If the action is "add" and the number of tries limit is reached, then the control script controlprog is invoked with the arguments:
control add <rulename> <proto> <address> <mask> <port>
and should invoke a packet filter command to block the connection specified by those arguments. The rulename argument can be set from the command line (default blacklistd). The script may print an identifier for the rule to stdout; blacklistd keeps it and hands it back as a handle when the rule is removed, but this is optional, because everything needed to remove the rule (rule name, protocol, address, mask and port) is kept anyway.
If the action is "remove", the same control script is invoked with the action argument rem:
control rem <rulename> <proto> <address> <mask> <port> <id>
where id is the identifier printed by the "add" invocation.
blacklistd maintains a database of known connections in dbfile. On startup it reads the entries from that file and updates its internal state.
Every timeout seconds (default 15) blacklistd checks the list of active entries and removes entries and their block rules, invoking the control program as necessary.
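The contract just described (add may print a handle, rem receives it back as the seventh argument, flush gets only the rule name) and the argument list documented under -C below, shown in a control script of the kind -C points at. This is an added example, not the system's /usr/libexec/blacklistd-helper: it manages a pf(4) table through pfctl(8), keeps one table per rule name (so a blocked address is dropped on every port, not only the one it attacked; the proto and port arguments are accepted but unused), assumes a pf.conf rule such as `block in quick from <blacklistd> to any` already references that table, and, because the address, mask and rule name end up on a root-run command line, checks each against a character allowlist before use. BL_DRY_RUN and PFCTL are invented variables: with BL_DRY_RUN=1 (the default here) the pfctl commands are printed instead of executed, so the script can be exercised on a machine without pf.

```shell
#!/bin/sh
# Added example of a blacklistd control script (not the system's
# /usr/libexec/blacklistd-helper). blacklistd invokes it as:
#   control <action> <rulename> <proto> <address> <mask> <port> [<id>]
# It keeps one pf table per rule name; a pf.conf rule such as
#   block in quick from <blacklistd> to any
# is assumed to exist and is not created by this script.

PFCTL=${PFCTL:-/sbin/pfctl}      # assumed path; override for testing
BL_DRY_RUN=${BL_DRY_RUN:-1}      # invented switch: 1 = print commands, 0 = run them

# Print the packet-filter command in dry-run mode, otherwise execute it.
run_pf() {
    if [ "$BL_DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Allowlist checks. Every argument lands on a root-run command line, so
# reject anything outside what a numeric address, a prefix length or a
# pf table name can legitimately contain.
valid_addr() { case "$1" in ""|*[!0-9a-fA-F.:]*) return 1 ;; esac; }
valid_num()  { case "$1" in ""|*[!0-9]*)        return 1 ;; esac; }
valid_name() { case "$1" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac; }

control() {
    action=$1 name=$2 proto=$3 addr=$4 mask=$5 port=$6 id=$7
    # proto and port are deliberately unused: one table per rule name.
    valid_name "$name" || { echo "control: bad rule name" >&2; return 2; }
    case "$action" in
    add)
        valid_addr "$addr" && valid_num "$mask" && [ "$mask" -le 128 ] ||
            { echo "control: bad address/mask" >&2; return 2; }
        run_pf "$PFCTL" -q -t "$name" -T add "$addr/$mask" || return 1
        # Handle for blacklistd: it is stored and handed back on rem.
        echo "$name"
        ;;
    rem)
        valid_addr "$addr" && valid_num "$mask" && [ "$mask" -le 128 ] ||
            { echo "control: bad address/mask" >&2; return 2; }
        # Prefer the handle returned by add; fall back to the rule name.
        table=${id:-$name}
        valid_name "$table" || { echo "control: bad id" >&2; return 2; }
        run_pf "$PFCTL" -q -t "$table" -T delete "$addr/$mask"
        ;;
    flush)
        # Invoked as "control flush <rulename>": only the name is available.
        run_pf "$PFCTL" -q -t "$name" -T flush
        ;;
    *)
        echo "control: unknown action '$action'" >&2
        return 2
        ;;
    esac
}

# Act as a script when given arguments; stay quiet when sourced.
[ $# -eq 0 ] || control "$@"
```

With BL_DRY_RUN=1, `control add blacklistd tcp 192.0.2.7 32 22` prints the pfctl command followed by the handle; with BL_DRY_RUN=0 only the handle reaches stdout, which is what blacklistd reads. Installing it means pointing -C at the file and making sure the rule name passed by -r (default blacklistd) matches the table named in pf.conf.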
The following options are available:

-C controlprog
    Use controlprog to communicate with the packet filter, usually /usr/libexec/blacklistd-helper. The following arguments are passed to the control program:

    action   The action to perform: add, rem, or flush to add, remove or flush a firewall rule.
    name     The rule name.
    proto    The optional protocol name (can be empty): tcp, tcp6, udp, udp6.
    address  The IPv4 or IPv6 numeric address to be blocked or released.
    mask     The numeric mask (prefix length) to be applied to the blocked or released address.
    port     The optional numeric port to be blocked (can be empty).
    id       For packet filters that support removal of rules by rule identifier, the identifier of the rule to be removed. The add command is expected to return the rule identifier string to stdout.

-c configfile
    The name of the configuration file to read, usually /etc/blacklistd.conf.

-D dbfile
    The Berkeley DB file where blacklistd stores its state, usually /var/db/blacklistd.db.

-d
    Normally, blacklistd disassociates itself from the terminal unless the -d flag is given, in which case it stays in the foreground.

-f
    Truncate the state database and flush all the rules named rulename; the rules are deleted by invoking the control script as:
    control flush <rulename>

-P sockpathsfile
    A file containing a list of pathnames, one per line, that blacklistd will create sockets to listen to. This is useful for chrooted environments.

-R
    Re-read the firewall rules from the internal database, then remove and re-add them. This helps for packet filters that do not retain state across reboots.

-r rulename
    Specify the default rule name for the packet filter rules, usually blacklistd.

-s sockpath
    Add sockpath to the list of Unix sockets blacklistd listens to.

-t timeout
    The interval in seconds at which blacklistd polls the state file to update the rules.

-v
    Cause blacklistd to print diagnostic messages to stdout instead of syslogd(8).
/var/db/blacklistd.db    Database of current connection entries.
/var/run/blacklistd.sock Socket to receive connection notifications.
BLACKLISTD (8)    June 7, 2016