fix/skills-pf-validate-cleanup #250

Merged
clawdie merged 2 commits from fix/skills-pf-validate-cleanup into main 2026-06-28 00:23:58 +02:00

2 commits

Author SHA1 Message Date
Sam & Claude
40f091135d fix(skills): remove duplicate PF validate line in freebsd-admin SKILL
The PR added a 'validate PF before reload' bullet in the Controlplane
service ports subsection, but the original file already had one at the
end using the FreeBSD-native 'service pf reload'. Keep only the one
at the bottom — avoids confusing operators with two different reload
commands.

Sam & Claude
2026-06-28 00:20:33 +02:00
43c43a4848 feat(skills): fail2ban-tailscale + freebsd-admin PF rate limiting
fail2ban-tailscale (new skill):
  Root cause: key negotiation triggers password-fallback, fail2ban bans IP
  Path A: PasswordAuthentication no — one line, zero maintenance
  Path B: Specific fleet IP whitelist — if passwords must stay on
  Path C: Both — production hardening
  Security: do NOT whitelist 100.64.0.0/10 (trusts every tailnet)
  FreeBSD PF equivalent: max-src-conn-rate + overload table
  Platform table: Linux fail2ban / FreeBSD PF / Mother PF

freebsd-admin (PF SSH rate limiting):
  max-src-conn-rate 5/60 + overload <ssh_brutes> table
  Manual operations: show, delete specific IP, flush
  Cross-reference to fail2ban-tailscale skill
  Rule placement guidance (block drop all last, pass out first)

Wiki-lint: 187 refs, 0 failures. Prettier 3.8.4: clean.
2026-06-28 00:15:44 +02:00
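The PF SSH rate limiting and the validate-before-reload step described in the two commits above, worked through as an added example. This is not the repository's own skill content: the interface name (vtnet0), the fleet addresses (constructed RFC 5737 examples), the helper names and the rule file path are assumptions for illustration. The placement guidance in the commit (pass out first, block drop all last) only works because PF is last-match-wins, so every rule that must beat the final block carries `quick`.

```shell
#!/bin/sh
# Added example, not the repository's skill text: FreeBSD PF SSH rate limiting
# with an overload table, the validate-before-reload step, and the manual table
# operations. The interface name (vtnet0), the fleet addresses and the helper
# names are assumptions for illustration.

PF_CONF="${PF_CONF:-/etc/pf.conf}"   # assumption: rules live in the default file
TABLE="ssh_brutes"

# Emit a pf.conf fragment. A source opening more than 5 new SSH connections in
# 60 seconds is added to <ssh_brutes> and its existing states are flushed.
pf_ssh_rules() {
    cat <<'EOF'
ext_if = "vtnet0"   # assumption: external interface

# Filled by the overload rule below; persist keeps the table across reloads
table <ssh_brutes> persist
# Fleet hosts exempt from the limiter: list specific addresses only.
# Never put the whole tailnet range (100.64.0.0/10) here; that trusts every node.
table <ssh_fleet> { 192.0.2.10, 192.0.2.11 }   # constructed RFC 5737 addresses

# pass out first. PF is last-match-wins, so every rule that must beat the
# final "block drop all" carries quick.
pass out quick on $ext_if keep state

# Banned sources are dropped before the SSH pass rules can match
block drop in quick on $ext_if from <ssh_brutes>

# Fleet hosts reach SSH without the limiter
pass in quick on $ext_if proto tcp from <ssh_fleet> to port ssh flags S/SA keep state

# Everyone else: 5 new connections per 60 s, then overload into the table
pass in quick on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_brutes> flush global)

# block drop all last
block drop all
EOF
}

# The fragment as pfctl parses it: comments and blank lines removed
pf_active_rules() {
    pf_ssh_rules | sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d'
}

# Placement check: first filter rule must be the pass out, last must be
# block drop all (the guidance from the commit message).
pf_rule_order_ok() {
    rules=$(pf_active_rules | grep -E '^(pass|block) ')
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$first" in "pass out "*) ;; *) return 1 ;; esac
    [ "$last" = "block drop all" ]
}

# Validate before reload: pfctl -n parses without loading. Reload only when
# the file is accepted, so a typo cannot leave the host without rules.
pf_validate_and_reload() {
    pfctl -nf "$PF_CONF" || { echo "$PF_CONF failed to parse; not reloading" >&2; return 1; }
    service pf reload
}

# Manual operations on the ban table
ssh_brutes_show()   { pfctl -t "$TABLE" -T show; }
ssh_brutes_delete() { pfctl -t "$TABLE" -T delete "$1"; }         # unban one address
ssh_brutes_flush()  { pfctl -t "$TABLE" -T flush; }               # unban everyone
ssh_brutes_expire() { pfctl -t "$TABLE" -T expire "${1:-86400}"; } # drop entries older than N s

# Typical use on the FreeBSD host (assumed workflow):
#   pf_ssh_rules >> "$PF_CONF" && pf_rule_order_ok && pf_validate_and_reload
#   ssh_brutes_show; ssh_brutes_delete 203.0.113.5; ssh_brutes_flush
```

Entries in `<ssh_brutes>` stay until removed, so pairing `ssh_brutes_expire` with a cron job gives the time-limited bans that fail2ban provides on Linux; `ssh_brutes_delete` is the manual unban for a fleet host that tripped the limiter, which is also the case for adding that host's specific address to `<ssh_fleet>` rather than widening the table to the whole tailnet.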