head	1.11;
access;
symbols
	netbsd-8-3-RELEASE:1.5.8.1
	netbsd-9-4-RELEASE:1.7
	netbsd-9-3-RELEASE:1.7
	cjep_sun2x:1.11.0.4
	cjep_sun2x-base:1.11
	cjep_staticlib_x-base1:1.11
	netbsd-9-2-RELEASE:1.7
	cjep_staticlib_x:1.11.0.2
	cjep_staticlib_x-base:1.11
	netbsd-9-1-RELEASE:1.7
	phil-wifi-20200421:1.9
	phil-wifi-20200411:1.9
	is-mlppp:1.9.0.2
	is-mlppp-base:1.9
	phil-wifi-20200406:1.9
	netbsd-8-2-RELEASE:1.5.8.1
	netbsd-9-0-RELEASE:1.7
	netbsd-9-0-RC2:1.7
	netbsd-9-0-RC1:1.7
	phil-wifi-20191119:1.9
	netbsd-9:1.7.0.8
	netbsd-9-base:1.7
	phil-wifi-20190609:1.7
	netbsd-8-1-RELEASE:1.5.8.1
	netbsd-8-1-RC1:1.5.8.1
	pgoyette-compat-merge-20190127:1.7
	pgoyette-compat-20190127:1.7
	pgoyette-compat-20190118:1.7
	pgoyette-compat-1226:1.7
	pgoyette-compat-1126:1.7
	pgoyette-compat-1020:1.7
	pgoyette-compat-0930:1.7
	pgoyette-compat-0906:1.7
	netbsd-7-2-RELEASE:1.2.2.3
	pgoyette-compat-0728:1.7
	netbsd-8-0-RELEASE:1.5.8.1
	phil-wifi:1.7.0.6
	phil-wifi-base:1.7
	pgoyette-compat-0625:1.7
	netbsd-8-0-RC2:1.5.8.1
	pgoyette-compat-0521:1.7
	pgoyette-compat-0502:1.7
	pgoyette-compat-0422:1.7
	netbsd-8-0-RC1:1.5.8.1
	pgoyette-compat-0415:1.7
	pgoyette-compat-0407:1.7
	pgoyette-compat-0330:1.7
	pgoyette-compat-0322:1.7
	pgoyette-compat-0315:1.7
	netbsd-7-1-2-RELEASE:1.2.2.3
	pgoyette-compat:1.7.0.4
	pgoyette-compat-base:1.7
	netbsd-7-1-1-RELEASE:1.2.2.3
	matt-nb8-mediatek:1.5.8.1.0.2
	matt-nb8-mediatek-base:1.5.8.1
	perseant-stdc-iso10646:1.7.0.2
	perseant-stdc-iso10646-base:1.7
	netbsd-8:1.5.0.8
	netbsd-8-base:1.5
	prg-localcount2-base3:1.5
	prg-localcount2-base2:1.5
	prg-localcount2-base1:1.5
	prg-localcount2:1.5.0.6
	prg-localcount2-base:1.5
	pgoyette-localcount-20170426:1.5
	bouyer-socketcan-base1:1.5
	pgoyette-localcount-20170320:1.5
	netbsd-7-1:1.2.2.3.0.6
	netbsd-7-1-RELEASE:1.2.2.3
	netbsd-7-1-RC2:1.2.2.3
	netbsd-7-nhusb-base-20170116:1.2.2.3
	bouyer-socketcan:1.5.0.4
	bouyer-socketcan-base:1.5
	pgoyette-localcount-20170107:1.5
	netbsd-7-1-RC1:1.2.2.3
	pgoyette-localcount-20161104:1.5
	netbsd-7-0-2-RELEASE:1.2.2.3
	localcount-20160914:1.5
	netbsd-7-nhusb:1.2.2.3.0.4
	netbsd-7-nhusb-base:1.2.2.3
	pgoyette-localcount-20160806:1.5
	pgoyette-localcount-20160726:1.5
	pgoyette-localcount:1.5.0.2
	pgoyette-localcount-base:1.5
	netbsd-7-0-1-RELEASE:1.2.2.3
	netbsd-7-0:1.2.2.3.0.2
	netbsd-7-0-RELEASE:1.2.2.3
	netbsd-7-0-RC3:1.2.2.3
	netbsd-7-0-RC2:1.2.2.3
	netbsd-7-0-RC1:1.2.2.3
	netbsd-7:1.2.0.2;
locks; strict;
comment	@.\" @;


1.11
date	2020.06.15.01.57.32;	author christos;	state dead;
branches;
next	1.10;
commitid	1zJ7owqywyzYigcC;

1.10
date	2020.05.19.00.56.25;	author christos;	state Exp;
branches;
next	1.9;
commitid	i8ZVsAwmBULWPM8C;

1.9
date	2019.11.06.20.33.30;	author para;	state Exp;
branches;
next	1.8;
commitid	gYck1tfhP7ifCPJB;

1.8
date	2019.11.06.20.29.41;	author para;	state Exp;
branches;
next	1.7;
commitid	R7faCAdb5C9RAPJB;

1.7
date	2017.06.07.13.50.57;	author wiz;	state Exp;
branches
	1.7.6.1;
next	1.6;
commitid	j2FH1BqVP0I4KrUz;

1.6
date	2017.06.05.21.34.58;	author sevan;	state Exp;
branches;
next	1.5;
commitid	A75Zq4qiLjO2neUz;

1.5
date	2016.06.08.12.48.37;	author wiz;	state Exp;
branches
	1.5.8.1;
next	1.4;
commitid	TUCfD9y88hi26F9z;

1.4
date	2016.06.07.17.31.02;	author christos;	state Exp;
branches;
next	1.3;
commitid	6XLfUxs1a3kQGy9z;

1.3
date	2015.04.30.06.20.43;	author riz;	state Exp;
branches;
next	1.2;
commitid	xEXM8DRddhf0Yzjy;

1.2
date	2015.01.28.07.32.28;	author wiz;	state Exp;
branches
	1.2.2.1;
next	1.1;
commitid	FuCwxQGizrO5kL7y;

1.1
date	2015.01.27.19.40.36;	author christos;	state Exp;
branches;
next	;
commitid	UxRnuNPOLHIbnH7y;

1.7.6.1
date	2020.04.13.07.45.49;	author martin;	state Exp;
branches;
next	;
commitid	X01YhRUPVUDaec4C;

1.5.8.1
date	2017.06.06.09.30.24;	author martin;	state Exp;
branches;
next	;
commitid	xPpupEELovRFkiUz;

1.2.2.1
date	2015.01.28.07.32.28;	author riz;	state dead;
branches;
next	1.2.2.2;
commitid	HvseHc4xVzxnTzjy;

1.2.2.2
date	2015.04.30.06.07.33;	author riz;	state Exp;
branches;
next	1.2.2.3;
commitid	HvseHc4xVzxnTzjy;

1.2.2.3
date	2015.04.30.19.37.38;	author snj;
state Exp;
branches;
next	;
commitid	MP1lTORBe0ysnEjy;


desc
@@


1.11
log
@Rename blacklist -> blocklist
@
text
@.\" $NetBSD: blacklistd.conf.5,v 1.10 2020/05/19 00:56:25 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Christos Zoulas.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd May 18, 2020
.Dt BLACKLISTD.CONF 5
.Os
.Sh NAME
.Nm blacklistd.conf
.Nd configuration file format for blacklistd
.Sh DESCRIPTION
The
.Nm
file contains configuration entries for
.Xr blacklistd 8
in a fashion similar to
.Xr inetd.conf 5 .
Only one entry per line is permitted.
Every entry must have all fields populated.
Each field can be separated by a tab or a space.
Comments are denoted by a
.Dq #
at the beginning of a line.
.Pp
There are two kinds of configuration lines,
.Va local
and
.Va remote .
By default, configuration lines are
.Va local ,
i.e. the address specified refers to the addresses on the local machine.
To switch between
.Va local
and
.Va remote
configuration lines you can specify the stanzas:
.Dq [local]
and
.Dq [remote] .
.Pp
On
.Va local
and
.Va remote
lines
.Dq *
means use the default, or wildcard match.
In addition, for
.Va remote
lines
.Dq =
means use the values from the matched
.Va local
configuration line.
.Pp
The first four fields,
.Va location ,
.Va type ,
.Va proto ,
and
.Va owner
are used to match the
.Va local
or
.Va remote
addresses, whereas the last 3 fields
.Va name ,
.Va nfail ,
and
.Va disable
are used to modify the filtering action.
.Pp
The first field denotes the
.Va location
as an address, mask, and port.
The syntax for the
.Va location
is:
.Bd -literal -offset indent
[<address>|<interface>][/<mask>][:<port>]
.Ed
.Pp
The
.Dv address
can be an IPv4 address in numeric format, an IPv6 address in numeric
format and enclosed by square brackets, or an interface name.
Mask modifiers are not allowed on interfaces because interfaces
can have multiple addresses in different protocols where the mask has a different
size.
.Pp
The
.Dv mask
is always numeric, but the
.Dv port
can be either numeric or symbolic.
.Pp
The second field is the socket
.Va type :
.Dv stream ,
.Dv dgram ,
or numeric.
The third field is the
.Va protocol :
.Dv tcp ,
.Dv udp ,
.Dv tcp6 ,
.Dv udp6 ,
or numeric.
The fourth field is the effective user
.Va ( owner )
of the daemon process reporting the event, either as a username or
a userid.
.Pp
The rest of the fields control the behavior of the filter.
.Pp
The
.Va name
field is the name of the packet filter rule to be used.
If the
.Va name
starts with a
.Dq - ,
then the default rulename is prepended to the given name.
If the
.Dv name
contains a
.Dq / ,
the remaining portion of the name is interpreted as the mask to be
applied to the address specified in the rule, causing a single rule violation
to block the entire subnet for the configured prefix.
.Pp
The
.Va nfail
field contains the number of failed attempts before access is blocked,
defaulting to
.Dq *
meaning never, and the last field
.Va disable
specifies the amount of time since the last access that the blocking rule
should be active, defaulting to
.Dq *
meaning forever.
The default unit for
.Va disable
is seconds, but one can specify suffixes for different units, such as
.Dq m
for minutes
.Dq h
for hours and
.Dq d
for days.
.Pp
Matching is done first by checking the
.Va local
rules individually, in the order of the most specific to the least specific.
If a match is found, then the
.Va remote
rules are applied.
The
.Va name ,
.Va nfail ,
and
.Va disable
fields can be altered by the
.Va remote
rule that matched.
.Pp
The
.Va remote
rules can be used for whitelisting specific addresses, changing the mask
size, the rule that the packet filter uses, the number of failed attempts,
or the block duration.
.Sh FILES
.Bl -tag -width /etc/blacklistd.conf -compact
.It Pa /etc/blacklistd.conf
Configuration file.
.El
.Sh EXAMPLES
.Bd -literal -offset 8n
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
[local]
# location type proto owner name nfail duration
bnx0:ssh * * * * 3 6h
[remote]
# Never block 1.2.3.4
1.2.3.4:ssh * * * * * *
# For addresses coming from 8.8.0.0/16 block class C networks instead
# individual hosts, but keep the rest of the blocking parameters the same.
8.8.0.0/16:ssh * * * /24 = =
.Ed
.Sh SEE ALSO
.Xr blacklistctl 8 ,
.Xr blacklistd 8
.Sh HISTORY
.Nm
first appeared in
.Nx 7 .
.Fx
support for
.Nm
was implemented in
.Fx 11 .
.Sh AUTHORS
.An Christos Zoulas
@


1.10
log
@Typo fixes from FreeBSD via Ed Maste
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $
@


1.9
log
@fix stupid typo...
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.8 2019/11/06 20:29:41 para Exp $
d30 1
a30 1
.Dd June 5, 2017
d128 1
a128 1
.Va prococol :
d134 1
a134 1
The fourth file is the effective user
d139 1
a139 1
The rest of the fields are controlling the behavior of the filter.
@


1.8
log
@blacklistd.conf.5: pluralization fix (as currently committed in FreeBSD)
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
d39 1
a39 1
files contain configuration entries for
@


1.7
log
@Add missing argument to macro.
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.6 2017/06/05 21:34:58 sevan Exp $
d39 1
a39 1
files contains configuration entries for
@


1.7.6.1
log
@Mostly merge changes from HEAD upto 20200411
@
text
@d1 1
a1 1
.\" $NetBSD$
d39 1
a39 1
file contains configuration entries for
@


1.6
log
@Improve wording. Bump date.

ok christos
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
d204 1
a204 1
.Bd -literal -offset
@


1.5
log
@.Fx should only have version numbers as argument.
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.4 2016/06/07 17:31:02 christos Exp $
d30 1
a30 1
.Dd June 7, 2016
d39 3
a41 3
files contains configuration lines for
.Xr blacklistd 8 .
It contains one entry per line, and is similar to
d43 3
a45 2
There must be an entry for each field of the configuration file,
with entries for each field separated by a tab or a space.
d113 1
a113 1
have multiple address in different protocols where the mask has a different
d154 2
a155 2
applied to the address specified in the rule, so one can block whole subnets
for a single rule violation.
d180 1
a180 1
rules one by one, from the most specific to the least specific.
d183 2
a184 1
rules are applied, and if a match is found the
d196 2
a197 2
size, or the rule that the packet filter uses, the number of failed attempts,
or the blocked duration.
@


1.5.8.1
log
@Pull up following revision(s) (requested by sevan in ticket #12):

	external/bsd/blacklist/bin/blacklistd.conf.5: revision 1.6

Improve wording. Bump date.
ok christos
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
d30 1
a30 1
.Dd June 5, 2017
d39 3
a41 3
files contains configuration entries for
.Xr blacklistd 8
in a fashion similar to
d43 2
a44 3
Only one entry per line is permitted.
Every entry must have all fields populated.
Each field can be separated by a tab or a space.
d112 1
a112 1
can have multiple addresses in different protocols where the mask has a different
d153 2
a154 2
applied to the address specified in the rule, causing a single rule violation
to block the entire subnet for the configured prefix.
d179 1
a179 1
rules individually, in the order of the most specific to the least specific.
d182 1
a182 2
rules are applied.
The
d194 2
a195 2
size, the rule that the packet filter uses, the number of failed attempts,
or the block duration.
@


1.4
log
@Add FreeBSD release notes (Kurt Lidl)
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.3 2015/04/30 06:20:43 riz Exp $
d221 2
a222 1
.Fx support for
@


1.3
log
@blacklistd and friends will actually be in NetBSD 7.
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.2 2015/01/28 07:32:28 wiz Exp $
d30 1
a30 1
.Dd April 29, 2015
d219 1
a219 1
appeared in
d221 4
@


1.2
log
@Sort SEE ALSO. Nit fixes.
@
text
@d1 1
a1 1
.\" $NetBSD: blacklistd.conf.5,v 1.1 2015/01/27 19:40:36 christos Exp $
d30 1
a30 1
.Dd January 25, 2015
d220 1
a220 1
.Nx 8 .
@


1.2.2.1
log
@file blacklistd.conf.5 was added on branch netbsd-7 on 2015-04-30 06:07:33 +0000
@
text
@d1 222
@


1.2.2.2
log
@Pull up blacklistd(8), requested by christos in ticket #711:

	crypto/external/bsd/openssh/dist/moduli-gen/Makefile up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli-gen.sh up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.1024 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.1536 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.2048 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.3072 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.4096 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.6144 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.7680 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/moduli-gen/moduli.8192 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/bcrypt_pbkdf.c up to 1.2
	crypto/external/bsd/openssh/dist/kexc25519.c up to 1.3
	crypto/external/bsd/openssh/dist/smult_curve25519_ref.c up to 1.3
	crypto/external/bsd/openssh/dist/bitmap.c up to 1.2 plus patch
	crypto/external/bsd/openssh/dist/PROTOCOL.chacha20poly1305 up to 1.1.1.1
	crypto/external/bsd/openssh/dist/PROTOCOL.key up to 1.1.1.1
	crypto/external/bsd/openssh/dist/blf.h up to 1.1
	crypto/external/bsd/openssh/dist/blocks.c up to 1.3
	crypto/external/bsd/openssh/dist/blowfish.c up to 1.2
	crypto/external/bsd/openssh/dist/chacha.c up to 1.3
	crypto/external/bsd/openssh/dist/chacha.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/cipher-aesctr.c up to 1.1.1.2
	crypto/external/bsd/openssh/dist/cipher-aesctr.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/cipher-chachapoly.c up to 1.3
	crypto/external/bsd/openssh/dist/cipher-chachapoly.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/crypto_api.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/digest-libc.c up to 1.3
	crypto/external/bsd/openssh/dist/digest-openssl.c up to 1.3
	crypto/external/bsd/openssh/dist/digest.h up to 1.1.1.2
	crypto/external/bsd/openssh/dist/ed25519.c up to 1.3
	crypto/external/bsd/openssh/dist/fe25519.c up to 1.3
	crypto/external/bsd/openssh/dist/fe25519.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/ge25519.c up to 1.3
	crypto/external/bsd/openssh/dist/ge25519.h up to 1.1.1.2
	crypto/external/bsd/openssh/dist/ge25519_base.data up to 1.1.1.1
	crypto/external/bsd/openssh/dist/hash.c up to 1.3
	crypto/external/bsd/openssh/dist/hmac.c up to 1.3
	crypto/external/bsd/openssh/dist/hmac.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/kexc25519c.c up to 1.3
	crypto/external/bsd/openssh/dist/kexc25519s.c up to 1.3
	crypto/external/bsd/openssh/dist/poly1305.c up to 1.3
	crypto/external/bsd/openssh/dist/poly1305.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/rijndael.c up to 1.1.1.2
	crypto/external/bsd/openssh/dist/rijndael.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/sc25519.c up to 1.3
	crypto/external/bsd/openssh/dist/sc25519.h up to 1.1.1.1
	crypto/external/bsd/openssh/dist/ssh-ed25519.c up to 1.3
	crypto/external/bsd/openssh/dist/sshbuf-getput-basic.c up to 1.3
	crypto/external/bsd/openssh/dist/sshbuf-getput-crypto.c up to 1.3
	crypto/external/bsd/openssh/dist/sshbuf-misc.c up to 1.3
	crypto/external/bsd/openssh/dist/sshbuf.c up to 1.3
	crypto/external/bsd/openssh/dist/sshbuf.h up to 1.4
	crypto/external/bsd/openssh/dist/ssherr.c up to 1.3
	crypto/external/bsd/openssh/dist/ssherr.h up to 1.1.1.2
	crypto/external/bsd/openssh/dist/sshkey.c up to 1.3
	crypto/external/bsd/openssh/dist/sshkey.h up to 1.1.1.2
	crypto/external/bsd/openssh/dist/verify.c up to 1.3
	crypto/external/bsd/openssh/dist/opacket.c up to 1.2
	crypto/external/bsd/openssh/dist/umac128.c up to 1.1
	crypto/external/bsd/openssh/dist/pfilter.c up to 1.2
	crypto/external/bsd/openssh/dist/pfilter.h up to 1.1
	crypto/external/bsd/openssh/dist/bitmap.h up to 1.2
	crypto/external/bsd/openssh/dist/opacket.h up to 1.2
	crypto/external/bsd/openssh/dist/ssh_api.c up to 1.2
	crypto/external/bsd/openssh/dist/ssh_api.h up to 1.2
	crypto/external/bsd/openssh/dist/auth2-jpake.c delete
	crypto/external/bsd/openssh/dist/compress.c delete
	crypto/external/bsd/openssh/dist/compress.h delete
	crypto/external/bsd/openssh/dist/jpake.c delete
	crypto/external/bsd/openssh/dist/jpake.h delete
	crypto/external/bsd/openssh/dist/schnorr.c delete
	crypto/external/bsd/openssh/dist/schnorr.h delete
	crypto/external/bsd/openssh/dist/strtonum.c 1.1
	crypto/external/bsd/openssh/Makefile.inc up to 1.8
	crypto/external/bsd/openssh/bin/Makefile.inc up to 1.3
	crypto/external/bsd/openssh/bin/ssh-keyscan/Makefile up to 1.2
	crypto/external/bsd/openssh/bin/sshd/Makefile up to 1.12
	crypto/external/bsd/openssh/dist/PROTOCOL up to 1.5
	crypto/external/bsd/openssh/dist/PROTOCOL.krl up to 1.1.1.2
	crypto/external/bsd/openssh/dist/addrmatch.c up to 1.8
	crypto/external/bsd/openssh/dist/atomicio.c up to 1.6
	crypto/external/bsd/openssh/dist/auth-bsdauth.c up to 1.4
	crypto/external/bsd/openssh/dist/auth-chall.c up to 1.6
	crypto/external/bsd/openssh/dist/auth-krb5.c up to 1.7
	crypto/external/bsd/openssh/dist/auth-options.c up to 1.9
	crypto/external/bsd/openssh/dist/auth-options.h up to 1.6
	crypto/external/bsd/openssh/dist/auth-passwd.c up to 1.4
	crypto/external/bsd/openssh/dist/auth-rh-rsa.c up to 1.6
	crypto/external/bsd/openssh/dist/auth-rhosts.c up to 1.5
	crypto/external/bsd/openssh/dist/auth-rsa.c up to 1.10
	crypto/external/bsd/openssh/dist/auth.c up to 1.12
	crypto/external/bsd/openssh/dist/auth.h up to 1.10
	crypto/external/bsd/openssh/dist/auth1.c up to 1.11
	crypto/external/bsd/openssh/dist/auth2-chall.c up to 1.7
	crypto/external/bsd/openssh/dist/auth2-gss.c up to 1.8
	crypto/external/bsd/openssh/dist/auth2-hostbased.c up to 1.7
	crypto/external/bsd/openssh/dist/auth2-kbdint.c up to 1.5
	crypto/external/bsd/openssh/dist/auth2-krb5.c up to 1.4
	crypto/external/bsd/openssh/dist/auth2-none.c up to 1.5
	crypto/external/bsd/openssh/dist/auth2-passwd.c up to 1.5
	crypto/external/bsd/openssh/dist/auth2-pubkey.c up to 1.11
	crypto/external/bsd/openssh/dist/auth2.c up to 1.11
	crypto/external/bsd/openssh/dist/authfd.c up to 1.8
	crypto/external/bsd/openssh/dist/authfd.h up to 1.5
	crypto/external/bsd/openssh/dist/authfile.c up to 1.10
	crypto/external/bsd/openssh/dist/authfile.h up to 1.6
	crypto/external/bsd/openssh/dist/bufaux.c up to 1.7
	crypto/external/bsd/openssh/dist/bufbn.c up to 1.5
	crypto/external/bsd/openssh/dist/bufec.c up to 1.5
	crypto/external/bsd/openssh/dist/buffer.c up to 1.6
	crypto/external/bsd/openssh/dist/buffer.h up to 1.7
	crypto/external/bsd/openssh/dist/canohost.c up to 1.8
	crypto/external/bsd/openssh/dist/channels.c up to 1.13
	crypto/external/bsd/openssh/dist/channels.h up to 1.10
	crypto/external/bsd/openssh/dist/cipher-3des1.c up to 1.7
	crypto/external/bsd/openssh/dist/cipher-bf1.c up to 1.6
	crypto/external/bsd/openssh/dist/cipher.c up to 1.7
	crypto/external/bsd/openssh/dist/cipher.h up to 1.7
	crypto/external/bsd/openssh/dist/clientloop.c up to 1.13
	crypto/external/bsd/openssh/dist/compat.c up to 1.9
	crypto/external/bsd/openssh/dist/compat.h up to 1.6
	crypto/external/bsd/openssh/dist/deattack.c up to 1.4
	crypto/external/bsd/openssh/dist/deattack.h up to 1.4
	crypto/external/bsd/openssh/dist/dh.c up to 1.8
	crypto/external/bsd/openssh/dist/dh.h up to 1.4
	crypto/external/bsd/openssh/dist/dispatch.c up to 1.5
	crypto/external/bsd/openssh/dist/dispatch.h up to 1.4
	crypto/external/bsd/openssh/dist/dns.c up to 1.11
	crypto/external/bsd/openssh/dist/dns.h up to 1.6
	crypto/external/bsd/openssh/dist/groupaccess.c up to 1.5
	crypto/external/bsd/openssh/dist/gss-genr.c up to 1.7
	crypto/external/bsd/openssh/dist/gss-serv-krb5.c up to 1.8
	crypto/external/bsd/openssh/dist/gss-serv.c up to 1.7
	crypto/external/bsd/openssh/dist/hostfile.c up to 1.7
	crypto/external/bsd/openssh/dist/hostfile.h up to 1.7
	crypto/external/bsd/openssh/dist/includes.h up to 1.4
	crypto/external/bsd/openssh/dist/kex.c up to 1.10
	crypto/external/bsd/openssh/dist/kex.h up to 1.9
	crypto/external/bsd/openssh/dist/kexdh.c up to 1.4
	crypto/external/bsd/openssh/dist/kexdhc.c up to 1.6
	crypto/external/bsd/openssh/dist/kexdhs.c up to 1.8
	crypto/external/bsd/openssh/dist/kexecdh.c up to 1.5
	crypto/external/bsd/openssh/dist/kexecdhc.c up to 1.5
	crypto/external/bsd/openssh/dist/kexecdhs.c up to 1.5
	crypto/external/bsd/openssh/dist/kexgex.c up to 1.4
	crypto/external/bsd/openssh/dist/kexgexc.c up to 1.6
	crypto/external/bsd/openssh/dist/kexgexs.c up to 1.8
	crypto/external/bsd/openssh/dist/key.c up to 1.16
	crypto/external/bsd/openssh/dist/key.h up to 1.9
	crypto/external/bsd/openssh/dist/krl.c up to 1.5
	crypto/external/bsd/openssh/dist/krl.h up to 1.1.1.2
	crypto/external/bsd/openssh/dist/mac.c up to 1.11
	crypto/external/bsd/openssh/dist/mac.h up to 1.5
	crypto/external/bsd/openssh/dist/match.c up to 1.5
	crypto/external/bsd/openssh/dist/misc.c up to 1.10
	crypto/external/bsd/openssh/dist/misc.h up to 1.9 plus patch
	crypto/external/bsd/openssh/dist/moduli.c up to 1.8
	crypto/external/bsd/openssh/dist/monitor.c up to 1.14
	crypto/external/bsd/openssh/dist/monitor.h up to 1.7
	crypto/external/bsd/openssh/dist/monitor_fdpass.c up to 1.5
	crypto/external/bsd/openssh/dist/monitor_mm.c up to 1.6
	crypto/external/bsd/openssh/dist/monitor_mm.h up to 1.4
	crypto/external/bsd/openssh/dist/monitor_wrap.c up to 1.11
	crypto/external/bsd/openssh/dist/monitor_wrap.h up to 1.8
	crypto/external/bsd/openssh/dist/msg.c up to 1.4
	crypto/external/bsd/openssh/dist/msg.h up to 1.4
	crypto/external/bsd/openssh/dist/mux.c up to 1.11
	crypto/external/bsd/openssh/dist/myproposal.h up to 1.10
	crypto/external/bsd/openssh/dist/namespace.h up to 1.5
	crypto/external/bsd/openssh/dist/packet.c up to 1.18
	crypto/external/bsd/openssh/dist/packet.h up to 1.11
	crypto/external/bsd/openssh/dist/pathnames.h up to 1.9
	crypto/external/bsd/openssh/dist/pkcs11.h up to 1.4
	crypto/external/bsd/openssh/dist/progressmeter.c up to 1.7
	crypto/external/bsd/openssh/dist/progressmeter.h up to 1.4
	crypto/external/bsd/openssh/dist/reallocarray.c new
	crypto/external/bsd/openssh/dist/readconf.c up to 1.13
	crypto/external/bsd/openssh/dist/readconf.h up to 1.12
	crypto/external/bsd/openssh/dist/readpass.c up to 1.6
	crypto/external/bsd/openssh/dist/roaming_client.c up to 1.7
	crypto/external/bsd/openssh/dist/roaming_common.c up to 1.9
	crypto/external/bsd/openssh/dist/roaming_dummy.c up to 1.4
	crypto/external/bsd/openssh/dist/rsa.c up to 1.5
	crypto/external/bsd/openssh/dist/rsa.h up to 1.4
	crypto/external/bsd/openssh/dist/sandbox-systrace.c up to 1.1.1.5
	crypto/external/bsd/openssh/dist/scp.1 up to 1.9
	crypto/external/bsd/openssh/dist/scp.c up to 1.11
	crypto/external/bsd/openssh/dist/servconf.c up to 1.17
	crypto/external/bsd/openssh/dist/servconf.h up to 1.11
	crypto/external/bsd/openssh/dist/serverloop.c up to 1.12
	crypto/external/bsd/openssh/dist/session.c up to 1.14
	crypto/external/bsd/openssh/dist/session.h up to 1.4
	crypto/external/bsd/openssh/dist/sftp-client.c up to 1.13
	crypto/external/bsd/openssh/dist/sftp-client.h up to 1.7
	crypto/external/bsd/openssh/dist/sftp-common.c up to 1.7
	crypto/external/bsd/openssh/dist/sftp-common.h up to 1.5
	crypto/external/bsd/openssh/dist/sftp-glob.c up to 1.8
	crypto/external/bsd/openssh/dist/sftp-server.8 up to 1.9
	crypto/external/bsd/openssh/dist/sftp-server.c up to 1.11
	crypto/external/bsd/openssh/dist/sftp.1 up to 1.11
	crypto/external/bsd/openssh/dist/sftp.c up to 1.15
	crypto/external/bsd/openssh/dist/ssh-add.1 up to 1.9
	crypto/external/bsd/openssh/dist/ssh-add.c up to 1.10
	crypto/external/bsd/openssh/dist/ssh-agent.1 up to 1.8
	crypto/external/bsd/openssh/dist/ssh-agent.c up to 1.14
	crypto/external/bsd/openssh/dist/ssh-dss.c up to 1.7
	crypto/external/bsd/openssh/dist/ssh-ecdsa.c up to 1.6
	crypto/external/bsd/openssh/dist/ssh-gss.h up to 1.5
	crypto/external/bsd/openssh/dist/ssh-keygen.1 up to 1.13
	crypto/external/bsd/openssh/dist/ssh-keygen.c up to 1.16
	crypto/external/bsd/openssh/dist/ssh-keyscan.1 up to 1.10
	crypto/external/bsd/openssh/dist/ssh-keyscan.c up to 1.13
	crypto/external/bsd/openssh/dist/ssh-keysign.8 up to 1.9
	crypto/external/bsd/openssh/dist/ssh-keysign.c up to 1.8
	crypto/external/bsd/openssh/dist/ssh-pkcs11-client.c up to 1.6
	crypto/external/bsd/openssh/dist/ssh-pkcs11-helper.c up to 1.8
	crypto/external/bsd/openssh/dist/ssh-pkcs11.c up to 1.7
	crypto/external/bsd/openssh/dist/ssh-pkcs11.h up to 1.4
	crypto/external/bsd/openssh/dist/ssh-rsa.c up to 1.7
	crypto/external/bsd/openssh/dist/ssh.1 up to 1.14
	crypto/external/bsd/openssh/dist/ssh.c up to 1.16
	crypto/external/bsd/openssh/dist/ssh2.h up to 1.6
	crypto/external/bsd/openssh/dist/ssh_config up to 1.8
	crypto/external/bsd/openssh/dist/ssh_config.5 up to 1.13
	crypto/external/bsd/openssh/dist/sshconnect.c up to 1.11
	crypto/external/bsd/openssh/dist/sshconnect.h up to 1.6
	crypto/external/bsd/openssh/dist/sshconnect1.c up to 1.6
	crypto/external/bsd/openssh/dist/sshconnect2.c up to 1.19
	crypto/external/bsd/openssh/dist/sshd.8 up to 1.13
	crypto/external/bsd/openssh/dist/sshd.c up to 1.18
	crypto/external/bsd/openssh/dist/sshd_config up to 1.13
	crypto/external/bsd/openssh/dist/sshd_config.5 up to 1.17
	crypto/external/bsd/openssh/dist/sshlogin.c up to 1.6
	crypto/external/bsd/openssh/dist/sshpty.c up to 1.4
	crypto/external/bsd/openssh/dist/uidswap.c up to 1.4
	crypto/external/bsd/openssh/dist/umac.c up to 1.9
	crypto/external/bsd/openssh/dist/version.h up to 1.14
	crypto/external/bsd/openssh/dist/xmalloc.c up to 1.5
	crypto/external/bsd/openssh/lib/Makefile up to 1.17 plus patch
	crypto/external/bsd/openssh/lib/shlib_version up to 1.13
	distrib/sets/lists/base/ad.aarch64 patch
	distrib/sets/lists/base/ad.arm patch
	distrib/sets/lists/base/ad.mips patch
	distrib/sets/lists/base/ad.powerpc patch
	distrib/sets/lists/base/md.amd64 patch
	distrib/sets/lists/base/md.sparc64 patch
	distrib/sets/lists/base/mi patch
	distrib/sets/lists/base/shl.mi patch
	distrib/sets/lists/comp/ad.aarch64 patch
	distrib/sets/lists/comp/ad.arm patch
	distrib/sets/lists/comp/ad.mips patch
	distrib/sets/lists/comp/ad.powerpc patch
	distrib/sets/lists/comp/md.amd64 patch
	distrib/sets/lists/comp/md.sparc64 patch
	distrib/sets/lists/comp/mi patch
	distrib/sets/lists/comp/shl.mi patch
	distrib/sets/lists/debug/ad.aarch64 patch
	distrib/sets/lists/debug/ad.arm patch
	distrib/sets/lists/debug/ad.mips patch
	distrib/sets/lists/debug/ad.powerpc patch
	distrib/sets/lists/debug/md.amd64 patch
	distrib/sets/lists/debug/md.sparc64 patch
	distrib/sets/lists/debug/shl.mi patch
	distrib/sets/lists/etc/mi patch
	distrib/sets/lists/man/mi patch
	etc/defaults/rc.conf 1.130
	etc/mtree/NetBSD.dist.base 1.142
	external/bsd/Makefile up to 1.48
	external/bsd/blacklist/bin/Makefile up to 1.11 plus patch
	external/bsd/blacklist/bin/blacklistctl.8 up to 1.6
	external/bsd/blacklist/bin/blacklistctl.c up to 1.17
	external/bsd/blacklist/bin/blacklistd.8 up to 1.10
	external/bsd/blacklist/bin/blacklistd.c up to 1.32
	external/bsd/blacklist/bin/blacklistd.conf.5 up to 1.2
	external/bsd/blacklist/bin/conf.c up to 1.18
	external/bsd/blacklist/bin/conf.h up to 1.6
	external/bsd/blacklist/bin/internal.c up to 1.5
	external/bsd/blacklist/bin/internal.h up to 1.12
	external/bsd/blacklist/bin/run.c up to 1.12
	external/bsd/blacklist/bin/run.h up to 1.5
	external/bsd/blacklist/bin/state.c up to 1.15
	external/bsd/blacklist/bin/state.h up to 1.5
	external/bsd/blacklist/bin/support.c up to 1.6
	external/bsd/blacklist/bin/support.h up to 1.5
	external/bsd/blacklist/etc/rc.d/Makefile up to 1.1
	external/bsd/blacklist/etc/rc.d/blacklistd up to 1.1
	external/bsd/blacklist/etc/Makefile up to 1.3
	external/bsd/blacklist/etc/blacklistd.conf up to 1.3
	external/bsd/blacklist/etc/npf.conf up to 1.1
	external/bsd/blacklist/Makefile up to 1.2
	external/bsd/blacklist/Makefile.inc up to 1.3
	external/bsd/blacklist/README up to 1.7
	external/bsd/blacklist/TODO up to 1.7
	external/bsd/blacklist/diff/ftpd.diff up to 1.1
	external/bsd/blacklist/diff/named.diff up to 1.6
	external/bsd/blacklist/diff/ssh.diff up to 1.6
	external/bsd/blacklist/include/Makefile up to 1.1
	external/bsd/blacklist/include/bl.h up to 1.12
	external/bsd/blacklist/include/blacklist.h up to 1.3
	external/bsd/blacklist/include/config.h new
	external/bsd/blacklist/lib/Makefile up to 1.3
	external/bsd/blacklist/lib/bl.c up to 1.24
	external/bsd/blacklist/lib/blacklist.c up to 1.5
	external/bsd/blacklist/lib/libblacklist.3 up to 1.3
	external/bsd/blacklist/lib/shlib_version up to 1.1
	external/bsd/blacklist/libexec/Makefile up to 1.1
	external/bsd/blacklist/libexec/blacklistd-helper up to 1.4
	external/bsd/blacklist/port/m4/.cvsignore up to 1.1
	external/bsd/blacklist/port/Makefile.am up to 1.4
	external/bsd/blacklist/port/_strtoi.h up to 1.1
	external/bsd/blacklist/port/clock_gettime.c up to 1.2
	external/bsd/blacklist/port/configure.ac up to 1.7
	external/bsd/blacklist/port/fgetln.c up to 1.1
	external/bsd/blacklist/port/fparseln.c up to 1.1
	external/bsd/blacklist/port/getprogname.c up to 1.4
	external/bsd/blacklist/port/pidfile.c up to 1.1
	external/bsd/blacklist/port/popenve.c up to 1.2
	external/bsd/blacklist/port/port.h up to 1.6
	external/bsd/blacklist/port/sockaddr_snprintf.c up to 1.9
	external/bsd/blacklist/port/strlcat.c up to 1.2
	external/bsd/blacklist/port/strlcpy.c up to 1.2
	external/bsd/blacklist/port/strtoi.c up to 1.3
	external/bsd/blacklist/test/Makefile up to 1.2
	external/bsd/blacklist/test/cltest.c up to 1.6
	external/bsd/blacklist/test/srvtest.c up to 1.9
	lib/libpam/modules/pam_ssh/pam_ssh.c up to 1.23
	libexec/ftpd/pfilter.c up to 1.1
	libexec/ftpd/pfilter.h up to 1.1
	libexec/ftpd/Makefile up to 1.64
	libexec/ftpd/ftpd.c up to 1.201

Add blacklistd(8), a daemon to block and release network ports on demand
to mitigate abuse, and related changes to system daemons to support it.
[christos, ticket #711]
@
text
@a0 222
.\" $NetBSD: blacklistd.conf.5,v 1.2 2015/01/28 07:32:28 wiz Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Christos Zoulas.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 25, 2015
.Dt BLACKLISTD.CONF 5
.Os
.Sh NAME
.Nm blacklistd.conf
.Nd configuration file format for blacklistd
.Sh DESCRIPTION
The
.Nm
files contains configuration lines for
.Xr blacklistd 8 .
It contains one entry per line, and is similar to
.Xr inetd.conf 5 .
There must be an entry for each field of the configuration file,
with entries for each field separated by a tab or a space.
Comments are denoted by a
.Dq #
at the beginning of a line.
.Pp
There are two kinds of configuration lines,
.Va local
and
.Va remote .
By default, configuration lines are
.Va local ,
i.e. the address specified refers to the addresses on the local machine.
To switch to between
.Va local
and
.Va remote
configuration lines you can specify the stanzas:
.Dq [local]
and
.Dq [remote] .
.Pp
On
.Va local
and
.Va remote
lines
.Dq *
means use the default, or wildcard match.
In addition, for
.Va remote
lines
.Dq =
means use the values from the matched
.Va local
configuration line.
.Pp
The first four fields,
.Va location ,
.Va type ,
.Va proto ,
and
.Va owner
are used to match the
.Va local
or
.Va remote
addresses, whereas the last 3 fields
.Va name ,
.Va nfail ,
and
.Va disable
are used to modify the filtering action.
.Pp
The first field denotes the
.Va location
as an address, mask, and port.
The syntax for the
.Va location
is:
.Bd -literal -offset indent
[<address>|<interface>][/<mask>][:<port>]
.Ed
.Pp
The
.Dv address
can be an IPv4 address in numeric format, an IPv6 address in numeric
format and enclosed by square brackets, or an interface name.
Mask modifiers are not allowed on interfaces because interfaces
have multiple address in different protocols where the mask has a different
size.
.Pp
The
.Dv mask
is always numeric, but the
.Dv port
can be either numeric or symbolic.
.Pp
The second field is the socket
.Va type :
.Dv stream ,
.Dv dgram ,
or numeric.
The third field is the
.Va prococol :
.Dv tcp ,
.Dv udp ,
.Dv tcp6 ,
.Dv udp6 ,
or numeric.
The fourth file is the effective user
.Va ( owner )
of the daemon process reporting the event, either as a username or
a userid.
.Pp
The rest of the fields are controlling the behavior of the filter.
.Pp
The
.Va name
field, is the name of the packet filter rule to be used.
If the
.Va name
starts with a
.Dq - ,
then the default rulename is prepended to the given name.
If the
.Dv name
contains a
.Dq / ,
the remaining portion of the name is interpreted as the mask to be
applied to the address specified in the rule, so one can block whole subnets
for a single rule violation.
.Pp
The
.Va nfail
field contains the number of failed attempts before access is blocked,
defaulting to
.Dq *
meaning never, and the last field
.Va disable
specifies the amount of time since the last access that the blocking rule
should be active, defaulting to
.Dq *
meaning forever.
The default unit for
.Va disable
is seconds, but one can specify suffixes for different units, such as
.Dq m
for minutes
.Dq h
for hours and
.Dq d
for days.
.Pp
Matching is done first by checking the
.Va local
rules one by one, from the most specific to the least specific.
If a match is found, then the
.Va remote
rules are applied, and if a match is found the
.Va name ,
.Va nfail ,
and
.Va disable
fields can be altered by the
.Va remote
rule that matched.
.Pp The .Va remote rules can be used for whitelisting specific addresses, changing the mask size, or the rule that the packet filter uses, the number of failed attempts, or the blocked duration. .Sh FILES .Bl -tag -width /etc/blacklistd.conf -compact .It Pa /etc/blacklistd.conf Configuration file. .El .Sh EXAMPLES .Bd -literal -offset # Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration bnx0:ssh * * * * 3 6h [remote] # Never block 1.2.3.4 1.2.3.4:ssh * * * * * * # For addresses coming from 8.8.0.0/16 block class C networks instead # individual hosts, but keep the rest of the blocking parameters the same. 8.8.0.0/16:ssh * * * /24 = = .Ed .Sh SEE ALSO .Xr blacklistctl 8 , .Xr blacklistd 8 .Sh HISTORY .Nm appeared in .Nx 8 . .Sh AUTHORS .An Christos Zoulas @ 1.2.2.3 log @Pull up following revision(s) (requested by riz in ticket #726): external/bsd/blacklist/bin/blacklistctl.8: revision 1.7 external/bsd/blacklist/bin/blacklistd.8: revision 1.11 external/bsd/blacklist/bin/blacklistd.conf.5: revision 1.3 blacklistd and friends will actually be in NetBSD 7. @ text @d1 1 a1 1 .\" $NetBSD: blacklistd.conf.5,v 1.2.2.2 2015/04/30 06:07:33 riz Exp $ d30 1 a30 1 .Dd April 29, 2015 d220 1 a220 1 .Nx 7 . @ 1.1 log @- separate man page for blacklistd and blacklistd.conf, requested by wiz@@ - allow separate configurations for local and remote addresses, implementing effectively whitelists, requested by dh@@ - allow the mask of the filter to be specified, requested by dh@@ - the db file format has been changed to accommodate these changes, and needs to be removed. @ text @d1 1 a1 1 .\" $NetBSD: blacklistd.8,v 1.8 2015/01/25 23:07:16 wiz Exp $ d90 1 a90 1 addresses whereas, the last 3 fields d103 1 a103 1 .Bd -literal -offset indent: d133 2 a134 2 The fourth file is the effective user ( .Va owner ) d143 1 a143 1 If the d215 2 a216 2 .Xr blacklistd 8 , .Xr blacklistctl 8 @
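As an added example, not part of this manual page and not blacklistd's own C code, the following Python parses the configuration format described above (the `[local]`/`[remote]` stanzas, the `[<address>|<interface>][/<mask>][:<port>]` location syntax, symbolic ports, `*` defaults, `=` inheritance, `-name` and `name/mask` rule names, and `m`/`h`/`d` duration suffixes) and then resolves an event the way the DESCRIPTION lays out: local rules first, most specific wins, then a matching remote rule overrides `name`, `nfail` and `disable`. Several things the page leaves open are assumptions here and are marked in the code: the default rule name `blacklistd`, the ranking used for "most specific", the reading that the port on a `[remote]` line is the local service port (as in the `1.2.3.4:ssh` example), the matching of an interface name against an `iface` field on the event, the `FALLBACK_SERVICES` table used only when `/etc/services` is missing, and the `SAMPLE_CONF` itself, which is constructed to mirror the EXAMPLES section. It does not count failures; `nfail` is returned as the threshold the daemon would count against.

```python
import ipaddress
import re
import socket
from collections import namedtuple

DEFAULT_RULE = "blacklistd"                  # assumed default packet-filter rule name
FALLBACK_SERVICES = {"ssh": 22, "ftp": 21}   # constructed; used only if /etc/services is absent
DURATION_UNITS = {"": 1, "m": 60, "h": 3600, "d": 86400}
# [<address>|<interface>][/<mask>][:<port>]; IPv6 literals are bracketed
LOCATION_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<host>[^/:\[]+))?"
                         r"(?:/(?P<mask>\d+))?(?::(?P<port>[^:/]+))?$")
# nfail: int, None (never) or "=" (inherit); disable: seconds, None (forever) or "="
Rule = namedtuple("Rule", "net iface port type proto owner name nfail disable")

def parse_port(text):
    try:                                         # numeric, else a service name
        return None if text in (None, "*") else int(text) if text.isdigit() else socket.getservbyname(text)
    except OSError:
        return FALLBACK_SERVICES[text]

def parse_location(loc):
    """Split one location field into (network or None, interface or None, port or None)."""
    m = LOCATION_RE.match(loc)
    if not m:
        raise ValueError(f"bad location {loc!r}")
    host, mask, port = m.group("v6") or m.group("host"), m.group("mask"), parse_port(m.group("port"))
    if host in (None, "*"):
        return None, None, port
    try:
        return ipaddress.ip_network(host if mask is None else f"{host}/{mask}", strict=False), None, port
    except ValueError:                           # not an address, so an interface name
        if mask is not None:                     # the page forbids mask modifiers on interfaces
            raise ValueError(f"mask not allowed on interface {host!r}") from None
        return None, host, port

def parse_duration(text):
    if text == "*":
        return None                              # forever
    num, unit = re.fullmatch(r"(\d+)([mhd]?)", text).groups()
    return int(num) * DURATION_UNITS[unit]

def parse_config(text):
    rules, section = {"local": [], "remote": []}, "local"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("[local]", "[remote]"):
            section = line[1:-1]
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields: {raw!r}")
        loc, typ, proto, owner, name, nfail, disable = fields
        if section == "local" and "=" in (name, nfail, disable):
            raise ValueError(f"'=' is only valid on [remote] lines: {raw!r}")
        nfail = nfail if nfail == "=" else None if nfail == "*" else int(nfail)
        disable = disable if disable == "=" else parse_duration(disable)
        rules[section].append(Rule(*parse_location(loc), typ, proto, owner, name, nfail, disable))
    return rules

def _matches(rule, addr, port, iface, ev):
    return ((rule.net is None or addr in rule.net)
            and (rule.iface is None or rule.iface == iface)
            and (rule.port is None or rule.port == port)
            and all(want in ("*", have) for want, have in
                    zip((rule.type, rule.proto, rule.owner), (ev["type"], ev["proto"], ev["owner"]))))

def _specificity(rule):
    # Assumption (the page does not define "most specific"): longest prefix, then iface, port, pinned fields
    return (rule.net.prefixlen if rule.net is not None else -1, rule.iface is not None,
            rule.port is not None, sum(f != "*" for f in (rule.type, rule.proto, rule.owner)))

def decide(rules, ev):
    """Match local rules (most specific wins), then let a matching remote rule override."""
    laddr, raddr = ipaddress.ip_address(ev["local"]), ipaddress.ip_address(ev["remote"])
    local = [r for r in rules["local"] if _matches(r, laddr, ev["lport"], ev.get("iface"), ev)]
    if not local:
        return None
    lr = max(local, key=_specificity)
    name, nfail, disable = lr.name, lr.nfail, lr.disable
    # Assumption: a [remote] line's port is the local service port (cf. the page's "1.2.3.4:ssh")
    remote = [r for r in rules["remote"] if _matches(r, raddr, ev["lport"], None, ev)]
    if remote:
        rr = max(remote, key=_specificity)
        name, nfail, disable = (l if r == "=" else r for l, r in zip(lr[6:], rr[6:]))
    base, _, mask = name.partition("/")          # "/24": default rule name with a 24-bit mask
    base = DEFAULT_RULE + base if base.startswith("-") else base if base not in ("", "*") else DEFAULT_RULE
    block = ipaddress.ip_network(f"{raddr}/{mask or raddr.max_prefixlen}", strict=False)
    return {"rule": base, "block": block, "nfail": nfail, "disable": disable}

# Constructed sample mirroring the EXAMPLES section (192.0.2.1 = a local address, bnx0 = an interface)
SAMPLE_CONF = """
[local]
192.0.2.1:ssh   *       *    *  *     3  6h
bnx0:ftp        stream  tcp  *  -ftp  5  1d
[remote]
1.2.3.4:ssh     *       *    *  *     *  *
8.8.0.0/16:ssh  *       *    *  /24   =  =
"""
```

Feed `parse_config(SAMPLE_CONF)` and an event dict (`local`, `lport`, `remote`, `type`, `proto`, `owner`, optional `iface`) to `decide()`: an ssh failure from 203.0.113.7 yields the default rule, a /32 block, `nfail` 3 and 21600 seconds; from 1.2.3.4 the whitelist line turns `nfail` into `None` (never block); from 8.8.4.4 the `/24 = =` line widens the block to 8.8.4.0/24 while keeping the local line's 3 failures and 6 hours; a `bnx0/24:ssh` location is rejected because masks are not allowed on interfaces.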