FreeBSD Manual Pages

BLOCKLISTD.CONF(5)            File Formats Manual           BLOCKLISTD.CONF(5)

NAME
       blocklistd.conf -- configuration file format for blocklistd

DESCRIPTION
       The blocklistd.conf file contains configuration entries for
       blocklistd(8) in a fashion similar to inetd.conf(5).  Only one entry
       per line is permitted.  Every entry must have all fields populated.
       Fields are separated by a tab or a space.  Comments are denoted by a
       "#" at the beginning of a line.

       There are two kinds of configuration lines, [local] and [remote].  By
       default, configuration lines are [local], i.e. the address specified
       refers to the addresses on the local machine.  To switch between
       [local] and [remote] configuration lines you can specify the stanzas
       "[local]" and "[remote]".

       On [local] and [remote] lines "*" means use the default, or wildcard
       match.  In addition, for [remote] lines "=" means use the values from
       the matched [local] configuration line.

       The first four fields, location, type, proto, and owner, are used to
       match the [local] or [remote] addresses, whereas the last three fields,
       name, nfail, and duration, are used to modify the filtering action.

       The first field denotes the location as an address, mask, and port.
       The syntax for the location is:

		     [<address>|<interface>][/<mask>][:<port>]

       The address can be an IPv4 address in numeric format, an IPv6 address
       in numeric format and enclosed by square brackets, or an interface
       name.  Mask modifiers are not allowed on interfaces because interfaces
       can have multiple addresses in different protocols where the mask has a
       different size.

       The mask is always numeric, but the port can be either numeric or
       symbolic.

       The second field is the socket type: stream, dgram, or numeric.  The
       third field is the protocol: tcp, udp, tcp6, udp6, or numeric.  The
       fourth field is the effective user (owner) of the daemon process
       reporting the event, either as a username or a userid.

       The rest of the fields control the behavior of the filter.

       The name field is the name of the packet filter rule to be used.  If
       the name starts with a hyphen ("-"), then the default rulename is
       prepended to the given name.  If the name contains a "/", the remaining
       portion of the name is interpreted as the mask to be applied to the
       address specified in the rule, causing a single rule violation to block
       the entire subnet for the configured prefix.

       The nfail field contains the number of failed attempts before access is
       blocked, defaulting to "*", meaning never.  The last field, duration,
       specifies the amount of time since the last access that the blocking
       rule should be active, defaulting to "*", meaning forever.  The default
       unit for duration is seconds, but one can specify suffixes for
       different units, such as "m" for minutes, "h" for hours, and "d" for
       days.

       Matching is done first by checking the [local] rules individually, in
       the order of the most specific to the least specific.  If a match is
       found, then the matching [remote] rules are applied.  The name, nfail,
       and duration fields can be altered by the [remote] rule that matched.

       The [remote] rules can be used for allowing specific addresses,
       changing the mask size (via name), the rule that the packet filter uses
       (also via name), the number of failed attempts (via nfail), or the
       duration to block (via duration).

FILES
       /etc/blocklistd.conf  Configuration file.

EXAMPLES
              # Block ssh, after 3 attempts for 6 hours on the bnx0 interface
              [local]
              # location      type    proto   owner   name    nfail   duration
              bnx0:ssh        *       *       *       *       3       6h
              [remote]
              # Never block 1.2.3.4
              1.2.3.4:ssh     *       *       *       *       *       *
              # Never block the example IPv6 subnet either
              [2001:db8::]/32:ssh     *       *       *       *       *       *
              # For addresses coming from 8.8.0.0/16 block whole /24 networks instead
              # of individual hosts, but keep the rest of the blocking parameters the same.
              8.8.0.0/16:ssh  *       *       *       /24     =       =
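       The following script is an added example and is not part of this
       manual page or of blocklistd itself.  It re-implements the location
       syntax, the "*" and "=" conventions, the "/mask" and "-" forms of the
       name field, the duration suffixes, and the documented matching order
       (most specific [local] line first, then the matching [remote] line) so
       the example configuration above can be exercised offline.  The
       DEFAULT_RULENAME value, the SERVICES table standing in for
       /etc/services, the relative ordering of interface entries against
       address entries, and the addresses passed to lookup() are assumptions
       or constructed sample values, not something this page documents.

```python
"""Added example, not blocklistd's own code: a parser and matcher for the
blocklistd.conf(5) syntax described above.  SAMPLE_CONF is constructed."""
import ipaddress
import re

FIELDS = ("location", "type", "proto", "owner", "name", "nfail", "duration")
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
SERVICES = {"ssh": 22, "smtp": 25, "http": 80}  # constructed stand-in for /etc/services
DEFAULT_RULENAME = "blocklistd"  # assumed default; blocklistd(8) defines the real one
# [<address>|<interface>][/<mask>][:<port>], IPv6 addresses in square brackets
LOCATION_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})"
    r"|(?P<iface>[A-Za-z][\w.]*)|\*)(?:/(?P<mask>\d+))?(?::(?P<port>[^:/]+))?$")
SAMPLE_CONF = """\
[local]
bnx0:ssh        *       *       *       *       3       6h
[remote]
1.2.3.4:ssh     *       *       *       *       *       *
[2001:db8::]/32:ssh     *       *       *       *       *       *
8.8.0.0/16:ssh  *       *       *       /24     =       =
"""

def parse_location(text):
    """Return (network or None, interface or None, port or None)."""
    m = LOCATION_RE.match(text)
    if not m:
        raise ValueError(f"bad location {text!r}")
    if m["iface"] and m["mask"]:
        raise ValueError("mask modifiers are not allowed on interfaces")
    addr = m["v4"] or m["v6"]
    net = ipaddress.ip_network(f"{addr}/{m['mask']}" if m["mask"] else addr, strict=False) if addr else None
    # port is numeric or symbolic; symbolic names are resolved via SERVICES
    port = m["port"] and (int(m["port"]) if m["port"].isdigit() else SERVICES[m["port"]])
    return net, m["iface"], port

def parse_duration(text):
    """Seconds, or None for "*" (forever); suffixes s/m/h/d are accepted."""
    if text == "*":
        return None
    value, unit = re.fullmatch(r"(\d+)([smhd]?)", text).groups()  # raises on bad input
    return int(value) * UNIT_SECONDS[unit]

def resolve_name(name):
    """Expand the name field into (packet filter rule name, mask or None)."""
    mask = None
    if "/" in name:  # "/24": one violation blocks the whole /24
        name, mask_text = name.split("/", 1)
        mask = int(mask_text)
    if name.startswith("-"):  # "-foo": the default rulename is prepended
        name = DEFAULT_RULENAME + name
    return (DEFAULT_RULENAME if name in ("", "*") else name), mask

def parse_config(text):
    """Parse config text into (local_entries, remote_entries), lists of dicts."""
    section, entries = "local", {"local": [], "remote": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("[local]", "[remote]"):
            section = line[1:-1]
            continue
        fields = line.split()
        if len(fields) != len(FIELDS):
            raise ValueError(f"line {lineno}: every entry must have all 7 fields")
        e = dict(zip(FIELDS, fields))
        e["net"], e["iface"], e["port"] = parse_location(e["location"])
        entries[section].append(e)
    return entries["local"], entries["remote"]

def specificity(e):
    # Sort key: longest prefix first, then interface names, then the '*' wildcard (assumed order)
    return e["net"].prefixlen + 1 if e["net"] is not None else (1 if e["iface"] else 0)

def matches(e, addr, iface, port, type_, proto, owner):
    if e["net"] is not None and addr not in e["net"]:
        return False
    if e["iface"] not in (None, iface) or e["port"] not in (None, port):
        return False
    return all(want in ("*", have) for want, have in
               ((e["type"], type_), (e["proto"], proto), (e["owner"], owner)))

def lookup(local, remote, local_addr, local_iface, remote_addr, port,
           type_="stream", proto="tcp", owner="root"):
    """Most-specific [local] match first; a [remote] match then overrides fields except "=" ones."""
    def first(entries, addr, iface):
        addr = ipaddress.ip_address(addr)
        for e in sorted(entries, key=specificity, reverse=True):
            if matches(e, addr, iface, port, type_, proto, owner):
                return e
    loc = first(local, local_addr, local_iface)
    if loc is None:
        return None
    chosen = {k: loc[k] for k in ("name", "nfail", "duration")}
    rem = first(remote, remote_addr, None)
    if rem is not None:
        chosen.update({k: rem[k] for k in chosen if rem[k] != "="})
    name, mask = resolve_name(chosen["name"])
    return {"name": name, "mask": mask,
            "nfail": None if chosen["nfail"] == "*" else int(chosen["nfail"]),
            "duration": parse_duration(chosen["duration"])}
```

       Calling lookup(local, remote, "192.0.2.10", "bnx0", "8.8.1.1", 22) on
       the parsed SAMPLE_CONF returns the default rule name with mask 24,
       nfail 3 and a duration of 21600 seconds, which is the effect of the
       "/24  =  =" [remote] line: the mask changes while nfail and duration
       are carried over from the [local] line.  A peer in 2001:db8::/32 or
       1.2.3.4 yields nfail None, i.e. never blocked.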

SEE ALSO
       blocklistctl(8), blocklistd(8)

HISTORY
       blocklistd.conf first appeared in NetBSD 7.  FreeBSD support for
       blocklistd.conf was implemented in FreeBSD 11.

AUTHORS
       Christos Zoulas

FreeBSD 15.0                   February 5, 2025             BLOCKLISTD.CONF(5)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=blocklistd.conf&sektion=5&manpath=FreeBSD+15.0-RELEASE+and+Ports>