BLACKLISTD(8) | System Manager's Manual | BLACKLISTD(8) |
blacklistd
—
blacklistd |
[-dfrv ] [-C
controlprog] [-c
configfile] [-D
dbfile] [-P
sockpathsfile] [-R
rulename] [-s
sockpath] [-t
timeout] |
blacklistd
is a daemon similar to
syslogd(8) that listens to
sockets at paths specified in the sockpathsfile for
notifications from other daemons about successful or failed connection
attempts. If no such file is specified, then it only listens to the socket
path specified by sockspath or if that is not specified
to /var/run/blacklistd.sock. Each notification
contains an (action, port, protocol, address, owner) tuple that identifies the
remote connection and the action. This tuple is consulted against entries in
configfile with syntax specified in
blacklistd.conf(5). If
an entry is matched, a state entry is created for that tuple. Each entry
contains a number of tries limit and a duration.
If the action is “add” and the number of tries limit is reached, then a control script controlprog is invoked with arguments:
control add <rulename> <proto> <address> <mask> <port>
and should invoke a packet filter command to block the connection
specified by the arguments. The rulename argument can
be set from the command line (default blacklistd
).
The script could print a numerical id to stdout as a handle for the rule
that can be used later to remove that connection, but that is not required
as all information to remove the rule is kept.
If the action is “remove” Then the same control script is invoked as:
control remove <rulename> <proto> <address> <mask> <port> <id>
where id is the number returned from the “add” action.
blacklistd
maintains a database of known
connections in dbfile. On startup it reads entries
from that file, and updates its internal state.
blacklistd
checks the list of active
entries every timeout seconds (default
15
) and removes entries and block rules using the
control program as necessary.
The following options are available:
-C
controlprogadd
,
rem
, or flush
to add,
remove or flush a firewall rule.tcp
, tcp6
,
udp
, udp6
.-c
configuration-D
dbfileblacklistd
stores its
state, usually /var/run/blacklistd.db.-d
blacklistd
disassociates itself from the
terminal unless the -d
flag is specified, in which
case it stays in the foreground.-f
control flush <rulename>
-P
sockspathsfileblacklistd
will create sockets to listen to. This
is useful for chrooted environments.-R
rulenameblacklistd
.-r
-s
sockpathblacklistd
listens to.-t
timeoutblacklistd
polls the state
file to update the rules.-v
blacklistd
to print diagnostic messages to
stdout
instead of
syslogd(8).blacklistd
first appeared in NetBSD
7. FreeBSD support for
blacklistd
was implemented in FreeBSD
11.
June 7, 2016 | NetBSD 9.4 |