Thanks everyone for their feedback; there is a new blacklistd.tar.gz
in the same place (http://www.netbsd.org/~christos/blacklistd.tar.gz)
with the following new features:

        - udp now works
        - patches for named in addition to sshd
        - efficiency fixes
        - allow address selection and individual per blacklist rule npf
          rule names
        - NetBSD rc system integration
        - linux and macosx port (cd port; autoreconf -f -i; make)
          XXX: alas no iptables shell script (yet), and no packet filter
          in MacOS/X
          XXX: No packaging for linux and MacOS/X
        - new TODO file
        - multiple socket support to handle chrooted daemons (like syslogd)

Simple instructions:

- extract the tar, make includes && make && make install
- Apply the patches to sshd and named.
- Fix the named and sshd Makefiles, simply:

        SRCS+=pfilter.c
        LDADD+=-lblacklist

- Build and install
- Edit your npf.conf to add the blacklist dynamic ruleset, see the README
  file for that.
- Edit your /etc/rc.conf to add:

        blacklistd=YES

- Restart the daemons

        env - /etc/rc.d/blacklistd restart
        env - /etc/rc.d/named restart
        env - /etc/rc.d/sshd restart

- See activity:

        grep blacklistd /var/log/messages

- See blocked addresses

        npfctl rule blacklistd list

Enjoy,

christos