NAME
blacklistd.conf — configuration file format for blacklistd
DESCRIPTION
The blacklistd.conf file contains configuration entries for blacklistd(8) in a
fashion similar to inetd.conf(5).

Only one entry per line is permitted. Every entry must have all fields
populated. Fields are separated by tabs or spaces. Comments are denoted by a
“#” at the beginning of a line.
There are two kinds of configuration lines, local and remote. By default,
configuration lines are local, i.e. the address specified refers to an address
on the local machine. To switch between local and remote configuration lines
you can specify the stanzas “[local]” and “[remote]”.
On local and remote lines “*” means use the default, or wildcard match. In
addition, on remote lines “=” means use the value from the matched local
configuration line.
The first four fields, location, type, proto, and owner, are used to match the
local or remote addresses, whereas the last three fields, name, nfail, and
disable, are used to modify the filtering action.
The first field denotes the location as an address, mask, and port. The syntax
for the location is:

    [<address>|<interface>][/<mask>][:<port>]

The address can be an IPv4 address in numeric format, an IPv6 address in
numeric format enclosed in square brackets, or an interface name. Mask
modifiers are not allowed on interfaces because interfaces can have multiple
addresses in different protocols where the mask has a different size. The mask
is always numeric, but the port can be either numeric or symbolic.
The second field is the socket type: stream, dgram, or numeric. The third field
is the protocol: tcp, udp, tcp6, udp6, or numeric. The fourth field is the
effective user (owner) of the daemon process reporting the event, either as a
username or a userid.
The rest of the fields control the behavior of the filter. The name field is
the name of the packet filter rule to be used. If the name starts with a “-”,
then the default rulename is prepended to the given name. If the name contains
a “/”, the remaining portion of the name is interpreted as the mask to be
applied to the address specified in the rule, causing a single rule violation
to block the entire subnet for the configured prefix.
The nfail field contains the number of failed attempts before access is
blocked, defaulting to “*” meaning never, and the last field, disable,
specifies the amount of time since the last access that the blocking rule
should be active, defaulting to “*” meaning forever. The default unit for
disable is seconds, but one can specify suffixes for different units, such as
“m” for minutes, “h” for hours and “d” for days.
Matching is done first by checking the local rules individually, in the order
of the most specific to the least specific. If a match is found, then the
remote rules are applied. The name, nfail, and disable fields can be altered by
the remote rule that matched.

The remote rules can be used for whitelisting specific addresses, changing the
mask size, the rule that the packet filter uses, the number of failed attempts,
or the block duration.
FILES
- /etc/blacklistd.conf    Configuration file.
EXAMPLES
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
[local]
# location type proto owner name nfail duration
bnx0:ssh * * * * 3 6h
[remote]
# Never block 1.2.3.4
1.2.3.4:ssh * * * * * *
# For addresses coming from 8.8.0.0/16 block class C networks instead of
# individual hosts, but keep the rest of the blocking parameters the same.
8.8.0.0/16:ssh * * * /24 = =
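As an added example, not part of this manual page or of blacklistd's own source, the following Python script parses the configuration format described in DESCRIPTION and applies the two-phase matching: the local lines are searched for the most specific match, then the remote lines, and the remote line's name, nfail and disable values override the local ones unless they are “=”. It embeds the EXAMPLES configuration above as its sample input. Several things are assumptions rather than taken from the daemon: the default rulename blacklistd, the small table standing in for /etc/services, the reading that a bare “/N” name keeps the matched local rule's name (which is what the 8.8.0.0/16 example wants), the specificity ordering used in match(), and the fact that only “*” is honoured as a wildcard in the four matching fields.

```python
"""Toy blacklistd.conf parser and matcher: an added example, not blacklistd's own code."""
import ipaddress
import re
from collections import namedtuple

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_SERVICES = {"ssh": 22, "smtp": 25, "http": 80}  # constructed stand-in for /etc/services
DEFAULT_RULE = "blacklistd"                      # assumed default rulename (see blacklistd -r)
Location = namedtuple("Location", "net iface port")  # net: ip_network or None; port None == any
Rule = namedtuple("Rule", "loc type proto owner name nfail disable")  # action fields kept raw

def parse_duration(text):
    """'*' is forever (None); a bare number is seconds; m/h/d suffixes scale it."""
    if text == "*":
        return None
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad duration {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]

def parse_location(text):
    """[<address>|<interface>][/<mask>][:<port>]; IPv6 literals must be bracketed."""
    m = re.fullmatch(r"(?:\[([0-9A-Fa-f:.]+)\]|([^\[/:\s]*))(?:/(\d+))?(?::([^\s:]+))?", text)
    if not m:
        raise ValueError(f"bad location {text!r}")
    host, mask, port = m.group(1) or m.group(2) or "", m.group(3), m.group(4)
    port = None if port in (None, "*") else int(port) if port.isdigit() else _SERVICES[port]
    if host in ("", "*"):
        return Location(None, None, port)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                # not numeric, so an interface name: masks are not allowed
        if mask:
            raise ValueError(f"mask modifier not allowed on interface {host!r}")
        return Location(None, host, port)
    prefix = int(mask) if mask else addr.max_prefixlen
    return Location(ipaddress.ip_network((str(addr), prefix), strict=False), None, port)

def loc_matches(loc, addr, iface, port):
    if loc.port not in (None, port):
        return False
    if loc.iface is not None:
        return loc.iface == iface
    return loc.net is None or ipaddress.ip_address(addr) in loc.net

def parse_name(text, inherited=None):
    """Split name[/mask]; '*' = default rule, '-x' = default prepended, bare '/N' inherits (assumed)."""
    name, _, mask = text.partition("/")
    name = DEFAULT_RULE + name if name.startswith("-") else name
    name = {"": inherited or DEFAULT_RULE, "*": DEFAULT_RULE}.get(name, name)
    return name, (int(mask) if mask else None)

def parse_config(text):
    """Return (local_rules, remote_rules); '[local]' and '[remote]' switch sections."""
    local, remote = [], []
    cur = local
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("[local]", "[remote]"):
            cur = local if line == "[local]" else remote
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(f)}")
        if f[6] != "=":
            parse_duration(f[6])      # reject a bad duration at load time, not when blocking
        cur.append(Rule(parse_location(f[0]), *f[1:]))
    return local, remote

def match(rules, addr, iface, port, type_, proto, uid):
    """Most specific match or None; the order (prefix, port, type, proto, owner) is an assumption."""
    wild = lambda want, got: want == "*" or want == str(got)
    hits = [r for r in rules if loc_matches(r.loc, addr, iface, port)
            and wild(r.type, type_) and wild(r.proto, proto) and wild(r.owner, uid)]
    key = lambda r: (r.loc.net.prefixlen if r.loc.net is not None else 0, r.loc.port is not None,
                     r.type != "*", r.proto != "*", r.owner != "*")
    return max(hits, key=key, default=None)

def effective(local, remote):
    """Local action overridden by the matched remote line; '=' keeps the local value."""
    name, mask = parse_name(local.name)
    if remote is not None and remote.name != "=":
        name, rmask = parse_name(remote.name, inherited=name)
        mask = rmask if rmask is not None else mask
    nfail = local.nfail if remote is None or remote.nfail == "=" else remote.nfail
    disable = local.disable if remote is None or remote.disable == "=" else remote.disable
    return {"name": name, "mask": mask, "nfail": None if nfail == "*" else int(nfail),
            "disable": parse_duration(disable)}   # nfail None: never block; disable None: forever

SAMPLE_CONF = """\
[local]
# location      type proto owner name nfail duration
bnx0:ssh        *    *     *     *    3     6h
[remote]
1.2.3.4:ssh     *    *     *     *    *     *
8.8.0.0/16:ssh  *    *     *     /24  =     =
"""
```

To evaluate one reported event, call parse_config(SAMPLE_CONF), then match() the local list against the local address, interface, port, type, protocol and owner of the reporting daemon, then match() the remote list against the peer address, and pass both results to effective(). With the sample configuration an ssh failure on bnx0 from 203.0.113.9 yields the local action (rule blacklistd, nfail 3, disable 21600 seconds), one from 1.2.3.4 yields nfail None, i.e. never block, and one from 8.8.4.4 keeps nfail and disable but gets mask 24, so the whole 8.8.4.0/24 is blocked. A location such as bnx0/24:ssh is rejected when the file is loaded, since masks are not permitted on interfaces.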
SEE ALSO
blacklistctl(8), blacklistd(8)
HISTORY
blacklistd.conf first appeared in NetBSD 7. FreeBSD support for blacklistd.conf
was implemented in FreeBSD 11.
AUTHORS
Christos Zoulas