I would appreciate any donations. Wishlist or send e-mail type donations to maekawa AT daemon-systems.org.
BLACKLISTD.CONF(5) File Formats Manual BLACKLISTD.CONF(5) NAME blacklistd.conf - configuration file format for blacklistd DESCRIPTION The blacklistd.conf files contains configuration entries for blacklistd(8) in a fashion similar to inetd.conf(5). Only one entry per line is permitted. Every entry must have all fields populated. Each field can be separated by a tab or a space. Comments are denoted by a "#" at the beginning of a line. There are two kinds of configuration lines, local and remote. By default, configuration lines are local, i.e. the address specified refers to the addresses on the local machine. To switch to between local and remote configuration lines you can specify the stanzas: "[local]" and "[remote]". On local and remote lines "*" means use the default, or wildcard match. In addition, for remote lines "=" means use the values from the matched local configuration line. The first four fields, location, type, proto, and owner are used to match the local or remote addresses, whereas the last 3 fields name, nfail, and disable are used to modify the filtering action. The first field denotes the location as an address, mask, and port. The syntax for the location is: [<address>|<interface>][/<mask>][:<port>] The address can be an IPv4 address in numeric format, an IPv6 address in numeric format and enclosed by square brackets, or an interface name. Mask modifiers are not allowed on interfaces because interfaces can have multiple addresses in different protocols where the mask has a different size. The mask is always numeric, but the port can be either numeric or symbolic. The second field is the socket type: stream, dgram, or numeric. The third field is the prococol: tcp, udp, tcp6, udp6, or numeric. The fourth file is the effective user (owner) of the daemon process reporting the event, either as a username or a userid. The rest of the fields are controlling the behavior of the filter. The name field, is the name of the packet filter rule to be used. If the name starts with a "-", then the default rulename is prepended to the given name. If the name contains a "/", the remaining portion of the name is interpreted as the mask to be applied to the address specified in the rule, causing a single rule violation to block the entire subnet for the configured prefix. The nfail field contains the number of failed attempts before access is blocked, defaulting to "*" meaning never, and the last field disable specifies the amount of time since the last access that the blocking rule should be active, defaulting to "*" meaning forever. The default unit for disable is seconds, but one can specify suffixes for different units, such as "m" for minutes "h" for hours and "d" for days. Matching is done first by checking the local rules individually, in the order of the most specific to the least specific. If a match is found, then the remote rules are applied. The name, nfail, and disable fields can be altered by the remote rule that matched. The remote rules can be used for whitelisting specific addresses, changing the mask size, the rule that the packet filter uses, the number of failed attempts, or the block duration. FILES /etc/blacklistd.conf Configuration file. EXAMPLES # Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration bnx0:ssh * * * * 3 6h [remote] # Never block 18.104.22.168 22.214.171.124:ssh * * * * * * # For addresses coming from 126.96.36.199/16 block class C networks instead # individual hosts, but keep the rest of the blocking parameters the same. 188.8.131.52/16:ssh * * * /24 = = SEE ALSO blacklistctl(8), blacklistd(8) HISTORY blacklistd.conf first appeared in NetBSD 7. FreeBSD support for blacklistd.conf was implemented in FreeBSD 11. AUTHORS Christos Zoulas NetBSD 8.0 June 5, 2017 NetBSD 8.0