FreeBSD Manual Pages


BLACKLISTD(8)		  BSD System Manager's Manual		 BLACKLISTD(8)

     blacklistd -- block and release ports on demand to avoid DoS abuse

     blacklistd [-dfrv] [-C controlprog] [-c configfile] [-D dbfile]
                [-P sockpathsfile] [-R rulename] [-s sockpath] [-t timeout]

     blacklistd is a daemon similar to syslogd(8) that listens on sockets at
     paths specified in the sockpathsfile for notifications from other daemons
     about successful or failed connection attempts.  If no such file is
     specified, then it only listens on the socket path specified by sockpath
     or, if that is not specified, on /var/run/blacklistd.sock.  Each
     notification contains an (action, port, protocol, address, owner) tuple
     that identifies the remote connection and the action.  This tuple is
     consulted against entries in configfile with syntax specified in
     blacklistd.conf(5).  If an entry is matched, a state entry is created for
     that tuple.  Each entry contains a number of tries limit and a duration.

     If the action is "add" and the number of tries limit is reached, then a
     control script controlprog is invoked with arguments:

           control add <rulename> <proto> <address> <mask> <port>

     and should invoke a packet filter command to block the connection
     specified by the arguments.  The rulename argument can be set from the
     command line (default blacklistd).  The script could print a numerical id
     to stdout as a handle for the rule that can be used later to remove that
     connection, but that is not required as all information to remove the
     rule is kept.

     If the action is "remove", then the same control script is invoked as:

           control remove <rulename> <proto> <address> <mask> <port> <id>

     where id is the number returned from the "add" action.

     blacklistd maintains a database of known connections in dbfile.  On
     startup it reads entries from that file, and updates its internal state.

     blacklistd checks the list of active entries every timeout seconds
     (default 15) and removes entries and block rules using the control
     program as necessary.

     The following options are available:

     -C controlprog
             Use controlprog to communicate with the packet filter, usually
             /usr/libexec/blacklistd-helper.  The following arguments are
             passed to the control program:

             action    The action to perform: add, rem, or flush to add,
                       remove or flush a firewall rule.

             name      The rule name.

             protocol  The optional protocol name (can be empty): tcp, tcp6,
                       udp, udp6.

             address   The IPv4 or IPv6 numeric address to be blocked or
                       released.

             mask      The numeric mask to be applied to the blocked or
                       released address.

             port      The optional numeric port to be blocked (can be empty).

             id        For packet filters that support removal of rules by
                       rule identifier, the identifier of the rule to be
                       removed.  The add command is expected to return the rule
                       identifier string to stdout.
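     The control-program interface described above (the add/remove invocation
     in the description and the argument list under -C) as a minimal, dry-run
     shell implementation.  This is an added example, not the
     /usr/libexec/blacklistd-helper script that ships with FreeBSD: the
     packet-filter command is hidden behind a PF_CMD variable (an assumption of
     this example, defaulting to echo so the script never touches a real
     firewall), the rule handle printed by add is a cksum of the tuple rather
     than any real rule identifier, and both "rem" and "remove" are accepted
     because the page uses both spellings.

```shell
#!/bin/sh
# Added example of a blacklistd(8)-style control program.  Not the real
# blacklistd-helper; PF_CMD is an assumption (echo = dry run).  In a real
# helper it would be replaced by the packet filter's command-line tool.
PF_CMD="${PF_CMD:-echo}"

# Check the (name proto address mask port) tuple blacklistd hands over before
# anything reaches the packet filter.  The values originate from notifications
# about remote connections, so a strict syntax check is the cheapest defence
# against a malformed tuple turning into a bad firewall rule.
validate_tuple() {
    # $1 name  $2 proto  $3 address  $4 mask  $5 port (may be empty)
    [ -n "$1" ] || { echo "missing rule name" >&2; return 1; }
    case "$2" in
        tcp|tcp6|udp|udp6|"") ;;
        *) echo "bad proto: $2" >&2; return 1 ;;
    esac
    case "$3" in
        ""|*[!0-9a-fA-F:.]*) echo "bad address: $3" >&2; return 1 ;;
    esac
    case "$4" in
        ""|*[!0-9]*) echo "bad mask: $4" >&2; return 1 ;;
    esac
    [ "$4" -le 128 ] || { echo "bad mask: $4" >&2; return 1; }
    case "$5" in
        *[!0-9]*) echo "bad port: $5" >&2; return 1 ;;
    esac
    [ -z "$5" ] || [ "$5" -le 65535 ] || { echo "bad port: $5" >&2; return 1; }
    return 0
}

# Derive a deterministic numeric handle for the rule (constructed here with
# cksum; a real helper would print whatever id its packet filter uses).
rule_id() {
    printf '%s' "$1|$2|$3|$4|$5" | cksum | cut -d' ' -f1
}

# control <action> <name> <proto> <address> <mask> <port> [<id>]
control() {
    action=$1
    shift
    case "$action" in
    add)
        validate_tuple "$@" || return 1
        $PF_CMD block "$1" "$2" "$3/$4" "${5:-any}" >/dev/null || return 1
        # blacklistd stores this line and passes it back as <id> on removal.
        rule_id "$1" "$2" "$3" "$4" "$5"
        ;;
    rem|remove)
        validate_tuple "$@" || return 1
        $PF_CMD unblock "$1" "$2" "$3/$4" "${5:-any}" "$6" >/dev/null
        ;;
    flush)
        [ -n "$1" ] || { echo "missing rule name" >&2; return 1; }
        $PF_CMD flush "$1" >/dev/null
        ;;
    *)
        echo "usage: control add|rem|flush <name> [<proto> <address> <mask> <port> [<id>]]" >&2
        return 2
        ;;
    esac
}
```

     Run with PF_CMD unset to see the commands that would be issued; set
     PF_CMD to a wrapper around the packet filter's tool to make it live.  The
     id printed by add is only a convenience handle, as the page notes:
     blacklistd keeps enough information to issue the matching rem itself.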

     -c configuration
	     The name of the configuration file	to read, usually

     -D dbfile
             The Berkeley DB file where blacklistd stores its state, usually

     -d      Normally, blacklistd disassociates itself from the terminal
             unless the -d flag is specified, in which case it stays in the

     -f      Truncate the state database and flush all the rules named
             rulename by invoking the control script as:

                   control flush <rulename>

     -P sockpathsfile
             A file containing a list of pathnames, one per line, on which
             blacklistd will create sockets to listen.  This is useful for
             chrooted environments.

     -R rulename
             Specify the default rule name for the packet filter rules,
             usually blacklistd.

     -r      Re-read the firewall rules from the internal database, then
             remove and re-add them.  This helps for packet filters that don't
             retain state across reboots.

     -s sockpath
             Add sockpath to the list of Unix sockets blacklistd listens to.

     -t timeout
             The interval in seconds blacklistd polls the state file to update
             the rules.

     -v      Cause blacklistd to print diagnostic messages to stdout instead
             of syslogd(8).

     /usr/libexec/blacklistd-helper  Shell script invoked to interface with
                                     the packet filter.
     /etc/blacklistd.conf            Configuration file.
     /var/db/blacklistd.db           Database of current connection entries.
     /var/run/blacklistd.sock        Socket to receive connection notifica-

     blacklistd.conf(5), blacklistctl(8), npfctl(8), syslogd(8)

     blacklistd first appeared in NetBSD 7.  FreeBSD support for blacklistd
     was implemented in FreeBSD 11.

     Christos Zoulas

BSD				 June 7, 2016				   BSD

