Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
BLACKLISTD.CONF(5)	  FreeBSD File Formats Manual	    BLACKLISTD.CONF(5)

     blacklistd.conf --	configuration file format for blacklistd

     The blacklistd.conf file contains configuration entries for blacklistd(8)
     in	a fashion similar to inetd.conf(5).  Only one entry per	line is	per-
     mitted.  Every entry must have all	fields populated.  Each	field can be
     separated by a tab	or a space.  Comments are denoted by a "#" at the be-
     ginning of	a line.

     There are two kinds of configuration lines, local and remote.  By de-
     fault, configuration lines	are local, i.e.	the address specified refers
     to	the addresses on the local machine.  To	switch to between local	and
     remote configuration lines	you can	specify	the stanzas: "[local]" and

     On	local and remote lines "*" means use the default, or wildcard match.
     In	addition, for remote lines "=" means use the values from the matched
     local configuration line.

     The first four fields, location, type, proto, and owner are used to match
     the local or remote addresses, whereas the	last 3 fields name, nfail, and
     disable are used to modify	the filtering action.

     The first field denotes the location as an	address, mask, and port.  The
     syntax for	the location is:


     The address can be	an IPv4	address	in numeric format, an IPv6 address in
     numeric format and	enclosed by square brackets, or	an interface name.
     Mask modifiers are	not allowed on interfaces because interfaces can have
     multiple addresses	in different protocols where the mask has a different

     The mask is always	numeric, but the port can be either numeric or sym-

     The second	field is the socket type: stream, dgram, or numeric.  The
     third field is the	protocol: tcp, udp, tcp6, udp6,	or numeric.  The
     fourth field is the effective user	(owner)	of the daemon process report-
     ing the event, either as a	username or a userid.

     The rest of the fields control the	behavior of the	filter.

     The name field, is	the name of the	packet filter rule to be used.	If the
     name starts with a	"-", then the default rulename is prepended to the
     given name.  If the name contains a "/", the remaining portion of the
     name is interpreted as the	mask to	be applied to the address specified in
     the rule, causing a single	rule violation to block	the entire subnet for
     the configured prefix.

     The nfail field contains the number of failed attempts before access is
     blocked, defaulting to "*"	meaning	never, and the last field disable
     specifies the amount of time since	the last access	that the blocking rule
     should be active, defaulting to "*" meaning forever.  The default unit
     for disable is seconds, but one can specify suffixes for different	units,
     such as "m" for minutes "h" for hours and "d" for days.

     Matching is done first by checking	the local rules	individually, in the
     order of the most specific	to the least specific.	If a match is found,
     then the remote rules are applied.	 The name, nfail, and disable fields
     can be altered by the remote rule that matched.

     The remote	rules can be used for whitelisting specific addresses, chang-
     ing the mask size,	the rule that the packet filter	uses, the number of
     failed attempts, or the block duration.

     /etc/blacklistd.conf  Configuration file.

	     # Block ssh, after	3 attempts for 6 hours on the bnx0 interface
	     # location	     type    proto   owner   name    nfail   duration
	     bnx0:ssh	     *	     *	     *	     *	     3	     6h
	     # Never block     *	     *	     *	     *	     *	     *
	     # For addresses coming from block class	C networks instead
	     # individual hosts, but keep the rest of the blocking parameters the same.  *	     *	     *	     /24     =	     =

     blacklistctl(8), blacklistd(8)

     blacklistd.conf first appeared in NetBSD 7.  FreeBSD support for
     blacklistd.conf was implemented in	FreeBSD	11.

     Christos Zoulas

FreeBSD	13.0			 June 5, 2017			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help