head/contrib/blacklist/bin/blacklistd.conf.5
.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $ | .\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $ | ||||
.\" | .\" | ||||
.\" Copyright (c) 2015 The NetBSD Foundation, Inc. | .\" Copyright (c) 2015 The NetBSD Foundation, Inc. | ||||
.\" All rights reserved. | .\" All rights reserved. | ||||
.\" | .\" | ||||
.\" This code is derived from software contributed to The NetBSD Foundation | .\" This code is derived from software contributed to The NetBSD Foundation | ||||
.\" by Christos Zoulas. | .\" by Christos Zoulas. | ||||
.\" | .\" | ||||
.\" Redistribution and use in source and binary forms, with or without | .\" Redistribution and use in source and binary forms, with or without | ||||
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | ||||
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||||
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||||
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||||
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
.\" POSSIBILITY OF SUCH DAMAGE. | .\" POSSIBILITY OF SUCH DAMAGE. | ||||
.\" | .\" | ||||
.Dd June 7, 2016 | .Dd June 5, 2017 | ||||
.Dt BLACKLISTD.CONF 5 | .Dt BLACKLISTD.CONF 5 | ||||
.Os | .Os | ||||
.Sh NAME | .Sh NAME | ||||
.Nm blacklistd.conf | .Nm blacklistd.conf | ||||
.Nd configuration file format for blacklistd | .Nd configuration file format for blacklistd | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
The | The | ||||
.Nm | .Nm | ||||
files contains configuration lines for | files contains configuration entries for | ||||
bcr: "files contains" sounds not right. I guess "contain" is better. | |||||
emaste: Or even "file contains"
.Xr blacklistd 8 . | .Xr blacklistd 8 | ||||
It contains one entry per line, and is similar to | in a fashion similar to | ||||
.Xr inetd.conf 5 . | .Xr inetd.conf 5 . | ||||
There must be an entry for each field of the configuration file, with | Only one entry per line is permitted. | ||||
entries for each field separated by a tab or a space. | Every entry must have all fields populated. | ||||
Each field can be separated by a tab or a space. | |||||
Comments are denoted by a | Comments are denoted by a | ||||
.Dq # | .Dq # | ||||
at the beginning of a line. | at the beginning of a line. | ||||
.Pp | .Pp | ||||
There are two kinds of configuration lines, | There are two kinds of configuration lines, | ||||
.Va local | .Va local | ||||
and | and | ||||
.Va remote . | .Va remote . | ||||
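Review bot: The grammar point bcr raised is still present on the new side at `files contains configuration entries for`; now that the sentence runs on through `.Xr blacklistd 8` and `in a fashion similar to`, `file contains` is the natural fix. In the same region, `Each field can be separated by a tab or a space.` reads as if separating were optional; `Fields are separated by a tab or a space.` states the rule unambiguously and matches the `Every entry must have all fields populated.` sentence before it.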
| .Bd -literal -offset indent | ||||
[<address>|<interface>][/<mask>][:<port>] | [<address>|<interface>][/<mask>][:<port>] | ||||
.Ed | .Ed | ||||
.Pp | .Pp | ||||
The | The | ||||
.Dv address | .Dv address | ||||
can be an IPv4 address in numeric format, an IPv6 address | can be an IPv4 address in numeric format, an IPv6 address | ||||
in numeric format and enclosed by square brackets, or an interface name. | in numeric format and enclosed by square brackets, or an interface name. | ||||
Mask modifiers are not allowed on interfaces because interfaces | Mask modifiers are not allowed on interfaces because interfaces | ||||
have multiple address in different protocols where the mask has a different | can have multiple addresses in different protocols where the mask has a different | ||||
size. | size. | ||||
.Pp | .Pp | ||||
The | The | ||||
.Dv mask | .Dv mask | ||||
is always numeric, but the | is always numeric, but the | ||||
.Dv port | .Dv port | ||||
can be either numeric or symbolic. | can be either numeric or symbolic. | ||||
.Pp | .Pp | ||||
starts with a | starts with a | ||||
.Dq - , | .Dq - , | ||||
then the default rulename is prepended to the given name. | then the default rulename is prepended to the given name. | ||||
If the | If the | ||||
.Dv name | .Dv name | ||||
contains a | contains a | ||||
.Dq / , | .Dq / , | ||||
the remaining portion of the name is interpreted as the mask to be | the remaining portion of the name is interpreted as the mask to be | ||||
applied to the address specified in the rule, so one can block whole | applied to the address specified in the rule, causing a single rule violation to | ||||
subnets for a single rule violation. | block the entire subnet for the configured prefix. | ||||
.Pp | .Pp | ||||
The | The | ||||
.Va nfail | .Va nfail | ||||
field contains the number of failed attempts before access is blocked, | field contains the number of failed attempts before access is blocked, | ||||
defaulting to | defaulting to | ||||
.Dq * | .Dq * | ||||
meaning never, and the last field | meaning never, and the last field | ||||
.Va disable | .Va disable | ||||
specifies the amount of time since the last access that the blocking | specifies the amount of time since the last access that the blocking | ||||
rule should be active, defaulting to | rule should be active, defaulting to | ||||
.Dq * | .Dq * | ||||
meaning forever. | meaning forever. | ||||
The default unit for | The default unit for | ||||
.Va disable | .Va disable | ||||
is seconds, but one can specify suffixes for different units, such as | is seconds, but one can specify suffixes for different units, such as | ||||
.Dq m | .Dq m | ||||
for minutes | for minutes | ||||
.Dq h | .Dq h | ||||
for hours and | for hours and | ||||
.Dq d | .Dq d | ||||
for days. | for days. | ||||
.Pp | .Pp | ||||
Matching is done first by checking the | Matching is done first by checking the | ||||
.Va local | .Va local | ||||
rules one by one, from the most specific to the least specific. | rules individually, in the order of the most specific to the least specific. | ||||
If a match is found, then the | If a match is found, then the | ||||
.Va remote | .Va remote | ||||
rules are applied, and if a match is found the | rules are applied. | ||||
The | |||||
.Va name , | .Va name , | ||||
.Va nfail , | .Va nfail , | ||||
and | and | ||||
.Va disable | .Va disable | ||||
fields can be altered by the | fields can be altered by the | ||||
.Va remote | .Va remote | ||||
rule that matched. | rule that matched. | ||||
.Pp | .Pp | ||||
The | The | ||||
.Va remote | .Va remote | ||||
rules can be used for whitelisting specific addresses, changing the mask | rules can be used for whitelisting specific addresses, changing the mask | ||||
size, or the rule that the packet filter uses, the number of failed attempts, | size, the rule that the packet filter uses, the number of failed attempts, | ||||
or the blocked duration. | or the block duration. | ||||
.Sh FILES | .Sh FILES | ||||
.Bl -tag -width /etc/blacklistd.conf -compact | .Bl -tag -width /etc/blacklistd.conf -compact | ||||
.It Pa /etc/blacklistd.conf | .It Pa /etc/blacklistd.conf | ||||
Configuration file. | Configuration file. | ||||
.El | .El | ||||
.Sh EXAMPLES | .Sh EXAMPLES | ||||
.Bd -literal -offset | .Bd -literal -offset 8n | ||||
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface | # Block ssh, after 3 attempts for 6 hours on the bnx0 interface | ||||
[local] | [local] | ||||
# location type proto owner name nfail duration | # location type proto owner name nfail duration | ||||
bnx0:ssh * * * * 3 6h | bnx0:ssh * * * * 3 6h | ||||
[remote] | [remote] | ||||
# Never block 1.2.3.4 | # Never block 1.2.3.4 | ||||
1.2.3.4:ssh * * * * * * | 1.2.3.4:ssh * * * * * * | ||||
# For addresses coming from 8.8.0.0/16 block class C networks instead | # For addresses coming from 8.8.0.0/16 block class C networks instead | ||||
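Review bot: The field name used in the EXAMPLES header does not match the DESCRIPTION: the text introduces the last field as `.Va disable`, while the example comment line reads `# location type proto owner name nfail duration`; since this revision already touches the EXAMPLES block (`.Bd -literal -offset 8n`, which correctly supplies the offset argument the old `.Bd -literal -offset` was missing), renaming the header column to `disable` or the `.Va` field to `duration` would keep the two sections consistent. A smaller wording point: `rules individually, in the order of the most specific to the least specific.` is heavier than needed; `rules one at a time, from most specific to least specific.` says the same thing.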