Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
BLACKLISTD.CONF(5)	    BSD	File Formats Manual	    BLACKLISTD.CONF(5)

     blacklistd.conf --	configuration file format for blacklistd

     The blacklistd.conf files contains	configuration lines for	blacklistd(8).
     It	contains one entry per line, and is similar to inetd.conf(5).  There
     must be an	entry for each field of	the configuration file,	with entries
     for each field separated by a tab or a space.  Comments are denoted by a
     "#" at the	beginning of a line.

     There are two kinds of configuration lines, local and remote.  By de-
     fault, configuration lines	are local, i.e.	the address specified refers
     to	the addresses on the local machine.  To	switch to between local	and
     remote configuration lines	you can	specify	the stanzas: "[local]" and

     On	local and remote lines "*" means use the default, or wildcard match.
     In	addition, for remote lines "=" means use the values from the matched
     local configuration line.

     The first four fields, location, type, proto, and owner are used to match
     the local or remote addresses, whereas the	last 3 fields name, nfail, and
     disable are used to modify	the filtering action.

     The first field denotes the location as an	address, mask, and port.  The
     syntax for	the location is:


     The address can be	an IPv4	address	in numeric format, an IPv6 address in
     numeric format and	enclosed by square brackets, or	an interface name.
     Mask modifiers are	not allowed on interfaces because interfaces have mul-
     tiple address in different	protocols where	the mask has a different size.

     The mask is always	numeric, but the port can be either numeric or sym-

     The second	field is the socket type: stream, dgram, or numeric.  The
     third field is the	prococol: tcp, udp, tcp6, udp6,	or numeric.  The
     fourth file is the	effective user (owner) of the daemon process reporting
     the event,	either as a username or	a userid.

     The rest of the fields are	controlling the	behavior of the	filter.

     The name field, is	the name of the	packet filter rule to be used.	If the
     name starts with a	"-", then the default rulename is prepended to the
     given name.  If the name contains a "/", the remaining portion of the
     name is interpreted as the	mask to	be applied to the address specified in
     the rule, so one can block	whole subnets for a single rule	violation.

     The nfail field contains the number of failed attempts before access is
     blocked, defaulting to "*"	meaning	never, and the last field disable
     specifies the amount of time since	the last access	that the blocking rule
     should be active, defaulting to "*" meaning forever.  The default unit
     for disable is seconds, but one can specify suffixes for different	units,
     such as "m" for minutes "h" for hours and "d" for days.

     Matching is done first by checking	the local rules	one by one, from the
     most specific to the least	specific.  If a	match is found,	then the
     remote rules are applied, and if a	match is found the name, nfail,	and
     disable fields can	be altered by the remote rule that matched.

     The remote	rules can be used for whitelisting specific addresses, chang-
     ing the mask size,	or the rule that the packet filter uses, the number of
     failed attempts, or the blocked duration.

     /etc/blacklistd.conf  Configuration file.

     # Block ssh, after	3 attempts for 6 hours on the bnx0 interface
     # location	     type    proto   owner   name    nfail   duration
     bnx0:ssh	     *	     *	     *	     *	     3	     6h
     # Never block     *	     *	     *	     *	     *	     *
     # For addresses coming from block class	C networks instead
     # individual hosts, but keep the rest of the blocking parameters the same.  *	     *	     *	     /24     =	     =

     blacklistctl(8), blacklistd(8)

     blacklistd.conf first appeared in NetBSD 7.  FreeBSD support for
     blacklistd.conf was implemented in	FreeBSD	11.

     Christos Zoulas

BSD				 June 7, 2016				   BSD


Want to link to this manual page? Use this URL:

home | help