| @@ -1,284 +1,284 @@ | | | @@ -1,284 +1,284 @@ |
1 | .\" $NetBSD: blacklistd.8,v 1.22 2020/03/30 08:45:09 wiz Exp $ | | 1 | .\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2015 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2015 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" This code is derived from software contributed to The NetBSD Foundation | | 6 | .\" This code is derived from software contributed to The NetBSD Foundation |
7 | .\" by Christos Zoulas. | | 7 | .\" by Christos Zoulas. |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
15 | .\" notice, this list of conditions and the following disclaimer in the | | 15 | .\" notice, this list of conditions and the following disclaimer in the |
16 | .\" documentation and/or other materials provided with the distribution. | | 16 | .\" documentation and/or other materials provided with the distribution. |
17 | .\" | | 17 | .\" |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
28 | .\" POSSIBILITY OF SUCH DAMAGE. | | 28 | .\" POSSIBILITY OF SUCH DAMAGE. |
29 | .\" | | 29 | .\" |
30 | .Dd March 29, 2020 | | 30 | .Dd April 21, 2020 |
31 | .Dt BLACKLISTD 8 | | 31 | .Dt BLACKLISTD 8 |
32 | .Os | | 32 | .Os |
33 | .Sh NAME | | 33 | .Sh NAME |
34 | .Nm blacklistd | | 34 | .Nm blacklistd |
35 | .Nd block and release ports on demand to avoid DoS abuse | | 35 | .Nd block and release ports on demand to avoid DoS abuse |
36 | .Sh SYNOPSIS | | 36 | .Sh SYNOPSIS |
37 | .Nm | | 37 | .Nm |
38 | .Op Fl dfrv | | 38 | .Op Fl dfrv |
39 | .Op Fl C Ar controlprog | | 39 | .Op Fl C Ar controlprog |
40 | .Op Fl c Ar configfile | | 40 | .Op Fl c Ar configfile |
41 | .Op Fl D Ar dbfile | | 41 | .Op Fl D Ar dbfile |
42 | .Op Fl P Ar sockpathsfile | | 42 | .Op Fl P Ar sockpathsfile |
43 | .Op Fl R Ar rulename | | 43 | .Op Fl R Ar rulename |
44 | .Op Fl s Ar sockpath | | 44 | .Op Fl s Ar sockpath |
45 | .Op Fl t Ar timeout | | 45 | .Op Fl t Ar timeout |
46 | .Sh DESCRIPTION | | 46 | .Sh DESCRIPTION |
47 | .Nm | | 47 | .Nm |
48 | is a daemon similar to | | 48 | is a daemon similar to |
49 | .Xr syslogd 8 | | 49 | .Xr syslogd 8 |
50 | that listens to sockets at paths specified in the | | 50 | that listens to sockets at paths specified in the |
51 | .Ar sockpathsfile | | 51 | .Ar sockpathsfile |
52 | for notifications from other daemons about successful or failed connection | | 52 | for notifications from other daemons about successful or failed connection |
53 | attempts. | | 53 | attempts. |
54 | If no such file is specified, then it only listens to the socket path | | 54 | If no such file is specified, then it only listens to the socket path |
55 | specified by | | 55 | specified by |
56 | .Ar sockspath | | 56 | .Ar sockspath |
57 | or if that is not specified to | | 57 | or if that is not specified to |
58 | .Pa /var/run/blacklistd.sock . | | 58 | .Pa /var/run/blacklistd.sock . |
59 | Each notification contains an (action, port, protocol, address, owner) tuple | | 59 | Each notification contains an (action, port, protocol, address, owner) tuple |
60 | that identifies the remote connection and the action. | | 60 | that identifies the remote connection and the action. |
61 | This tuple is consulted against entries in | | 61 | This tuple is consulted against entries in |
62 | .Ar configfile | | 62 | .Ar configfile |
63 | with syntax specified in | | 63 | with syntax specified in |
64 | .Xr blacklistd.conf 5 . | | 64 | .Xr blacklistd.conf 5 . |
65 | If an entry is matched, a state entry is created for that tuple. | | 65 | If an entry is matched, a state entry is created for that tuple. |
66 | Each entry contains a number of tries limit and a duration. | | 66 | Each entry contains a number of tries limit and a duration. |
67 | .Pp | | 67 | .Pp |
68 | The way | | 68 | The way |
69 | .Nm | | 69 | .Nm |
70 | does configuration entry matching is by having the client side pass the | | 70 | does configuration entry matching is by having the client side pass the |
71 | file descriptor associated with the connection the client wants to blacklist | | 71 | file descriptor associated with the connection the client wants to blacklist |
72 | as well as passing socket credentials. | | 72 | as well as passing socket credentials. |
73 | .Pp | | 73 | .Pp |
74 | The file descriptor is used to retrieve information (address and port) | | 74 | The file descriptor is used to retrieve information (address and port) |
75 | about the remote side with | | 75 | about the remote side with |
76 | .Xr getpeername 2 | | 76 | .Xr getpeername 2 |
77 | and the local side with | | 77 | and the local side with |
78 | .Xr getsockname 2 . | | 78 | .Xr getsockname 2 . |
79 | .Pp | | 79 | .Pp |
80 | By examining the port of the local side, | | 80 | By examining the port of the local side, |
81 | .Nm | | 81 | .Nm |
82 | can determine if the client program | | 82 | can determine if the client program |
83 | .Dq owns | | 83 | .Dq owns |
84 | the port. | | 84 | the port. |
85 | By examining the optional address portion on the local side, it can match | | 85 | By examining the optional address portion on the local side, it can match |
86 | interfaces. | | 86 | interfaces. |
87 | By examining the remote address, it can match specific allow or deny rules. | | 87 | By examining the remote address, it can match specific allow or deny rules. |
88 | .Pp | | 88 | .Pp |
89 | Finally | | 89 | Finally |
90 | .Nm | | 90 | .Nm |
91 | can examine the socket credentials to match the user in the configuration file. | | 91 | can examine the socket credentials to match the user in the configuration file. |
92 | .Pp | | 92 | .Pp |
93 | While this works well for TCP sockets, it cannot be relied on for unbound | | 93 | While this works well for TCP sockets, it cannot be relied on for unbound |
94 | UDP sockets. | | 94 | UDP sockets. |
95 | It is also less meaningful when it comes to connections using non-privileged | | 95 | It is also less meaningful when it comes to connections using non-privileged |
96 | ports. | | 96 | ports. |
97 | On the other hand, if we receive a request that has a local endpoint indicating | | 97 | On the other hand, if we receive a request that has a local endpoint indicating |
98 | a UDP privileged port, we can presume that the client was privileged to be | | 98 | a UDP privileged port, we can presume that the client was privileged to be |
99 | able to acquire that port. | | 99 | able to acquire that port. |
100 | .Pp | | 100 | .Pp |
101 | Once an entry is matched | | 101 | Once an entry is matched |
102 | .Nm | | 102 | .Nm |
103 | can perform various actions. | | 103 | can perform various actions. |
104 | If the action is | | 104 | If the action is |
105 | .Dq add | | 105 | .Dq add |
106 | and the number of tries limit is reached, then a | | 106 | and the number of tries limit is reached, then a |
107 | control script | | 107 | control script |
108 | .Ar controlprog | | 108 | .Ar controlprog |
109 | is invoked with arguments: | | 109 | is invoked with arguments: |
110 | .Bd -literal -offset indent | | 110 | .Bd -literal -offset indent |
111 | control add <rulename> <proto> <address> <mask> <port> | | 111 | control add <rulename> <proto> <address> <mask> <port> |
112 | .Ed | | 112 | .Ed |
113 | .Pp | | 113 | .Pp |
114 | and should invoke a packet filter command to block the connection | | 114 | and should invoke a packet filter command to block the connection |
115 | specified by the arguments. | | 115 | specified by the arguments. |
116 | The | | 116 | The |
117 | .Ar rulename | | 117 | .Ar rulename |
118 | argument can be set from the command line (default | | 118 | argument can be set from the command line (default |
119 | .Dv blacklistd ) . | | 119 | .Dv blacklistd ) . |
120 | The script could print a numerical id to stdout as a handle for | | 120 | The script could print a numerical id to stdout as a handle for |
121 | the rule that can be used later to remove that connection, but | | 121 | the rule that can be used later to remove that connection, but |
122 | that is not required as all information to remove the rule is | | 122 | that is not required as all information to remove the rule is |
123 | kept. | | 123 | kept. |
124 | .Pp | | 124 | .Pp |
125 | If the action is | | 125 | If the action is |
126 | .Dq remove | | 126 | .Dq remove |
127 | Then the same control script is invoked as: | | 127 | Then the same control script is invoked as: |
128 | .Bd -literal -offset indent | | 128 | .Bd -literal -offset indent |
129 | control remove <rulename> <proto> <address> <mask> <port> <id> | | 129 | control remove <rulename> <proto> <address> <mask> <port> <id> |
130 | .Ed | | 130 | .Ed |
131 | .Pp | | 131 | .Pp |
132 | where | | 132 | where |
133 | .Ar id | | 133 | .Ar id |
134 | is the number returned from the | | 134 | is the number returned from the |
135 | .Dq add | | 135 | .Dq add |
136 | action. | | 136 | action. |
137 | .Pp | | 137 | .Pp |
138 | .Nm | | 138 | .Nm |
139 | maintains a database of known connections in | | 139 | maintains a database of known connections in |
140 | .Ar dbfile . | | 140 | .Ar dbfile . |
141 | On startup it reads entries from that file, and updates its internal state. | | 141 | On startup it reads entries from that file, and updates its internal state. |
142 | .Pp | | 142 | .Pp |
143 | .Nm | | 143 | .Nm |
144 | checks the list of active entries every | | 144 | checks the list of active entries every |
145 | .Ar timeout | | 145 | .Ar timeout |
146 | seconds (default | | 146 | seconds (default |
147 | .Dv 15 ) | | 147 | .Dv 15 ) |
148 | and removes entries and block rules using the control program as necessary. | | 148 | and removes entries and block rules using the control program as necessary. |
149 | .Pp | | 149 | .Pp |
150 | The following options are available: | | 150 | The following options are available: |
151 | .Bl -tag -width indent | | 151 | .Bl -tag -width indent |
152 | .It Fl C Ar controlprog | | 152 | .It Fl C Ar controlprog |
153 | Use | | 153 | Use |
154 | .Ar controlprog | | 154 | .Ar controlprog |
155 | to communicate with the packet filter, usually | | 155 | to communicate with the packet filter, usually |
156 | .Pa /libexec/blacklistd-helper . | | 156 | .Pa /libexec/blacklistd-helper . |
157 | The following arguments are passed to the control program: | | 157 | The following arguments are passed to the control program: |
158 | .Bl -tag -width protocol | | 158 | .Bl -tag -width protocol |
159 | .It action | | 159 | .It action |
160 | The action to perform: | | 160 | The action to perform: |
161 | .Dv add , | | 161 | .Dv add , |
162 | .Dv rem , | | 162 | .Dv rem , |
163 | or | | 163 | or |
164 | .Dv flush | | 164 | .Dv flush |
165 | to add, remove or flush a firewall rule. | | 165 | to add, remove or flush a firewall rule. |
166 | .It name | | 166 | .It name |
167 | The rule name. | | 167 | The rule name. |
168 | .It protocol | | 168 | .It protocol |
169 | The optional protocol name (can be empty): | | 169 | The optional protocol name (can be empty): |
170 | .Dv tcp , | | 170 | .Dv tcp , |
171 | .Dv tcp6 , | | 171 | .Dv tcp6 , |
172 | .Dv udp , | | 172 | .Dv udp , |
173 | .Dv udp6 . | | 173 | .Dv udp6 . |
174 | .It address | | 174 | .It address |
175 | The IPv4 or IPv6 numeric address to be blocked or released. | | 175 | The IPv4 or IPv6 numeric address to be blocked or released. |
176 | .It mask | | 176 | .It mask |
177 | The numeric mask to be applied to the blocked or released address | | 177 | The numeric mask to be applied to the blocked or released address |
178 | .It port | | 178 | .It port |
179 | The optional numeric port to be blocked (can be empty). | | 179 | The optional numeric port to be blocked (can be empty). |
180 | .It id | | 180 | .It id |
181 | For packet filters that support removal of rules by rule identifier, the | | 181 | For packet filters that support removal of rules by rule identifier, the |
182 | identifier of the rule to be removed. | | 182 | identifier of the rule to be removed. |
183 | The add command is expected to return the rule identifier string to stdout. | | 183 | The add command is expected to return the rule identifier string to stdout. |
184 | .El | | 184 | .El |
185 | .It Fl c Ar configuration | | 185 | .It Fl c Ar configuration |
186 | The name of the configuration file to read, usually | | 186 | The name of the configuration file to read, usually |
187 | .Pa /etc/blacklistd.conf . | | 187 | .Pa /etc/blacklistd.conf . |
188 | .It Fl D Ar dbfile | | 188 | .It Fl D Ar dbfile |
189 | The Berkeley DB file where | | 189 | The Berkeley DB file where |
190 | .Nm | | 190 | .Nm |
191 | stores its state, usually | | 191 | stores its state, usually |
192 | .Pa /var/run/blacklistd.db . | | 192 | .Pa /var/db/blacklistd.db . |
193 | .It Fl d | | 193 | .It Fl d |
194 | Normally, | | 194 | Normally, |
195 | .Nm | | 195 | .Nm |
196 | disassociates itself from the terminal unless the | | 196 | disassociates itself from the terminal unless the |
197 | .Fl d | | 197 | .Fl d |
198 | flag is specified, in which case it stays in the foreground. | | 198 | flag is specified, in which case it stays in the foreground. |
199 | .It Fl f | | 199 | .It Fl f |
200 | Truncate the state database and flush all the rules named | | 200 | Truncate the state database and flush all the rules named |
201 | .Ar rulename | | 201 | .Ar rulename |
202 | are deleted by invoking the control script as: | | 202 | are deleted by invoking the control script as: |
203 | .Bd -literal -offset indent | | 203 | .Bd -literal -offset indent |
204 | control flush <rulename> | | 204 | control flush <rulename> |
205 | .Ed | | 205 | .Ed |
206 | .It Fl P Ar sockspathsfile | | 206 | .It Fl P Ar sockspathsfile |
207 | A file containing a list of pathnames, one per line that | | 207 | A file containing a list of pathnames, one per line that |
208 | .Nm | | 208 | .Nm |
209 | will create sockets to listen to. | | 209 | will create sockets to listen to. |
210 | This is useful for chrooted environments. | | 210 | This is useful for chrooted environments. |
211 | .It Fl R Ar rulename | | 211 | .It Fl R Ar rulename |
212 | Specify the default rule name for the packet filter rules, usually | | 212 | Specify the default rule name for the packet filter rules, usually |
213 | .Dv blacklistd . | | 213 | .Dv blacklistd . |
214 | .It Fl r | | 214 | .It Fl r |
215 | Re-read the firewall rules from the internal database, then | | 215 | Re-read the firewall rules from the internal database, then |
216 | remove and re-add them. | | 216 | remove and re-add them. |
217 | This helps for packet filters that do not retain state across reboots. | | 217 | This helps for packet filters that do not retain state across reboots. |
218 | .It Fl s Ar sockpath | | 218 | .It Fl s Ar sockpath |
219 | Add | | 219 | Add |
220 | .Ar sockpath | | 220 | .Ar sockpath |
221 | to the list of Unix sockets | | 221 | to the list of Unix sockets |
222 | .Nm | | 222 | .Nm |
223 | listens to. | | 223 | listens to. |
224 | .It Fl t Ar timeout | | 224 | .It Fl t Ar timeout |
225 | The interval in seconds | | 225 | The interval in seconds |
226 | .Nm | | 226 | .Nm |
227 | polls the state file to update the rules. | | 227 | polls the state file to update the rules. |
228 | .It Fl v | | 228 | .It Fl v |
229 | Cause | | 229 | Cause |
230 | .Nm | | 230 | .Nm |
231 | to print | | 231 | to print |
232 | diagnostic messages to | | 232 | diagnostic messages to |
233 | .Dv stdout | | 233 | .Dv stdout |
234 | instead of | | 234 | instead of |
235 | .Xr syslogd 8 . | | 235 | .Xr syslogd 8 . |
236 | .El | | 236 | .El |
237 | .Sh SIGNAL HANDLING | | 237 | .Sh SIGNAL HANDLING |
238 | .Nm | | 238 | .Nm |
239 | deals with the following signals: | | 239 | deals with the following signals: |
240 | .Bl -tag -width "USR2" | | 240 | .Bl -tag -width "USR2" |
241 | .It Dv HUP | | 241 | .It Dv HUP |
242 | Receipt of this signal causes | | 242 | Receipt of this signal causes |
243 | .Nm | | 243 | .Nm |
244 | to re-read the configuration file. | | 244 | to re-read the configuration file. |
245 | .It Dv INT , Dv TERM & Dv QUIT | | 245 | .It Dv INT , Dv TERM & Dv QUIT |
246 | These signals tell | | 246 | These signals tell |
247 | .Nm | | 247 | .Nm |
248 | to exit in an orderly fashion. | | 248 | to exit in an orderly fashion. |
249 | .It Dv USR1 | | 249 | .It Dv USR1 |
250 | This signal tells | | 250 | This signal tells |
251 | .Nm | | 251 | .Nm |
252 | to increase the internal debugging level by 1. | | 252 | to increase the internal debugging level by 1. |
253 | .It Dv USR2 | | 253 | .It Dv USR2 |
254 | This signal tells | | 254 | This signal tells |
255 | .Nm | | 255 | .Nm |
256 | to decrease the internal debugging level by 1. | | 256 | to decrease the internal debugging level by 1. |
257 | .El | | 257 | .El |
258 | .Sh FILES | | 258 | .Sh FILES |
259 | .Bl -tag -width /libexec/blacklistd-helper -compact | | 259 | .Bl -tag -width /libexec/blacklistd-helper -compact |
260 | .It Pa /libexec/blacklistd-helper | | 260 | .It Pa /libexec/blacklistd-helper |
261 | Shell script invoked to interface with the packet filter. | | 261 | Shell script invoked to interface with the packet filter. |
262 | .It Pa /etc/blacklistd.conf | | 262 | .It Pa /etc/blacklistd.conf |
263 | Configuration file. | | 263 | Configuration file. |
264 | .It Pa /var/db/blacklistd.db | | 264 | .It Pa /var/db/blacklistd.db |
265 | Database of current connection entries. | | 265 | Database of current connection entries. |
266 | .It Pa /var/run/blacklistd.sock | | 266 | .It Pa /var/run/blacklistd.sock |
267 | Socket to receive connection notifications. | | 267 | Socket to receive connection notifications. |
268 | .El | | 268 | .El |
269 | .Sh SEE ALSO | | 269 | .Sh SEE ALSO |
270 | .Xr blacklistd.conf 5 , | | 270 | .Xr blacklistd.conf 5 , |
271 | .Xr blacklistctl 8 , | | 271 | .Xr blacklistctl 8 , |
272 | .Xr npfctl 8 , | | 272 | .Xr npfctl 8 , |
273 | .Xr syslogd 8 | | 273 | .Xr syslogd 8 |
274 | .Sh HISTORY | | 274 | .Sh HISTORY |
275 | .Nm | | 275 | .Nm |
276 | first appeared in | | 276 | first appeared in |
277 | .Nx 7 . | | 277 | .Nx 7 . |
278 | .Fx | | 278 | .Fx |
279 | support for | | 279 | support for |
280 | .Nm | | 280 | .Nm |
281 | was implemented in | | 281 | was implemented in |
282 | .Fx 11 . | | 282 | .Fx 11 . |
283 | .Sh AUTHORS | | 283 | .Sh AUTHORS |
284 | .An Christos Zoulas | | 284 | .An Christos Zoulas |
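Review bot: the `-D` default on the new line 192 (`.Pa /var/db/blacklistd.db .`) now agrees with the FILES entry at line 264, which is the right fix since the database must survive reboots and `/var/run` does not; the `.Dd` bump to April 21, 2020 that accompanies a content change is also correct. Since this pass touches the same page, a few other argument-name mismatches visible in the hunk could be cleaned up at the same time: the SYNOPSIS declares `.Op Fl s Ar sockpath`, `.Op Fl P Ar sockpathsfile` and `.Op Fl c Ar configfile`, but the DESCRIPTION refers to `.Ar sockspath` (line 56), the option list uses `.It Fl P Ar sockspathsfile` (line 206) and `.It Fl c Ar configuration` (line 185). Likewise the control-script argument list names the action `.Dv rem` (line 162) while the prose says the script is invoked as `control remove ...` (line 129); one spelling should be chosen and used in both places so people writing their own `controlprog` know what string to expect.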