NAME
blacklistd.conf
—
configuration file format for
blacklistd
DESCRIPTION
Theblacklistd.conf
files contains configuration lines
for blacklistd(8). It contains one entry per line, and is similar
to inetd.conf(5). There must be an entry for each field of the
configuration file, with entries for each field separated by a tab or a space.
Comments are denoted by a “#” at the beginning of a line.
There are two kinds of configuration lines, local and remote. By default, configuration lines are local, i.e. the address specified refers to the addresses on the local machine. To switch to between local and remote configuration lines you can specify the stanzas: “[local]” and “[remote]”.
On local and remote lines “*” means use the default, or wildcard match. In addition, for remote lines “=” means use the values from the matched local configuration line.
The first four fields, location, type, proto, and owner are used to match the local or remote addresses, whereas the last 3 fields name, nfail, and disable are used to modify the filtering action.
The first field denotes the location as an address, mask, and port. The syntax for the location is:
[<address>|<interface>][/<mask>][:<port>]
The address
can be an IPv4 address in
numeric format, an IPv6 address in numeric format and enclosed by square
brackets, or an interface name. Mask modifiers are not allowed on interfaces
because interfaces have multiple address in different protocols where the
mask has a different size.
The mask
is always numeric, but the
port
can be either numeric or symbolic.
The second field is the socket type:
stream
, dgram
, or numeric.
The third field is the prococol:
tcp
, udp
,
tcp6
, udp6
, or numeric. The
fourth file is the effective user (owner) of the
daemon process reporting the event, either as a username or a userid.
The rest of the fields are controlling the behavior of the filter.
The name field, is the name of the packet
filter rule to be used. If the name starts with a
“-”, then the default rulename is prepended to the given name.
If the name
contains a “/”, the
remaining portion of the name is interpreted as the mask to be applied to
the address specified in the rule, so one can block whole subnets for a
single rule violation.
The nfail field contains the number of failed attempts before access is blocked, defaulting to “*” meaning never, and the last field disable specifies the amount of time since the last access that the blocking rule should be active, defaulting to “*” meaning forever. The default unit for disable is seconds, but one can specify suffixes for different units, such as “m” for minutes “h” for hours and “d” for days.
Matching is done first by checking the local rules one by one, from the most specific to the least specific. If a match is found, then the remote rules are applied, and if a match is found the name, nfail, and disable fields can be altered by the remote rule that matched.
The remote rules can be used for whitelisting specific addresses, changing the mask size, or the rule that the packet filter uses, the number of failed attempts, or the blocked duration.
FILES
- /etc/blacklistd.conf
- Configuration file.
EXAMPLES
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration bnx0:ssh * * * * 3 6h [remote] # Never block 1.2.3.4 1.2.3.4:ssh * * * * * * # For addresses coming from 8.8.0.0/16 block class C networks instead # individual hosts, but keep the rest of the blocking parameters the same. 8.8.0.0/16:ssh * * * /24 = =
SEE ALSO
HISTORY
blacklistd.conf
first appeared in
NetBSD 7. FreeBSD support
for blacklistd.conf
was implemented in
FreeBSD 11.
AUTHORS
Christos Zoulas