How to set up blocklistd
blocklistd uses npf to block connections at the network layer after a remote host has had too many failed attempts at connecting to a service.
So the first step is to set up npf; this tutorial assumes that has not been done yet.
Configuring npf
Just use the example config file:
cp /usr/share/examples/blocklist/npf.conf /etc/npf.conf
Edit it so $ext_if points to your external network interface.
If you don't want to reboot, you'll also need to create an npflog device:
ifconfig npflog0 create
To make this happen after a reboot too, run:
echo create > /etc/ifconfig.npflog0
Enable the bpfjit kernel module:
modload bpfjit
and make the setting persistent:
echo bpfjit >> /etc/modules
echo modules=yes >> /etc/rc.conf
Enable the BPF JIT and increase the BPF buffer size via sysctl (npf relies on these):
sysctl -w net.bpf.jit=1
sysctl -w net.bpf.maxbufsize=4194304
echo net.bpf.jit=1 >> /etc/sysctl.conf
echo net.bpf.maxbufsize=4194304 >> /etc/sysctl.conf
Configuring blocklistd
Again, start with the example config:
cp /usr/share/examples/blocklist/blocklistd.conf /etc/blocklistd.conf
Edit the file. In the [local] section you can add services and the number of failed tries after which a remote host should be blocked. In the [remote] section you can whitelist hosts. For more details, see blocklistd.conf(5).
Starting the services
After everything is configured, you can start the services:
service npfd restart
service npf reload
service blocklistd restart
and make them persistent:
echo npf=yes >> /etc/rc.conf
echo npfd=yes >> /etc/rc.conf
echo blocklistd=yes >> /etc/rc.conf
echo blocklistd_flags=-r >> /etc/rc.conf
Restart the services you have added to blocklistd, e.g.:
service sshd restart
service postfix restart
You probably also need to tell npf to start filtering based on the entries:
npfctl start
Checking the current state
You can check the current state with
blocklistctl dump -a
Unblocking hosts
Find the host in the blocklistctl dump -a output. The second column (id) is a hex number. Pass this as argument to npfctl:
/sbin/npfctl rule blocklistd rem-id $ID
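As an added example (not part of the original page), a small POSIX shell helper that automates the lookup and removal step above. The dump text in SAMPLE_DUMP is constructed to match the page's description (address first, hex id second); its headers and exact spacing are an assumption, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the original tutorial: find the blocklistd rule id
# for an address in `blocklistctl dump -a` output and remove the npf rule.

# Constructed sample dump. Column layout follows the page's description
# (address/mask:port first, hex id second); headers/spacing are assumed.
SAMPLE_DUMP='        address/ma:port	id	nfail	last access
   192.0.2.10/32:22	2f	3/3	2024/01/02 03:04:05
  198.51.100.7/32:25	1a	1/3	2024/01/02 03:05:00'

# blocklist_id_for DUMP_TEXT ADDRESS
# Prints the hex id of the entry whose address column begins with
# "ADDRESS/"; returns 1 and prints nothing if the host is not listed.
blocklist_id_for() {
    dump="$1"; addr="$2"
    id=$(printf '%s\n' "$dump" | awk -v a="$addr" '
        NR > 1 && index($1, a "/") == 1 { print $2; exit }')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# unblock_host ADDRESS
# Reads the live dump and removes the matching rule, as on the page.
unblock_host() {
    id=$(blocklist_id_for "$(blocklistctl dump -a)" "$1") || {
        echo "$1 is not currently blocked" >&2
        return 1
    }
    /sbin/npfctl rule blocklistd rem-id "$id"
}
```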