**Contents**

[[!toc]]

# How to set up blocklistd

`blocklistd` uses `npf` to block connections at the network layer once a remote host has made too many failed attempts to connect to a service. The first step is therefore to set up npf. This tutorial assumes that this has not been done yet.

## Configuring npf

Start from the example config file:

    cp /usr/share/examples/blocklist/npf.conf /etc/npf.conf

Edit it so that `$ext_if` points to your external network interface.

If you don't want to reboot, you also need to create an npflog device now:

    ifconfig npflog0 create

So that this also happens after a reboot, run:

    echo create > /etc/ifconfig.npflog0

Enable the bpfjit kernel module:

    modload bpfjit

and make the setting persistent:

    echo bpfjit >> /etc/modules
    echo modules=yes >> /etc/rc.conf

Set (or increase) the related bpf sysctl settings:

    sysctl -w net.bpf.jit=1
    sysctl -w net.bpf.maxbufsize=4194304
    echo net.bpf.jit=1 >> /etc/sysctl.conf
    echo net.bpf.maxbufsize=4194304 >> /etc/sysctl.conf

## Configuring blocklistd

Again, start from the example config:

    cp /usr/share/examples/blocklist/blocklistd.conf /etc/blocklistd.conf

Edit the file. In the `[local]` section you add the services to protect and the number of failed tries after which a remote host is blocked. In the `[remote]` section you can whitelist hosts. For more details, see `blocklistd.conf(5)`.

## Starting the services

After everything is configured, start the services:

    service npfd restart
    service npf reload
    service blocklistd restart

and make them persistent:

    echo npf=yes >> /etc/rc.conf
    echo npfd=yes >> /etc/rc.conf
    echo blocklistd=yes >> /etc/rc.conf
    echo blocklistd_flags=-r >> /etc/rc.conf

Restart the services that you have added to blocklistd, e.g.

    service sshd restart
    service postfix restart

You probably also need to tell npf to start filtering based on the entries:

    npfctl start

## Checking the current state

You can check the current state with

    blocklistctl dump -a

## Unblocking hosts

Find the host in the `blocklistctl dump -a` output. The second column (`id`) is a hex number. Pass it as the argument to npfctl:

    /sbin/npfctl rule blocklistd rem-id $ID
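The unblocking step above, scripted so that the id is looked up by address rather than copied by hand. This is an added example, not part of the original page or of blocklistd itself; the sample dump text is constructed and only follows the column order described above (address first, `id` second), so check it against the real `blocklistctl dump -a` output on your system.

```shell
#!/bin/sh
# Look up a host's blocklistd rule id in `blocklistctl dump -a` output and
# build the npfctl command that removes the corresponding npf rule.

# Constructed sample of dump output (not captured from a real system);
# only the column order matters: address/mask:port, then the hex id.
SAMPLE_DUMP='        address/ma:port id      nfail   last access
203.0.113.7/32:22       1a      3/3     2024/05/01 10:00:00
198.51.100.9/32:25      2b      3/3     2024/05/01 10:05:00'

# Print the id (second column) of the entry for address $1.
# Reads dump text on stdin; returns 1 when no entry matches.
# The "/" after the address keeps 203.0.113.7 from matching 203.0.113.70.
blocklist_id_for() {
    awk -v a="$1" '
        NR > 1 && index($1, a "/") == 1 { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Print the npfctl command from the unblocking step for address $1.
# Reads dump text on stdin; returns 1 when the host is not listed.
unblock_cmd_for() {
    id=$(blocklist_id_for "$1") || return 1
    printf '/sbin/npfctl rule blocklistd rem-id %s\n' "$id"
}

# Show the command for address $1; pass "run" as $2 to execute it.
# Usage: blocklistctl dump -a | unblock_host 203.0.113.7 run
unblock_host() {
    cmd=$(unblock_cmd_for "$1") || {
        echo "no blocklistd entry for $1" >&2
        return 1
    }
    if [ "$2" = run ]; then
        $cmd
    else
        echo "$cmd"
    fi
}
```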