Index: GIDs
===================================================================
--- GIDs
+++ GIDs
@@ -194,7 +194,7 @@
 # free: 251
 # free: 252
 _adsuck:*:253:
-# free: 254
+imds:*:254:
 _i2pd:*:255:
 _tor:*:256:
 _smtpd:*:257:
Index: UIDs
===================================================================
--- UIDs
+++ UIDs
@@ -199,7 +199,7 @@
 # free: 251
 # free: 252
 _adsuck:*:253:253::0:0:Adsuck ad blocking user:/nonexistent:/usr/sbin/nologin
-# free: 254
+imds:*:254:254::0:0:Instance Metadata Service filter:/nonexistent:/usr/sbin/nologin
 _i2pd:*:255:255::0:0:I2P daemon:/var/db/i2pd:/usr/sbin/nologin
 _tor:*:256:256::0:0:Tor anonymizing router:/var/db/tor:/usr/sbin/nologin
 _smtpd:*:257:257::0:0:OpenSMTPD:/var/empty:/usr/sbin/nologin
Index: security/Makefile
===================================================================
--- security/Makefile
+++ security/Makefile
@@ -226,6 +226,7 @@
     SUBDIR += idea
     SUBDIR += identify
     SUBDIR += ike
+    SUBDIR += imds-filter
     SUBDIR += integrit
     SUBDIR += ipfcount
     SUBDIR += ipfilter2dshield
Index: security/imds-filterd/Makefile
===================================================================
--- security/imds-filterd/Makefile
+++ security/imds-filterd/Makefile
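Review bot: The new account is named `imds` while every neighbouring system account in this hunk (`_adsuck`, `_i2pd`, `_tor`, `_smtpd`) carries the leading-underscore prefix used to mark daemon users; if that convention is meant to apply to new entries, `_imds` would be the consistent choice, and the port's `USERS=`/`GROUPS=` lines and its rc.d scripts would then need the same name. The rest of the entry is appropriate for a privilege-separated filter process: home `/nonexistent`, shell `/usr/sbin/nologin`, and a dedicated primary group 254 that the GIDs hunk reserves in the same change.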
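Review bot: The added line reads `SUBDIR += imds-filter`, but the port introduced in this same change lives in `security/imds-filterd` and sets `PORTNAME= imds-filterd`, so the category Makefile points at a directory that does not exist and the new port is silently left out of the category build and INDEX. The line should be `SUBDIR += imds-filterd`, which also keeps its alphabetical position between `ike` and `integrit`.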
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+PORTNAME=	imds-filterd
+DISTVERSION=	0.1
+CATEGORIES=	security
+
+MAINTAINER=	cperciva@FreeBSD.org
+COMMENT=	Provides per user/group access controls to the EC2 IMDS
+
+LICENSE=	BSD2CLAUSE
+LICENSE_FILE=	${WRKSRC}/COPYRIGHT
+
+USE_GITHUB=	YES
+GH_ACCOUNT=	cperciva
+
+# Install binaries into ${STAGEDIR}${PREFIX}/sbin
+MAKE_ARGS+=	BINDIR=${STAGEDIR}${PREFIX}/sbin
+
+PORTDOCS=	CHANGELOG COPYRIGHT README.md USAGE
+PLIST_FILES=	sbin/imds-filterd \
+		sbin/imds-proxy \
+		etc/rc.d/imds-filterd \
+		etc/rc.d/imds-proxy \
+		etc/syslog.d/imds.conf \
+		etc/newsyslog.conf.d/imds.conf \
+		"@sample etc/imds.conf.sample"
+
+OPTIONS_DEFINE=	DOCS
+
+USERS=		imds
+GROUPS=		imds
+
+post-install:
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/syslog.d
+	${INSTALL_DATA} ${WRKSRC}/freebsd-conf/syslog-imds.conf ${STAGEDIR}${PREFIX}/etc/syslog.d/imds.conf
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d
+	${INSTALL_DATA} ${WRKSRC}/freebsd-conf/newsyslog-imds.conf ${STAGEDIR}${PREFIX}/etc/newsyslog.conf.d/imds.conf
+	${INSTALL_DATA} ${WRKSRC}/imds.conf ${STAGEDIR}${PREFIX}/etc/imds.conf.sample
+	${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-filterd ${STAGEDIR}${PREFIX}/etc/rc.d/imds-filterd
+	${INSTALL_SCRIPT} ${WRKSRC}/freebsd-conf/rc.d-imds-proxy ${STAGEDIR}${PREFIX}/etc/rc.d/imds-proxy
+
+.include
Index: security/imds-filterd/distinfo
===================================================================
--- security/imds-filterd/distinfo
+++ security/imds-filterd/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1580074291
+SHA256 (cperciva-imds-filterd-0.1_GH0.tar.gz) = e0e8b28046b2a917e110d1313242947aa6901635e81552107ab2f6a2fba83441
+SIZE (cperciva-imds-filterd-0.1_GH0.tar.gz) = 64011
Index: security/imds-filterd/pkg-descr
===================================================================
--- security/imds-filterd/pkg-descr
+++ security/imds-filterd/pkg-descr
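Review bot: The documentation files are installed unconditionally in `post-install` even though `DOCS` is declared in `OPTIONS_DEFINE`, so with the option disabled CHANGELOG/COPYRIGHT/README.md/USAGE still land in `${STAGEDIR}${DOCSDIR}` while the plist omits them; the ports convention is to move the `@${MKDIR} ${STAGEDIR}${DOCSDIR}` and `${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}` lines into a `post-install-DOCS-on:` target. The closing `.include` also appears here with no argument, which looks like the `<bsd.port.mk>` token being eaten in rendering, but it is worth confirming the committed file ends with `.include <bsd.port.mk>` since the port will not parse otherwise. The `@sample` entry for `etc/imds.conf.sample` is the right choice for a policy file: the live `imds.conf` is only seeded when absent, so an administrator's IMDS access rules are not overwritten on upgrade.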
@@ -0,0 +1,12 @@
+imds-filterd (pronounced "I M D S Filter D") is a pair of utilities which
+work together to intercept and filter requests to the EC2 Instance Metadata
+Service -- or theoretically any other service at 169.254.169.254:80.
+
+It validates requests against a configured ruleset which specifies whether
+given users and groups should be allowed or denied access to certain prefixes
+in the Instance Metadata Service.  For example, "root" could be granted
+access to everything; most unprivileged users granted access to everything
+except IAM role credentials; but the www user denied access to the entire
+Instance Metadata Service in order to guard against SSRF and similar attacks.
+
+WWW: http://github.com/cperciva/imds-filterd