tail head cat sleep
QR code linking to this page



blacklistd.conf – configuration file format for blacklistd



The blacklistd.conf files contains configuration lines for blacklistd(8). It contains one entry per line, and is similar to inetd.conf(5). There must be an entry for each field of the configuration file, with entries for each field separated by a tab or a space. Comments are denoted by a "#" at the beginning of a line.

There are two kinds of configuration lines, local and remote. By default, configuration lines are local, i.e. the address specified refers to the addresses on the local machine. To switch to between local and remote configuration lines you can specify the stanzas: "[local]" and "[remote]".

On local and remote lines "*" means use the default, or wildcard match. In addition, for remote lines "=" means use the values from the matched local configuration line.

The first four fields, location, type, proto, and owner are used to match the local or remote addresses, whereas the last 3 fields name, nfail, and disable are used to modify the filtering action.

The first field denotes the location as an address, mask, and port. The syntax for the location is:


The address can be an IPv4 address in numeric format, an IPv6 address in numeric format and enclosed by square brackets, or an interface name. Mask modifiers are not allowed on interfaces because interfaces have multiple address in different protocols where the mask has a different size.

The mask is always numeric, but the port can be either numeric or symbolic.

The second field is the socket type: stream, dgram, or numeric. The third field is the prococol: tcp, udp, tcp6, udp6, or numeric. The fourth file is the effective user ( owner) of the daemon process reporting the event, either as a username or a userid.

The rest of the fields are controlling the behavior of the filter.

The name field, is the name of the packet filter rule to be used. If the name starts with a "-", then the default rulename is prepended to the given name. If the name contains a "/", the remaining portion of the name is interpreted as the mask to be applied to the address specified in the rule, so one can block whole subnets for a single rule violation.

The nfail field contains the number of failed attempts before access is blocked, defaulting to "*" meaning never, and the last field disable specifies the amount of time since the last access that the blocking rule should be active, defaulting to "*" meaning forever. The default unit for disable is seconds, but one can specify suffixes for different units, such as "m" for minutes "h" for hours and "d" for days.

Matching is done first by checking the local rules one by one, from the most specific to the least specific. If a match is found, then the remote rules are applied, and if a match is found the name, nfail, and disable fields can be altered by the remote rule that matched.

The remote rules can be used for whitelisting specific addresses, changing the mask size, or the rule that the packet filter uses, the number of failed attempts, or the blocked duration.


  Configuration file.


# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
# location      type    proto   owner   name    nfail   duration
bnx0:ssh        *       *       *       *       3       6h
# Never block     *       *       *       *       *       *
# For addresses coming from block class C networks instead
# individual hosts, but keep the rest of the blocking parameters the same.  *       *       *       /24     =       =


blacklistctl(8), blacklistd(8)


blacklistd.conf first appeared in NetBSD FreeBSD support for blacklistd.conf was implemented in FreeBSD 11 .


Christos Zoulas

BLACKLISTD.CONF (5) June 7, 2016

tail head cat sleep
QR code linking to this page

Please direct any comments about this manual page service to Ben Bullock.

The wonderful thing about standards is that there are so many of them to choose from.
— Grace Murray Hopper