Index: etc/Makefile
===================================================================
--- etc/Makefile
+++ etc/Makefile
@@ -86,6 +86,10 @@
 BIN1+= auto_master
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
Index: etc/blacklistd.conf
===================================================================
--- /dev/null
+++ etc/blacklistd.conf
@@ -0,0 +1,15 @@
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 24h
+ftp stream * * * 3 24h
+smtp stream * * * 3 24h
+submission stream * * * 3 24h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf
+++ etc/defaults/rc.conf
@@ -266,6 +266,8 @@
 hastd_flags="" # Optional flags to hastd.
 ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
+blacklistd_flags="" # Optional flags for blacklistd(8).
 
 #
 # kerberos. Do not run the admin daemons on slave servers
Index: etc/periodic/security/520.pfdenied
===================================================================
--- etc/periodic/security/520.pfdenied
+++ etc/periodic/security/520.pfdenied
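Review bot: The [remote] section ships empty, so the catch-all `* * * * * 3 60` that closes [local] applies to every source address, including whichever network the administrator logs in from; three reported failures on any port lock that address out for 60 seconds and nothing in the file exempts it. The commented `#129.168.0.0/16 * * * = * *` line looks like a typo for 192.168.0.0/16, and `#6161 stream tcp6 christos * 2 10m` still names an upstream developer as the owner, so neither is a usable template for an operator. I would replace those two with neutral examples and add above [remote]: `# Networks that must never be blocked go here with '*' in the nfail column (see blacklistd.conf(5))`, assuming the `*` nfail in that example means "never block" as its placement suggests — worth confirming against the manual page before committing the wording.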
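Review bot: `blacklistd_enable="YES"` turns the new daemon on for every installation by default, which departs from the neighbouring `ctld_enable="NO"` and `local_unbound_enable="NO"` and from the convention that etc/defaults/rc.conf ships new services off. Because the shipped blacklistd.conf blocks any source after three failures on any port, a default of YES means hosts begin blocking addresses without an operator ever choosing to, and hosts that never enabled pf get a daemon whose enforcement path cannot work. Change it to `blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).` and let users opt in from rc.conf.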
@@ -44,8 +44,14 @@
 if check_yesno_period security_status_pfdenied_enable
 then
 TMP=`mktemp -t security`
- if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
- check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ touch ${TMP}
+ for _a in "" "blacklistd"
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
 fi
 rc=$?
 rm -f ${TMP}
Index: etc/rc.d/Makefile
===================================================================
--- etc/rc.d/Makefile
+++ etc/rc.d/Makefile
@@ -17,6 +17,7 @@
 auditd \
 auditdistd \
 bgfsck \
+ ${_blacklistd} \
 ${_bluetooth} \
 bridge \
 ${_bthidd} \
@@ -168,6 +169,10 @@
 FILES+= autounmountd
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+= blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth= bluetooth
 _bthidd= bthidd
Index: etc/rc.d/blacklistd
===================================================================
--- /dev/null
+++ etc/rc.d/blacklistd
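Review bot: `pfctl -a ${_a}` leaves the variable unquoted, so on the first iteration `_a=""` expands to nothing and pfctl is invoked as `pfctl -a -sr -v -z`, which takes `-sr` as the anchor name; the main ruleset is never listed and the error is hidden by `2>/dev/null`, so the report silently loses the main ruleset's denied counts. The fix is `pfctl -a "${_a}" -sr -v -z 2>/dev/null | \`. Note also that an empty ${TMP} now makes `[ -s ${TMP} ]` fail, so the context line `rc=$?` records 1 on a quiet day where it previously took check_diff's status; whether that changes the periodic summary depends on how the caller interprets rc, which is outside the hunk. Whether `-a blacklistd` also lists any nested anchors the helper creates depends on blacklistd-helper, which this diff does not show.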
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
Index: lib/Makefile
===================================================================
--- lib/Makefile
+++ lib/Makefile
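Review bot: `# REQUIRE: netif pf` only orders this script after pf; nothing checks that pf is actually enabled, so on a host with `pf_enable="NO"` blacklistd starts normally and the blocks it asks the helper to install presumably fail with no visible error (the helper is outside this diff). A precmd would make the misconfiguration visible: `blacklistd_precmd() { checkyesno pf_enable || warn "pf is not enabled; blacklistd cannot enforce blocks"; }` together with `start_precmd="blacklistd_precmd"`. The script also declares no `pidfile`, so `service blacklistd status` and `stop` fall back to searching the process table by name; the daemon's Makefile compiles pidfile.c, so if blacklistd(8) writes one, declare it here.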
@@ -28,6 +28,7 @@
 ${_libatm} \
 libauditd \
 libbegemot \
+ ${_libblacklist} \
 libblocksruntime \
 ${_libbluetooth} \
 ${_libbsnmp} \
@@ -160,6 +161,10 @@
 _libngatm= libngatm
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_libblacklist= libblacklist
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _libbluetooth= libbluetooth
 _libsdp= libsdp
Index: lib/libblacklist/Makefile
===================================================================
--- /dev/null
+++ lib/libblacklist/Makefile
@@ -0,0 +1,30 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+.PATH: ${BLACKLIST_DIR}/lib ${BLACKLIST_DIR}/include
+
+LIB= blacklist
+SHLIB_MAJOR= 0
+
+LIBADD+= pthread
+
+CFLAGS.clang+=-Wno-thread-safety-analysis
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_REENTRANT -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_GETPROGNAME \
+ -DHAVE_STRLCAT -DHAVE_STRLCPY -DHAVE_STRUCT_SOCKADDR_SA_LEN
+
+SRCS= bl.c blacklist.c
+INCS= blacklist.h
+MAN= libblacklist.3
+
+MLINKS= libblacklist.3 blacklist_open.3 \
+ libblacklist.3 blacklist_close.3 \
+ libblacklist.3 blacklist.3 \
+ libblacklist.3 blacklist_r.3 \
+ libblacklist.3 blacklist_sa.3 \
+ libblacklist.3 blacklist_sa_r.3
+
+.include
Index: libexec/Makefile
===================================================================
--- libexec/Makefile
+++ libexec/Makefile
@@ -5,6 +5,7 @@
 
 SUBDIR= ${_atf} \
 ${_atrun} \
+ ${_blacklistd-helper} \
 ${_comsat} \
 ${_dma} \
 getty \
@@ -33,6 +34,10 @@
 _atrun= atrun
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd-helper+= blacklistd-helper
+.endif
+
 .if ${MK_BOOTPD} != "no"
 SUBDIR+= bootpd
 .endif
Index: libexec/blacklistd-helper/Makefile
===================================================================
--- /dev/null
+++ libexec/blacklistd-helper/Makefile
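Review bot: `CFLAGS.clang+=-Wno-thread-safety-analysis` switches off clang's lock-annotation checker for a library that is built with `-D_REENTRANT` and linked against pthread, which is exactly the code where that diagnostic earns its keep; if the contrib sources trigger it because they carry no annotations rather than because of real misuse, that reason belongs next to the line so the suppression is not copied elsewhere. Suggested comment: `# contrib sources carry no lock annotations; silence clang until fixed upstream` — adjust if the actual warnings differ, which this diff does not show. Separately, the trailing `.include` has lost its argument in this rendering (presumably `<bsd.lib.mk>` eaten as markup), and the same happens to the other new Makefiles, so check the committed files rather than this page.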
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+
+SCRIPTS= ${BLACKLIST_DIR}/libexec/blacklistd-helper
+
+.include
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk
+++ share/mk/bsd.libnames.mk
@@ -22,6 +22,7 @@
 LIBAUDITD?= ${DESTDIR}${LIBDIR}/libauditd.a
 LIBAVL?= ${DESTDIR}${LIBDIR}/libavl.a
 LIBBEGEMOT?= ${DESTDIR}${LIBDIR}/libbegemot.a
+LIBBLACKLIST?= ${DESTDIR}${LIBDIR}/libblacklist.a
 LIBBLUETOOTH?= ${DESTDIR}${LIBDIR}/libbluetooth.a
 LIBBSDXML?= ${DESTDIR}${LIBDIR}/libbsdxml.a
 LIBBSM?= ${DESTDIR}${LIBDIR}/libbsm.a
Index: share/mk/src.libnames.mk
===================================================================
--- share/mk/src.libnames.mk
+++ share/mk/src.libnames.mk
@@ -176,6 +176,12 @@
 zfs \
 zpool \
 
+.if ${MK_BLACKLIST} != "no"
+_LIBRARIES+= \
+ blacklist \
+
+.endif
+
 .if ${MK_OFED} != "no"
 _LIBRARIES+= \
 cxgb4 \
@@ -198,6 +204,9 @@
 # 2nd+ order consumers. Auto-generating this would be better.
 _DP_80211= sbuf bsdxml
 _DP_archive= z bz2 lzma bsdxml
+.if ${MK_BLACKLIST} != "no"
+_DP_blacklist+= pthread
+.endif
 .if ${MK_OPENSSL} != "no"
 _DP_archive+= crypto
 .else
@@ -500,6 +509,7 @@
 LIBATF_CDIR= ${OBJTOP}/lib/atf/libatf-c
 LIBATF_CXXDIR= ${OBJTOP}/lib/atf/libatf-c++
 LIBALIASDIR= ${OBJTOP}/lib/libalias/libalias
+LIBBLACKLISTDIR= ${OBJTOP}/lib/libblacklist
 LIBBLOCKSRUNTIMEDIR= ${OBJTOP}/lib/libblocksruntime
 LIBBSNMPDIR= ${OBJTOP}/lib/libbsnmp/libbsnmp
 LIBCAP_CASPERDIR= ${OBJTOP}/lib/libcasper/libcasper
Index: share/mk/src.opts.mk
===================================================================
--- share/mk/src.opts.mk
+++ share/mk/src.opts.mk
@@ -56,6 +56,7 @@
 BHYVE \
 BINUTILS \
 BINUTILS_BOOTSTRAP \
+ BLACKLIST \
 BLUETOOTH \
 BOOT \
 BOOTPARAMD \
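Review bot: The `_LIBRARIES` block in src.libnames.mk gates on `MK_BLACKLIST` while lib/Makefile, usr.sbin/Makefile and OptionalObsoleteFiles.inc in the same change gate on `MK_BLACKLIST_SUPPORT`, the derived knob that the `.for var in` loop in src.opts.mk computes from BLACKLIST and WITHOUT_BLACKLIST_SUPPORT. With `WITHOUT_BLACKLIST_SUPPORT` set, `_LIBRARIES` here (and `_DP_blacklist` in the next hunk) still advertise libblacklist although lib/Makefile no longer builds it, which is harmless only as long as every `LIBADD+= blacklist` consumer also gates on the _SUPPORT knob; a consumer that does not fails at link time instead of being skipped. Use the same knob in both hunks, `.if ${MK_BLACKLIST_SUPPORT} != "no"`, assuming src.opts.mk is already included here as the existing MK_OFED test suggests.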
@@ -374,6 +375,7 @@
 # MK_* variable is set to "no".
 #
 .for var in \
+ BLACKLIST \
 BZIP2 \
 GNU \
 INET \
Index: tools/build/mk/OptionalObsoleteFiles.inc
===================================================================
--- tools/build/mk/OptionalObsoleteFiles.inc
+++ tools/build/mk/OptionalObsoleteFiles.inc
@@ -404,6 +404,26 @@
 OLD_FILES+=usr/share/man/man7/binutils.7.gz
 .endif
 
+.if ${MK_BLACKLIST_SUPPORT} == no
+OLD_FILES+=etc/rc.d/blacklistd
+OLD_FILES+=usr/include/blacklist.h
+OLD_FILES+=usr/lib/libblacklist.a
+OLD_FILES+=usr/lib/libblacklist_p.a
+OLD_FILES+=usr/lib/libblacklist.so
+OLD_LIBS+=usr/lib/libblacklist.so.0
+OLD_FILES+=usr/libexec/blacklistd-helper
+OLD_FILES+=usr/sbin/blacklistctl
+OLD_FILES+=usr/sbin/blacklistd
+OLD_FILES+=usr/share/man/man3/blacklist.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_close.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_open.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_r.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa.3.gz
+OLD_FILES+=usr/share/man/man3/blacklist_sa_r.3.gz
+OLD_FILES+=usr/share/man/man8/blacklistctl.8.gz
+OLD_FILES+=usr/share/man/man8/blacklistd.8.gz
+.endif
+
 .if ${MK_BLUETOOTH} == no
 OLD_FILES+=etc/bluetooth/hcsecd.conf
 OLD_FILES+=etc/bluetooth/hosts
Index: usr.sbin/Makefile
===================================================================
--- usr.sbin/Makefile
+++ usr.sbin/Makefile
@@ -113,6 +113,10 @@
 SUBDIR.${MK_AUDIT}+= praudit
 SUBDIR.${MK_AUTHPF}+= authpf
 SUBDIR.${MK_AUTOFS}+= autofs
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl
+SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd
+.endif
 SUBDIR.${MK_BLUETOOTH}+= bluetooth
 SUBDIR.${MK_BOOTPARAMD}+= bootparamd
 SUBDIR.${MK_BSDINSTALL}+= bsdinstall
Index: usr.sbin/blacklistctl/Makefile
===================================================================
--- /dev/null
+++ usr.sbin/blacklistctl/Makefile
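Review bot: The cleanup list for `MK_BLACKLIST_SUPPORT == no` in OptionalObsoleteFiles.inc misses two files this same change installs: `etc/blacklistd.conf`, added to BIN1 in etc/Makefile (the MK_BLUETOOTH block directly below does list its etc/ files), and `usr/share/man/man3/libblacklist.3.gz`, the page lib/libblacklist/Makefile installs via `MAN=` and the target of the six blacklist_*.3 links that are listed. Add `OLD_FILES+=etc/blacklistd.conf` and `OLD_FILES+=usr/share/man/man3/libblacklist.3.gz` to the block so a WITHOUT_BLACKLIST_SUPPORT delete-old run actually removes them.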
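Review bot: The `.if ${MK_BLACKLIST_SUPPORT} != "no"` wrapper around the two `SUBDIR.${MK_BLACKLIST_SUPPORT}+=` lines in usr.sbin/Makefile is redundant: the `SUBDIR.${MK_X}+=` idiom used by the neighbouring AUTHPF, AUTOFS and BLUETOOTH lines already parks the directory in the ignored SUBDIR.no when the knob is off. Drop the `.if`/`.endif` and keep just `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistctl` and `SUBDIR.${MK_BLACKLIST_SUPPORT}+= blacklistd`, matching the rest of the list.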
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistctl
+SRCS= blacklistctl.c conf.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistctl.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+ -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+ -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+ -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include
Index: usr.sbin/blacklistd/Makefile
===================================================================
--- /dev/null
+++ usr.sbin/blacklistd/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+BLACKLIST_DIR=${SRCTOP}/contrib/blacklist
+.PATH: ${BLACKLIST_DIR}/bin ${BLACKLIST_DIR}/port
+
+PROG= blacklistd
+SRCS= blacklistd.c conf.c run.c state.c support.c internal.c \
+ sockaddr_snprintf.c pidfile.c strtoi.c popenve.c
+MAN= blacklistd.8
+
+LDFLAGS+=-L${LIBBLACKLISTDIR}
+LIBADD+= blacklist util
+
+CFLAGS+=-I${BLACKLIST_DIR}/include -I${BLACKLIST_DIR}/port \
+ -D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\" \
+ -DHAVE_CONFIG_H -DHAVE_DB_H -DHAVE_LIBUTIL_H \
+ -DHAVE_CLOCK_GETTIME -DHAVE_FGETLN -DHAVE_FPARSELN \
+ -DHAVE_GETPROGNAME -DHAVE_STRLCAT -DHAVE_STRLCPY \
+ -DHAVE_STRUCT_SOCKADDR_SA_LEN
+# CFLAGS+= -D_REENTRANT
+
+.include
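Review bot: In usr.sbin/blacklistd/Makefile (and the near-identical blacklistctl one above it) the dead `# CFLAGS+= -D_REENTRANT` line contradicts lib/libblacklist/Makefile, which does define `-D_REENTRANT` for the same contrib sources; either enable it or delete the comment rather than leaving a half-decision in both files. `LDFLAGS+=-L${LIBBLACKLISTDIR}` also looks redundant with `LIBADD+= blacklist`, which is what the `LIBBLACKLISTDIR` entry this change adds to src.libnames.mk exists to serve — none of the neighbouring usr.sbin consumers set `-L` by hand, so confirm and drop it. Hard-coding `-D_PATH_BLCONTROL=\"/usr/libexec/blacklistd-helper\"` is the right choice for a root daemon that executes a helper (no PATH lookup), but it must stay in sync with where libexec/blacklistd-helper/Makefile installs the script, presumably ${LIBEXECDIR}; a comment `# absolute path on purpose: blacklistd runs this helper as root` would record the intent.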