BLOCKLISTCTL(8) System Manager's Manual BLOCKLISTCTL(8)

blocklistctldisplay and change the state of the blocklistd database

blocklistctl dump [-abdnrw] [-D dbname]

blocklistctl is a program used to display and change the state of the blocklistd(8) database. The following sub-commands are supported:

The following options are available for the dump sub-command:

Show all database entries, by default it shows only the active ones. Inactive entries will be shown with a last-access (or, with -r, the remaining) time of ‘never’.
Show only the blocked entries.
dbname
Specify the location of the blocklistd database file to use. The default is /var/db/blocklistd.db.
Increase debugging level.
Don't display a header.
Show the remaining blocked time instead of the last activity time.
Normally the width of addresses is good for IPv4, the -w flag, makes the display wide enough for IPv6 addresses.

The output of the dump sub-command consists of a header (unless -n was given) and one line for each record in the database, where each line has the following columns:

address/ma:port
The remote address, mask, and local port number of the client connection associated with the database entry.
id
column will show the identifier for the packet filter rule associated with the database entry, though this may only be the word ‘OK’ for packet filters which do not creat a unique identifier for each rule.
nfail
The number of reported for the client on the noted port, as well as the number of failures allowed before blocking (or, with -a, an asterisk ⟨*⟩)
‘last access’ | ‘remaining time’
The last time a the client was reported as attempting access, or, with -r, the time remaining before the rule blocking the client will be removed.

blocklistd(8)

Sometimes the reported number of failed attempts can exceed the number of attempts that blocklistd(8) is configured to block. This can happen either because the rule has been removed manually, or because there were more attempts in flight while the rule block was being added. This condition is normal; in that case blocklistd(8) will first attempt to remove the existing rule, and then it will re-add it to make sure that there is only one rule active.

blocklistctl first appeared in NetBSD 7. FreeBSD support for blocklistctl was implemented in FreeBSD 11.

Christos Zoulas

January 27, 2025 NetBSD 10.99