Module Name: src
Committed By: snj
Date: Fri Jul 31 17:26:13 UTC 2015
Modified Files:
src/external/bsd/blacklist/bin [netbsd-7]: blacklistd.8
Log Message:
Pull up following revision(s) (requested by christos in ticket #926):
external/bsd/blacklist/bin/blacklistd.8: revisions 1.12-1.14
Document the options as a list instead of embedded text.
--
Whitespace and macro fixes.
--
prune bogus comma from Nm args
To generate a diff of this commit:
cvs rdiff -u -r1.10.2.3 -r1.10.2.4 \
src/external/bsd/blacklist/bin/blacklistd.8
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blacklist/bin/blacklistd.8
diff -u src/external/bsd/blacklist/bin/blacklistd.8:1.10.2.3 src/external/bsd/blacklist/bin/blacklistd.8:1.10.2.4
--- src/external/bsd/blacklist/bin/blacklistd.8:1.10.2.3 Thu Apr 30 19:37:38 2015
+++ src/external/bsd/blacklist/bin/blacklistd.8 Fri Jul 31 17:26:13 2015
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.10.2.3 2015/04/30 19:37:38 snj Exp $
+.\" $NetBSD: blacklistd.8,v 1.10.2.4 2015/07/31 17:26:13 snj Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,11 +27,11 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd April 29, 2015
+.Dd June 4, 2015
.Dt BLACKLISTD 8
.Os
.Sh NAME
-.Nm blacklistd ,
+.Nm blacklistd
.Nd block and release ports on demand to avoid DoS abuse
.Sh SYNOPSIS
.Nm
@@ -90,7 +90,7 @@ If the action is
.Dq remove
Then the same control script is invoked as:
.Bd -literal -offset indent
-control add <rulename> <proto> <address> <mask> <port>
+control remove <rulename> <proto> <address> <mask> <port> <id>
.Ed
.Pp
where
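Review bot: the new `control remove <rulename> <proto> <address> <mask> <port> <id>` line uses the action name `remove`, while the new options list in the later hunk documents the action argument as `.Dv add , .Dv rem , or .Dv flush`; pick one spelling and use it in both places so the helper interface is documented consistently. The added `<id>` argument matches the `id` item described later, so that part lines up. The unchanged context line `Then the same control script is invoked as:` also starts mid-sentence with a capital after `.Dq remove`, which would be worth lowercasing while this paragraph is being touched.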
@@ -103,19 +103,6 @@ action.
maintains a database of known connections in
.Ar dbfile .
On startup it reads entries from that file, and updates its internal state.
-If the
-.Fl f
-flag is specified, then the database is truncated an all the rules named
-.Ar rulename
-are deleted by invoking the control script as:
-.Bd -literal -offset indent
-control flush <rulename>
-.Ed
-If the
-.Fl r
-flag is specified, the firewall rules are re-read from the internal database
-and are removed and re-added.
-This helps for packet filters that don't retain state across reboots.
.Pp
.Nm
checks the list of active entries every
@@ -124,22 +111,93 @@ seconds (default
.Dv 15 )
and removes entries and block rules using the control program as necessary.
.Pp
+The following options are available:
+.Bl -tag -width indent
+.It Fl C Ar controlprog
+Use
+.Ar controlprog
+to communicate with the packet filter, usually
+.Pa /libexec/blacklistd-helper .
+The following arguments are passed to the control program:
+.Bl -tag -width protocol
+.It action
+The action to perform:
+.Dv add ,
+.Dv rem ,
+or
+.Dv flush
+to add, remove or flush a firewall rule.
+.It name
+The rule name.
+.It protocol
+The optional protocol name (can be empty):
+.Dv tcp ,
+.Dv tcp6 ,
+.Dv udp ,
+.Dv udp6 .
+.It address
+The IPv4 or IPv6 numeric address to be blocked or released.
+.It mask
+The numeric mask to be applied to the blocked or released address
+.It port
+The optional numeric port to be blocked (can be empty).
+.It id
+For packet filters that support removal of rules by rule identifier, the
+identifier of the rule to be removed.
+The add command is expected to return the rule identifier string to stdout.
+.El
+.It Fl c Ar configuration
+The name of the configuration file to read, usually
+.Pa /etc/blacklistd.conf .
+.It Fl D Ar dbfile
+The Berkeley DB file where
+.Nm
+stores its state, usually
+.Pa /var/run/blacklistd.db .
+.It Fl d
Normally,
.Nm
-disassociates itself from the terminal and writes messages to
-.Xr syslogd 8 ,
-unless the
+disassociates itself from the terminal unless the
.Fl d
flag is specified, in which case it stays in the foreground.
-The
-.Fl v
-cases
+.It Fl f
+Truncate the state database and flush all the rules named
+.Ar rulename
+are deleted by invoking the control script as:
+.Bd -literal -offset indent
+control flush <rulename>
+.Ed
+.It Fl P Ar sockspathsfile
+A file containing a list of pathnames, one per line that
+.Nm
+will create sockets to listen to.
+This is useful for chrooted environments.
+.It Fl R Ar rulename
+Specify the default rule name for the packet filter rules, usually
+.Dv blacklistd .
+.It Fl r
+Re-read the firewall rules from the internal database, then
+remove and re-add them.
+This helps for packet filters that don't retain state across reboots.
+.It Fl s Ar sockpath
+Add
+.Ar sockpath
+to the list of Unix sockets
+.Nm
+listens to.
+.It Fl t Ar timeout
+The interval in seconds
+.Nm
+polls the state file to update the rules.
+.It Fl v
+Cause
.Nm
to print
diagnostic messages to
.Dv stdout
instead of
.Xr syslogd 8 .
+.El
.Sh FILES
.Bl -tag -width /libexec/blacklistd-helper -compact
.It Pa /libexec/blacklistd-helper
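Review bot: the new `.It Fl f` entry is grammatically broken: `Truncate the state database and flush all the rules named` / `.Ar rulename` / `are deleted by invoking the control script as:` splices the old "are deleted" wording onto the new imperative lead, so the sentence has no subject for "are deleted". Suggest "Truncate the state database and delete all the rules named .Ar rulename by invoking the control script as:". Smaller points in the same list: the `mask` item (`The numeric mask to be applied to the blocked or released address`) lacks a terminating period, the `.It Fl P` text needs a comma after "one per line", and the `.It Fl d` entry describes the flag by restating the default ("Normally, .Nm disassociates itself from the terminal unless the .Fl d flag is specified") rather than stating what `-d` does; a direct "Stay in the foreground instead of disassociating from the terminal." reads better in a tag list. In the nested argument list, the items (`.It action`, `.It name`, ...) are argument names and would normally be marked up as `.It Ar action` for consistent rendering with the rest of the page.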