BLOCKLISTD.CONF(5) | File Formats Manual | BLOCKLISTD.CONF(5) |
blocklistd.conf
—
configuration file format for blocklistd
The blocklistd.conf
file contains
configuration entries for
blocklistd(8) in a fashion
similar to inetd.conf(5).
Only one entry per line is permitted. Every entry must have all fields
populated. Each field can be separated by a tab or a space. Comments are
denoted by a “#” at the beginning of a line.
There are two kinds of configuration lines, [local] and [remote]. By default, configuration lines are [local], i.e. the address specified refers to the addresses on the local machine. To switch to between [local] and [remote] configuration lines you can specify the stanzas: “[local]” and “[remote]”.
On [local] and [remote] lines “*” means use the default, or wildcard match. In addition, for [remote] lines “=” means use the values from the matched [local] configuration line.
The first four fields, location, type, proto, and owner are used to match the [local] or [remote] addresses, whereas the last 3 fields name, nfail, and disable are used to modify the filtering action.
The first field denotes the location as an address, mask, and port. The syntax for the location is:
[<address>|<interface>][/<mask>][:<port>]
The address
can be an IPv4 address in
numeric format, an IPv6 address in numeric format and enclosed by square
brackets, or an interface name. Mask modifiers are not allowed on interfaces
because interfaces can have multiple addresses in different protocols where
the mask has a different size.
The mask
is always numeric, but the
port
can be either numeric or symbolic.
The second field is the socket type:
stream
, dgram
, or numeric.
The third field is the protocol:
tcp
, udp
,
tcp6
, udp6
, or numeric. The
fourth field is the effective user (owner) of the
daemon process reporting the event, either as a username or a userid.
The rest of the fields control the behavior of the filter.
The name field, is the name of the packet
filter rule to be used. If the name starts with a
hyphen (“-”), then the default rulename is prepended to the
given name. If the name
contains a
“/”, the remaining portion of the name is interpreted as the
mask to be applied to the address specified in the rule, causing a single
rule violation to block the entire subnet for the configured prefix.
The nfail field contains the number of failed attempts before access is blocked, defaulting to “*” meaning never, and the last field duration specifies the amount of time since the last access that the blocking rule should be active, defaulting to “*” meaning forever. The default unit for duration is seconds, but one can specify suffixes for different units, such as “m” for minutes “h” for hours and “d” for days.
Matching is done first by checking the [local] rules individually, in the order of the most specific to the least specific. If a match is found, then the matching [remote] rules are applied. The name, nfail, and duration fields can be altered by the [remote] rule that matched.
The [remote] rules can be used for allowing specific addresses, changing the mask size (via name), the rule that the packet filter uses (also via name), the number of failed attempts (via nfail), or the duration to block (via duration).
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration bnx0:ssh * * * * 3 6h [remote] # Never block 1.2.3.4 1.2.3.4:ssh * * * * * * # Never block the example IPv6 subnet either [2001:db8::]/32:ssh * * * * * * # For addresses coming from 8.8.0.0/16 block whole /24 networks instead # individual hosts, but keep the rest of the blocking parameters the same. 8.8.0.0/16:ssh * * * /24 = =
blocklistd.conf
first appeared in
NetBSD 7. FreeBSD support
for blocklistd.conf
was implemented in
FreeBSD 11.
Christos Zoulas
February 5, 2025 | NetBSD 10.99 |