View | Details | Raw Unified | Return to bug 265455

(-)b/documentation/content/en/books/handbook/firewalls/_index.adoc (-4 / +4 lines)
Lines 2008-2014 The port number of the source is optional. Link Here
2008
However, if it is used, it requires PROTO_TYPE to be first defined in the rule.
2008
However, if it is used, it requires PROTO_TYPE to be first defined in the rule.
2009
The port number must also be preceded by the `proto` keyword.
2009
The port number must also be preceded by the `proto` keyword.
2010
+
2010
+
2011
A number of different comparison operators are supported: `=` (equal to), `!=` (not equal to), `<` (less than), `>` (greater than), `<=` (less than or equal to), and `>=` (greater than or equal to).
2011
A number of different comparison operators are supported: `=` (equal to), `!=` (not equal to), `<` (less than), `>` (greater than), `+<=+` (less than or equal to), and `>=` (greater than or equal to).
2012
+
2012
+
2013
To specify port ranges, place the two port numbers between `<>` (less than and greater than ), `><` (greater than and less than ), or `:` (greater than or equal to and less than or equal to).
2013
To specify port ranges, place the two port numbers between `<>` (less than and greater than ), `><` (greater than and less than ), or `:` (greater than or equal to and less than or equal to).
2014
2014
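Review bot: the `+<=+` passthrough on line 2011 is the right fix, since AsciiDoc turns a bare `<=` into the ⇐ arrow even inside backticks, while `>=` has no such replacement and is correctly left unescaped. While touching this region, line 2013 has stray spaces before the closing parentheses in "(less than and greater than )" and "(greater than and less than )"; suggest "(less than and greater than)" and "(greater than and less than)". The `<>` and `><` operators there are not AsciiDoc replacements and render correctly as they are.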
Lines 2452-2458 For example: `icmp 3/3` for a port unreachable message. Link Here
2452
[[firewalls-blacklistd]]
2452
[[firewalls-blacklistd]]
2453
== Blacklistd
2453
== Blacklistd
2454
2454
2455
Blacklistd is a daemon listening to sockets to receive notifications from other daemons about connection attempts that failed or were successful.
2455
Blacklistd is a daemon listening to sockets awaiting to receive notifications from other daemons about connection attempts that failed or were successful.
2456
It is most widely used in blocking too many connection attempts on open ports.
2456
It is most widely used in blocking too many connection attempts on open ports.
2457
A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access.
2457
A prime example is SSH running on the internet getting a lot of requests from bots or scripts trying to guess passwords and gain access.
2458
Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7.
2458
Using blacklistd, the daemon can notify the firewall to create a filter rule to block excessive connection attempts from a single source after a number of tries. Blacklistd was first developed on NetBSD and appeared there in version 7.
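Review bot: "listening to sockets awaiting to receive notifications" on line 2455 is ungrammatical and no clearer than the original; suggest "listening on sockets, waiting to receive notifications from other daemons" or simply keeping the original sentence with "on" in place of "to". Line 2458 also carries two sentences on one line, unlike the one-sentence-per-line layout of the surrounding lines; consider moving "Blacklistd was first developed on NetBSD and appeared there in version 7." onto its own line.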
Lines 2501-2507 ssh stream * * * 3 24h Link Here
2501
All rules that follow the `[local]` section are treated as local rules (which is the default), applying to the local machine.
2501
All rules that follow the `[local]` section are treated as local rules (which is the default), applying to the local machine.
2502
When a `[remote]` section is encountered, all rules that follow it are handled as remote machine rules.
2502
When a `[remote]` section is encountered, all rules that follow it are handled as remote machine rules.
2503
2503
2504
Seven fields define a rule separated by either tabs or spaces.
2504
Seven fields separated by either tabs or spaces  define a rule .
2505
The first four fields identify the traffic that should be blocklisted.
2505
The first four fields identify the traffic that should be blocklisted.
2506
The three fields that follow define backlistd's behavior.
2506
The three fields that follow define backlistd's behavior.
2507
Wildcards are denoted as asterisks (`*`), matching anything in this field.
2507
Wildcards are denoted as asterisks (`*`), matching anything in this field.
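Review bot: the reordering on line 2504 introduces a double space before "define" and a stray space before the period; suggest "Seven fields, separated by either tabs or spaces, define a rule." Line 2506, left unchanged, misspells the daemon name as "backlistd's"; fix it to "blacklistd's" while editing this paragraph.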
Lines 2593-2599 To explain it, this example rule is used: Link Here
2593
2593
2594
The address field can be an IP address (either v4 or v6), a port or both.
2594
The address field can be an IP address (either v4 or v6), a port or both.
2595
This allows setting special rules for a specific remote address range like in this example.
2595
This allows setting special rules for a specific remote address range like in this example.
2596
The fields for type, protocol and owner are identically interpreted as in the local rule.
2596
The fields for socket type, protocol and owner are identically interpreted as in the local rule.
2597
2597
2598
The name fields is different though: the equal sign (`=`) in a remote rule tells blacklistd to use the value from the matching local rule.
2598
The name fields is different though: the equal sign (`=`) in a remote rule tells blacklistd to use the value from the matching local rule.
2599
It means that the firewall rule entry is taken and the `/25` prefix (a netmask of `255.255.255.128`) is added.
2599
It means that the firewall rule entry is taken and the `/25` prefix (a netmask of `255.255.255.128`) is added.
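Review bot: "socket type" on line 2596 is a useful clarification, but line 2598 still reads "The name fields is different though", a number disagreement; suggest "The name field is different though". Line 2599's `/25` and `255.255.255.128` agree with each other, so nothing needs to change there.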
