.\" $NetBSD: blacklistd.8,v 1.14 2015/06/04 16:11:48 wiz Exp $
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Christos Zoulas.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.Nd block and release ports on demand to avoid DoS abuse
.Op Fl C Ar controlprog
.Op Fl c Ar configfile
.Op Fl P Ar sockpathsfile
is a daemon similar to
that listens to sockets at paths specified in the
for notifications from other daemons about successful or failed connection
If no such file is specified, then it only listens to the socket path
or if that is not specified to
Each notification contains an (action, port, protocol, address, owner) tuple
that identifies the remote connection and the action.
This tuple is consulted against entries in
with syntax specified in
.Xr blacklistd.conf 5 .
If an entry is matched, a state entry is created for that tuple.
Each entry contains a number of tries limit and a duration.
and the number of tries limit is reached, then a
is invoked with arguments:
.Bd -literal -offset indent
control add <rulename> <proto> <address> <mask> <port>
and should invoke a packet filter command to block the connection
specified by the arguments.
argument can be set from the command line (default
The script could print a numerical id to stdout as a handle for
the rule that can be used later to remove that connection, but
that is not required as all information to remove the rule is
Then the same control script is invoked as:
.Bd -literal -offset indent
control remove <rulename> <proto> <address> <mask> <port> <id>
is the number returned from the
maintains a database of known connections in
On startup it reads entries from that file, and updates its internal state.
checks the list of active entries every
and removes entries and block rules using the control program as necessary.
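The add/remove/flush control protocol described above, and the argument list documented under the -C option, as an added example that is not part of this manual page or of NetBSD's own /libexec/blacklistd-helper. It assumes pf(4) tables named after the rule as the packet filter and a DRYRUN environment variable (an assumption, not a blacklistd feature) that prints the pfctl command instead of executing it.

```shell
#!/bin/sh
# Constructed stand-in for a blacklistd(8) control program (added example, not
# NetBSD's /libexec/blacklistd-helper). It implements the add/remove/flush
# calls described in the manual, whitelists every argument before it reaches a
# command line, and maps each tuple onto a pf(4) table named after the rule.
# Set DRYRUN=1 to print the pfctl command instead of executing it.

run() { if [ -n "${DRYRUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Validate by whitelist (rejects spaces, ';', newlines, ...) and then by shape.
valid_name() { case $1 in ""|*[!A-Za-z0-9_-]*) return 1;; esac; }
valid_num()  { case $1 in ""|*[!0-9]*) return 1;; esac; }
valid_addr() {
    case $1 in ""|*[!0-9A-Fa-f:.]*) return 1;; esac
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)$'
}

# control <action> <rulename> <proto> <address> <mask> <port> [<id>]
control() {
    action=$1 rulename=$2 proto=$3 addr=$4 mask=$5 port=$6
    valid_name "$rulename" || { echo "bad rulename" >&2; return 1; }
    case $proto in ""|tcp|udp) ;; *) echo "bad proto" >&2; return 1;; esac
    case $action in
    add|remove)
        # A notifier-supplied address that fails here never reaches pfctl.
        valid_addr "$addr" && valid_num "$mask" && [ "$mask" -le 128 ] ||
            { echo "bad address/mask" >&2; return 1; }
        [ -z "$port" ] || valid_num "$port" || { echo "bad port" >&2; return 1; }
        ;;
    esac
    case $action in
    add)
        # pf tables carry no rule ids, so the handle returned on stdout is just
        # the entry itself; blacklistd passes it back as <id>, but remove below
        # does not need it because address and mask are supplied again.
        run pfctl -a "$rulename" -t "$rulename" -T add "$addr/$mask" >/dev/null &&
            echo "$addr/$mask"
        ;;
    remove) run pfctl -a "$rulename" -t "$rulename" -T delete "$addr/$mask" ;;
    flush)  run pfctl -a "$rulename" -t "$rulename" -T flush ;;
    *) echo "usage: control add|remove|flush rulename proto addr mask port [id]" >&2
       return 1 ;;
    esac
}

if [ $# -gt 0 ]; then control "$@"; fi
```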
The following options are available:
.Bl -tag -width indent
.It Fl C Ar controlprog
to communicate with the packet filter, usually
.Pa /libexec/blacklistd-helper .
The following arguments are passed to the control program:
.Bl -tag -width protocol
The action to perform:
to add, remove or flush a firewall rule.
The optional protocol name (can be empty):
The IPv4 or IPv6 numeric address to be blocked or released.
The numeric mask to be applied to the blocked or released address
The optional numeric port to be blocked (can be empty).
For packet filters that support removal of rules by rule identifier, the
identifier of the rule to be removed.
The add command is expected to return the rule identifier string to stdout.
.It Fl c Ar configuration
The name of the configuration file to read, usually
.Pa /etc/blacklistd.conf .
The Berkeley DB file where
stores its state, usually
.Pa /var/run/blacklistd.db .
disassociates itself from the terminal unless the
flag is specified, in which case it stays in the foreground.
Truncate the state database and flush all the rules named
are deleted by invoking the control script as:
.Bd -literal -offset indent
control flush <rulename>
.It Fl P Ar sockpathsfile
A file containing a list of pathnames, one per line, that
will create sockets to listen to.
This is useful for chrooted environments.
Specify the default rule name for the packet filter rules, usually
Re-read the firewall rules from the internal database, then
remove and re-add them.
This helps for packet filters that don't retain state across reboots.
to the list of Unix sockets
The interval in seconds
polls the state file to update the rules.
diagnostic messages to
.Bl -tag -width /libexec/blacklistd-helper -compact
.It Pa /libexec/blacklistd-helper
Shell script invoked to interface with the packet filter.
.It Pa /etc/blacklistd.conf
.It Pa /var/db/blacklistd.db
Database of current connection entries.
.It Pa /var/run/blsock
Socket to receive connection notifications.
.Xr blacklistd.conf 5 ,