Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 15.0-CURRENT FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 14.0-STABLE FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.3-STABLE FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.0 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 13.0 unstable Debian 12.5.0 Debian 11.9.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 14.3.1 macOS 13.6.5 macOS 12.7.3 macOS 10.13.6 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.0 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenStep 4.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Red Hat 9 Rhapsody DR1 Rhapsody DR2 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

BLACKLISTD(8)		    System Manager's Manual		 BLACKLISTD(8)

NAME
       blacklistd -- block and release ports on	demand to avoid	DoS abuse

SYNOPSIS
       blacklistd   [-dfrv]  [-C  controlprog]	[-c  configfile]  [-D  dbfile]
		  [-P sockpathsfile] [-R rulename] [-s sockpath] [-t timeout]

DESCRIPTION
       blacklistd is a daemon similar to syslogd(8) that listens to sockets at
       paths specified in the sockpathsfile for	notifications from other  dae-
       mons  about  successful or failed connection attempts.  If no such file
       is specified, then it only listens to  the  socket  path	 specified  by
       sockspath  or  if  that	is  not	specified to /var/run/blacklistd.sock.
       Each notification contains an (action, port, protocol, address,	owner)
       tuple that identifies the remote	connection and the action.  This tuple
       is  consulted  against  entries	in configfile with syntax specified in
       blacklistd.conf(5).  If an entry	is matched, a state entry  is  created
       for  that tuple.	 Each entry contains a number of tries limit and a du-
       ration.

       The way blacklistd does configuration entry matching is by  having  the
       client side pass	the file descriptor associated with the	connection the
       client wants to blacklist as well as passing socket credentials.

       The  file descriptor is used to retrieve	information (address and port)
       about the remote	side with  getpeername(2)  and	the  local  side  with
       getsockname(2).

       By  examining  the  port	of the local side, blacklistd can determine if
       the client program "owns" the port.  By examining the optional  address
       portion	on  the	local side, it can match interfaces.  By examining the
       remote address, it can match specific allow or deny rules.

       Finally blacklistd can examine the socket credentials to	match the user
       in the configuration file.

       While this works	well for TCP sockets, it cannot	be relied on  for  un-
       bound UDP sockets.  It is also less meaningful when it comes to connec-
       tions  using  non-privileged ports.  On the other hand, if we receive a
       request that has	a local	endpoint indicating a UDP privileged port,  we
       can  presume  that the client was privileged to be able to acquire that
       port.

       Once an entry is	matched	blacklistd can perform	various	 actions.   If
       the  action  is	"add" and the number of	tries limit is reached,	then a
       control script controlprog is invoked with arguments:

	     control add <rulename> <proto> <address> <mask> <port>

       and should invoke a packet filter command to block the connection spec-
       ified by	the arguments.	The rulename argument can be set from the com-
       mand line (default blacklistd).	The script could print a numerical  id
       to  stdout  as  a  handle for the rule that can be used later to	remove
       that connection,	but that is not	required as all	information to	remove
       the rule	is kept.

       If the action is	"rem" Then the same control script is invoked as:

	     control rem <rulename> <proto> <address> <mask> <port> <id>

       where id	is the number returned from the	"add" action.

       blacklistd  maintains  a	 database  of known connections	in dbfile.  On
       startup it reads	entries	from  that  file,  and	updates	 its  internal
       state.

       blacklistd checks the list of active entries every timeout seconds (de-
       fault 15) and removes entries and block rules using the control program
       as necessary.

       The following options are available:

       -C controlprog
	       Use  controlprog	to communicate with the	packet filter, usually
	       /usr/libexec/blacklistd-helper.	The  following	arguments  are
	       passed to the control program:

	       action	 The action to perform:	add, rem, or flush to add, re-
			 move or flush a firewall rule.

	       name	 The rule name.

	       protocol	 The optional protocol name (can be empty): tcp, tcp6,
			 udp, udp6.

	       address	 The IPv4 or IPv6 numeric address to be	blocked	or re-
			 leased.

	       mask	 The  numeric mask to be applied to the	blocked	or re-
			 leased	address

	       port	 The optional numeric  port  to	 be  blocked  (can  be
			 empty).

	       id	 For  packet  filters that support removal of rules by
			 rule identifier, the identifier of the	rule to	be re-
			 moved.	 The add command is  expected  to  return  the
			 rule identifier string	to stdout.

       -c configuration
	       The   name   of	 the   configuration  file  to	read,  usually
	       /etc/blacklistd.conf.

       -D dbfile
	       The Berkeley DB file where blacklistd stores its	state, usually
	       /var/db/blacklistd.db.

       -d      Normally, blacklistd disassociates itself from the terminal un-
	       less the	-d flag	is specified, in which case it	stays  in  the
	       foreground.

       -f      Truncate	 the  state  database  and  flush  all the rules named
	       rulename	are deleted by invoking	the control script as:

		     control flush <rulename>

       -P sockspathsfile
	       A file containing a  list  of  pathnames,  one  per  line  that
	       blacklistd  will	 create	 sockets to listen to.	This is	useful
	       for chrooted environments.

       -R rulename
	       Specify the default rule	name for the packet filter rules, usu-
	       ally blacklistd.

       -r      Re-read the firewall rules from the internal database, then re-
	       move and	re-add them.  This helps for packet  filters  that  do
	       not retain state	across reboots.

       -s sockpath
	       Add sockpath to the list	of Unix	sockets	blacklistd listens to.

       -t timeout
	       The  interval in	seconds	blacklistd polls the state file	to up-
	       date the	rules.

       -v      Cause blacklistd	to print diagnostic messages to	stdout instead
	       of syslogd(8).

SIGNAL HANDLING
       blacklistd deals	with the following signals:

       HUP   Receipt of	this signal causes blacklistd to re-read the  configu-
	     ration file.

       INT, TERM & QUIT
	     These signals tell	blacklistd to exit in an orderly fashion.

       USR1  This  signal  tells blacklistd to increase	the internal debugging
	     level by 1.

       USR2  This signal tells blacklistd to decrease the  internal  debugging
	     level by 1.

FILES
       /usr/libexec/blacklistd-helper  Shell  script invoked to	interface with
				       the packet filter.
       /etc/blacklistd.conf	       Configuration file.
       /var/db/blacklistd.db	       Database	of current connection entries.
       /var/run/blacklistd.sock	       Socket to receive connection  notifica-
				       tions.

SEE ALSO
       blacklistd.conf(5), blacklistctl(8), pfctl(8), syslogd(8)

HISTORY
       blacklistd  first appeared in NetBSD 7.	FreeBSD	support	for blacklistd
       was implemented in FreeBSD 11.

AUTHORS
       Christos	Zoulas

FreeBSD	13.2			April 21, 2020			 BLACKLISTD(8)

---

NAME | SYNOPSIS | DESCRIPTION | SIGNAL HANDLING | FILES | SEE ALSO | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=blacklistd&sektion=8&manpath=FreeBSD+14.0-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact