fix/skills-pf-validate-cleanup #250

Merged
clawdie merged 2 commits from fix/skills-pf-validate-cleanup into main 2026-06-28 00:23:58 +02:00
Owner
No description provided.
clawdie added 2 commits 2026-06-28 00:23:29 +02:00
fail2ban-tailscale (new skill):
  Root cause: key negotiation triggers password-fallback, fail2ban bans IP
  Path A: PasswordAuthentication no — one line, zero maintenance
  Path B: Specific fleet IP whitelist — if passwords must stay on
  Path C: Both — production hardening
  Security: do NOT whitelist 100.64.0.0/10 (trusts every tailnet)
  FreeBSD PF equivalent: max-src-conn-rate + overload table
  Platform table: Linux fail2ban / FreeBSD PF / Mother PF

freebsd-admin (PF SSH rate limiting):
  max-src-conn-rate 5/60 + overload <ssh_brutes> table
  Manual operations: show, delete specific IP, flush
  Cross-reference to fail2ban-tailscale skill
  Rule placement guidance (block drop all last, pass out first)

Wiki-lint: 187 refs, 0 failures. Prettier 3.8.4: clean.
fix(skills): remove duplicate PF validate line in freebsd-admin SKILL
Some checks are pending
CI / rust (pull_request) Waiting to run
CI / markdown (pull_request) Waiting to run
CI / port (pull_request) Waiting to run
CI / agent-jail-pkgs (pull_request) Waiting to run
40f091135d
The PR added a 'validate PF before reload' bullet in the Controlplane
service ports subsection, but the original file already had one at the
end using the FreeBSD-native 'service pf reload'. Keep only the one
at the bottom — avoids confusing operators with two different reload
commands.

Sam & Claude
clawdie merged commit 9ac7d39d30 into main 2026-06-28 00:23:58 +02:00
clawdie deleted branch fix/skills-pf-validate-cleanup 2026-06-28 00:24:01 +02:00
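
A lint for the first commit's warning not to whitelist 100.64.0.0/10, added here as an example and not part of this PR or the repository: it reads fail2ban jail text and separates single-host `ignoreip` entries inside the tailnet range (Path B) from ranges that would exempt many tailnet addresses from banning. The function name, the /32 cut-off and the sample jail text are assumptions constructed for illustration.

```python
import configparser
import ipaddress
import re

# Range the commit message says must not be whitelisted as a whole.
TAILNET = ipaddress.ip_network("100.64.0.0/10")

def audit_ignoreip(jail_text):
    """Return (section, entry, verdict) for each ignoreip entry that overlaps TAILNET.

    verdict is "host" for a single address and "broad" for any wider range.
    """
    # Treat [DEFAULT] as an ordinary section so inherited values are not
    # reported twice; disable interpolation because fail2ban uses %(...)s.
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.read_string(jail_text)
    findings = []
    for section in cp.sections():
        value = cp[section].get("ignoreip", "")
        for entry in re.split(r"[\s,]+", value.strip()):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # hostname or empty token: not checked here
            if net.version != 4 or not net.overlaps(TAILNET):
                continue
            verdict = "host" if net.prefixlen == 32 else "broad"
            findings.append((section, entry, verdict))
    return findings

# Constructed sample, not taken from the repository.
SAMPLE = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 100.64.0.0/10

[sshd]
enabled = true
ignoreip = 127.0.0.1/8 100.101.102.103 100.99.0.0/16
"""

if __name__ == "__main__":
    for section, entry, verdict in audit_ignoreip(SAMPLE):
        note = "trusts a whole range of tailnet addresses" if verdict == "broad" else "single fleet host"
        print(f"[{section}] {entry}: {note}")
```
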
Reference: clawdie/colibri#250