blacklistd
is a daemon similar to
syslogd(8)
that listens on sockets at the paths listed in
sockspathsfile
for notifications from other daemons about successful or failed connection
attempts.
If no such file is specified, it listens only on the socket path given by
sockpath,
or, if that is not specified either, on
/var/run/blacklistd.sock.
Each notification contains an (action, port, protocol, address, owner) tuple
that identifies the remote connection and the action requested.
This tuple is consulted against the entries in
configfile,
whose syntax is specified in
blacklistd.conf(5).
If an entry matches, a state entry is created for that tuple.
Each state entry carries the matched entry's number-of-tries limit and
block duration.
If the action is
"add"
and the number of tries limit is reached, then the
control program
controlprog
is invoked with the arguments:
control add <rulename> <proto> <address> <mask> <port>
and should invoke a packet filter command to block the connection
specified by those arguments.
The
rulename
argument can be set from the command line (default
blacklistd).
The control program may print a numerical id to stdout as a handle for the
rule, to be used later when removing that connection, but this is not
required because all the information needed to remove the rule is kept.
If the action is
"remove",
then the same control program is invoked as:
control rem <rulename> <proto> <address> <mask> <port> <id>
(the action verb passed to the program is rem, as listed under
-C
below), where
id
is the number returned from the
"add"
action.
blacklistd
maintains a database of known connections in
dbfile.
On startup it reads entries from that file, and updates its internal state.
blacklistd
checks the list of active entries every
timeout
seconds (default
15)
and removes entries and block rules using the control program as necessary.
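The state handling described above, modelled as an added example that is not code from blacklistd itself: a simplified tracker matches each (action, port, protocol, address, owner) notification against entries carrying a tries limit and a duration, invokes a stand-in control program with the add and rem argument lists, and expires blocks on the periodic poll. The names ConfEntry, State, Blacklistd and RecordingControl, the (port, protocol) matching, the host-mask choice and the dropping of stale never-blocked entries are this example's own assumptions; the owner field is accepted but not consulted, and the configuration syntax of blacklistd.conf(5) is not reproduced.

```python
"""Model of blacklistd's state handling (added illustration, not the daemon's
own code). The control program is any callable taking the argv list described
under -C and returning the rule id that "add" prints; the clock is passed in
explicitly so the every-`timeout`-seconds poll can be driven by hand."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ConfEntry:
    port: int
    proto: str
    nfail: int       # tries limit before the control program is invoked
    duration: int    # seconds the block rule stays installed


@dataclass
class State:
    tries: int = 0
    last: int = 0                      # time of the most recent notification
    blocked_at: Optional[int] = None   # time the "add" rule was installed
    rule_id: str = ""                  # handle returned by "add" (may be empty)


def mask_for(address: str) -> str:
    """Host mask: /32 for IPv4, /128 for IPv6 (an assumption of this model)."""
    return "128" if ":" in address else "32"


class Blacklistd:
    def __init__(self, conf: List[ConfEntry],
                 control: Callable[[List[str]], str],
                 rulename: str = "blacklistd") -> None:
        self.conf = conf
        self.control = control
        self.rulename = rulename
        self.db: Dict[Tuple[int, str, str], State] = {}   # the dbfile contents

    def match(self, port: int, proto: str) -> Optional[ConfEntry]:
        # Simplified matching: real blacklistd.conf(5) also considers address and owner.
        return next((c for c in self.conf
                     if c.port == port and c.proto == proto), None)

    def notify(self, action: str, port: int, proto: str, address: str,
               owner: str, now: int) -> None:
        """Handle one (action, port, protocol, address, owner) notification."""
        c = self.match(port, proto)
        if c is None:          # no matching configuration entry: nothing tracked
            return
        key = (port, proto, address)
        st = self.db.setdefault(key, State())
        st.last = now
        if action == "add":
            st.tries += 1
            if st.tries >= c.nfail and st.blocked_at is None:
                argv = ["add", self.rulename, proto, address,
                        mask_for(address), str(port)]
                st.rule_id = self.control(argv)
                st.blocked_at = now
        elif action == "remove":   # e.g. the daemon reports a later success
            self._forget(key, st)

    def _forget(self, key: Tuple[int, str, str], st: State) -> None:
        port, proto, address = key
        if st.blocked_at is not None:   # a rule was installed: take it down
            self.control(["rem", self.rulename, proto, address,
                          mask_for(address), str(port), st.rule_id])
        del self.db[key]

    def poll(self, now: int) -> None:
        """The periodic pass: expire blocks whose duration has elapsed."""
        for key, st in list(self.db.items()):
            c = self.match(key[0], key[1])
            if c is None:
                self._forget(key, st)          # entry no longer configured
            elif st.blocked_at is not None:
                if now - st.blocked_at >= c.duration:
                    self._forget(key, st)
            elif now - st.last >= c.duration:  # stale count, never blocked (assumption)
                self._forget(key, st)


class RecordingControl:
    """Stand-in for controlprog: records each argv and returns a numeric id
    for "add" (the id may be empty in general; this stand-in always gives one)."""
    def __init__(self) -> None:
        self.calls: List[List[str]] = []
        self._next = 1

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(list(argv))
        if argv[0] == "add":
            rid, self._next = str(self._next), self._next + 1
            return rid
        return ""


def demo() -> Tuple[List[List[str]], Dict[Tuple[int, str, str], State]]:
    """Constructed scenario: three sshd failures block an address for 60 s, a
    success in the middle of a second address's attempts resets its count."""
    conf = [ConfEntry(port=22, proto="tcp", nfail=3, duration=60)]
    ctl = RecordingControl()
    bl = Blacklistd(conf, ctl)
    for t in (0, 1, 2):                      # three failures from one address
        bl.notify("add", 22, "tcp", "192.0.2.10", "sshd", now=t)
    bl.poll(now=15)                          # default timeout: still blocked
    bl.poll(now=75)                          # duration elapsed: rule removed
    bl.notify("add", 22, "tcp", "198.51.100.7", "sshd", now=80)
    bl.notify("add", 22, "tcp", "198.51.100.7", "sshd", now=81)
    bl.notify("remove", 22, "tcp", "198.51.100.7", "sshd", now=82)  # success
    bl.notify("add", 22, "tcp", "198.51.100.7", "sshd", now=83)
    bl.notify("add", 22, "tcp", "198.51.100.7", "sshd", now=84)     # 2 < nfail
    bl.poll(now=90)
    return ctl.calls, dict(bl.db)


if __name__ == "__main__":
    for call in demo()[0]:
        print("control", " ".join(call))
```

Running the block prints the two control invocations the scenario produces: the add for 192.0.2.10 once the third failure arrives, and the rem carrying the id "1" after the 60-second duration has passed on a poll; the second address never reaches the limit because the "remove" notification cleared its count.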
The following options are available:
-C controlprog
        Use controlprog to communicate with the packet filter, usually
        /usr/libexec/blacklistd-helper.  The following arguments are passed
        to the control program, in this order:

        action    The action to perform: add, rem, or flush to add, remove
                  or flush a firewall rule.
        name      The rule name.
        protocol  The optional protocol name (can be empty): tcp, tcp6, udp,
                  udp6.
        address   The IPv4 or IPv6 numeric address to be blocked or released.
        mask      The numeric mask to be applied to the blocked or released
                  address.
        port      The optional numeric port to be blocked (can be empty).
        id        For packet filters that support removal of rules by rule
                  identifier, the identifier of the rule to be removed.  The
                  add command is expected to print the rule identifier string
                  to stdout.

-c configuration
        The name of the configuration file to read, usually
        /etc/blacklistd.conf.

-D dbfile
        The Berkeley DB file where blacklistd stores its state, usually
        /var/db/blacklistd.db.

-d      Normally, blacklistd disassociates itself from the terminal; if the
        -d flag is specified it stays in the foreground.

-f      Truncate the state database and delete all rules named rulename by
        invoking the control program as:

              control flush <rulename>

-P sockspathsfile
        A file containing a list of pathnames, one per line, on which
        blacklistd creates sockets and listens.  This is useful for chrooted
        environments.

-R rulename
        Specify the default rule name for the packet filter rules, usually
        blacklistd.

-r      Re-read the firewall rules from the internal database, then remove
        and re-add them.  This helps with packet filters that do not retain
        state across reboots.

-s sockpath
        Add sockpath to the list of Unix sockets blacklistd listens on.

-t timeout
        The interval in seconds at which blacklistd polls the state file to
        update the rules (default 15).

-v      Cause blacklistd to print diagnostic messages to stdout instead of
        sending them to syslogd(8).
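A control program for -C, as an added example written here and not the stock /usr/libexec/blacklistd-helper: it parses the argument list described under -C and refuses anything that is not a plain rule name, a known action, a numeric address, a prefix length within range or a numeric port before any of it reaches a packet filter command, since the program runs with the daemon's privileges. It then drives a pf table per port under an anchor named after the rule; the anchor and table naming, the pfctl invocation and the refusal of a /0 mask are assumptions of this example, and the pf.conf rule that consults the table is not shown. The id passed to rem is accepted but unused, because pf removes table entries by address. Setting BLACKLISTD_DRYRUN in the environment prints the pfctl command instead of running it.

```python
#!/usr/bin/env python3
"""Illustrative blacklistd control program (added example, not the stock
blacklistd-helper).  Invoked by blacklistd as:

    prog add|rem|flush <name> [<proto> <address> <mask> <port> [<id>]]

Every argument is validated before pfctl is run with the daemon's privileges.
Anchor/table layout, the /0 refusal and BLACKLISTD_DRYRUN are this example's
own conventions."""
import ipaddress
import os
import re
import subprocess
import sys
from typing import List, Optional, Tuple

ACTIONS = ("add", "rem", "flush")
PROTOS = ("", "tcp", "tcp6", "udp", "udp6")
PFCTL = "/sbin/pfctl"
Parsed = Tuple[str, str, str, Optional[str], Optional[int], str, str]


class BadArgs(ValueError):
    """Raised for any argument that must not reach the packet filter."""


def parse(argv: List[str]) -> Parsed:
    """Return (action, name, proto, address, mask, port, id) or raise BadArgs."""
    if len(argv) < 2 or argv[0] not in ACTIONS:
        raise BadArgs("usage: control add|rem|flush <name> ...")
    action, name = argv[0], argv[1]
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):   # anchor/table name material
        raise BadArgs("bad rule name")
    if action == "flush":
        return (action, name, "", None, None, "", "")
    if len(argv) < 6:
        raise BadArgs("missing proto/address/mask/port")
    proto, addr_s, mask_s, port_s = argv[2:6]
    if proto not in PROTOS:
        raise BadArgs("bad protocol")
    try:
        addr = ipaddress.ip_address(addr_s)          # rejects shell junk too
    except ValueError:
        raise BadArgs("bad address") from None
    if not mask_s.isdigit() or int(mask_s) > addr.max_prefixlen:
        raise BadArgs("bad mask")
    if int(mask_s) == 0:
        raise BadArgs("refusing a mask that matches every address")
    if port_s and not (port_s.isdigit() and 1 <= int(port_s) <= 65535):
        raise BadArgs("bad port")
    rid = argv[6] if len(argv) > 6 else ""           # only rem carries an id
    return (action, name, proto, str(addr), int(mask_s), port_s, rid)


def is_valid(argv: List[str]) -> bool:
    try:
        parse(argv)
        return True
    except BadArgs:
        return False


def pf_command(parsed: Parsed) -> List[str]:
    """Build the pfctl argv: anchor <name>, table port<port> (or <name>)."""
    action, name, _proto, addr, mask, port, _rid = parsed
    table = f"port{port}" if port else name
    base = [PFCTL, "-a", name, "-t", table, "-T"]
    if action == "flush":
        return base + ["flush"]
    entry = f"{addr}/{mask}"
    return base + ["add" if action == "add" else "delete", entry]


def main(argv: List[str]) -> int:
    try:
        parsed = parse(argv)
    except BadArgs as e:
        print(f"control: {e}", file=sys.stderr)
        return 1
    cmd = pf_command(parsed)
    if os.environ.get("BLACKLISTD_DRYRUN"):
        print(" ".join(cmd), file=sys.stderr)
    else:
        try:
            subprocess.run(cmd, check=True)
        except (OSError, subprocess.CalledProcessError) as e:
            print(f"control: {e}", file=sys.stderr)
            return 1
    if parsed[0] == "add":
        print(cmd[-1])   # the handle blacklistd stores and passes back to rem
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the handle printed after add is just the table entry, rem can succeed even when blacklistd starts from an empty database after -f, which matches the note above that the id is optional for filters that do not need it.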