kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 
#          postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 
#          telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
# Values:  STRING Default: ssh 
service = ssh

# Option:  rejecttype (ipv4)
# Notes    See iptables/firewalld man pages for ipv4 reject types. 
# Values:  STRING
rejecttype = icmp-port-unreachable

# Option:  blocktype (ipv4/ipv6)
# Notes    See iptables/firewalld man pages for jump targets. Common values are REJECT, 
#          REJECT --reject-with icmp-port-unreachable, DROP
# Values:  STRING
blocktype = REJECT --reject-with <rejecttype>

# Option:  rich-blocktype (ipv4/ipv6)
# Notes    See firewalld man pages for jump targets. Common values are reject, 
#          reject type="icmp-port-unreachable", drop
# Values:  STRING
rich-blocktype = reject type='<rejecttype>'

[Init?family=inet6]

# Option:  family(ipv6)
# Notes    specifies the socket address family type
# Values:  STRING  
family = ipv6

# Option:  rejecttype (ipv6)
# Note:    See iptables/firewalld man pages for ipv6 reject types. 
# Values:  STRING
rejecttype = icmp6-port-unreachable