Module Name: src Committed By: wiz Date: Fri Feb 9 00:53:30 UTC 2024
Modified Files: src/external/bsd/blocklist: README Log Message: Spelling fixes To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/external/bsd/blocklist/README Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/blocklist/README diff -u src/external/bsd/blocklist/README:1.2 src/external/bsd/blocklist/README:1.3 --- src/external/bsd/blocklist/README:1.2 Mon Jun 15 21:27:57 2020 +++ src/external/bsd/blocklist/README Fri Feb 9 00:53:30 2024 @@ -1,4 +1,4 @@ -# $NetBSD: README,v 1.2 2020/06/15 21:27:57 christos Exp $ +# $NetBSD: README,v 1.3 2024/02/09 00:53:30 wiz Exp $ This package contains library that can be used by network daemons to communicate with a packet filter via a daemon to enforce opening and @@ -15,7 +15,7 @@ blocklistd=YES in /etc/rc.conf, start it There is also a startup file in etc/rc.d/blocklistd -Patches to various daemons to add blocklisting capabilitiers are in the +Patches to various daemons to add blocklisting capabilities are in the "diff" directory: - OpenSSH: diff/ssh.diff [tcp socket example] - Bind: diff/named.diff [both tcp and udp] @@ -24,7 +24,7 @@ Patches to various daemons to add blockl These patches have been applied to NetBSD-current. The network daemon (for example sshd) communicates to blocklistd, via -a unix socket like syslog. The library calls are simple and everything +a Unix socket like syslog. The library calls are simple and everything is handled by the library. In the simplest form the only thing the daemon needs to do is to call: @@ -60,11 +60,11 @@ ssh stream tcp6 * * 6 60m http stream tcp * * 6 60m Here note that owner is * because the connection is done from the -child ssh socket which runs with user privs. We treat ipv4 connections +child ssh socket which runs with user privs. We treat IPv4 connections differently by maintaining two different rules one for the external interface and one from the internal We also register for both tcp and tcp6 since those are different listening sockets and addresses; -we don't bother with ipv6 and separate rules. We use nfail = 6, +we don't bother with IPv6 and separate rules. We use nfail = 6, because ssh allows 3 password attempts per connection, and this will let us have 2 connections before blocking. Finally we block for an hour; we could block forever too by specifying * in the @@ -100,7 +100,7 @@ group "internal" on $int_if { You can use 'blocklistctl dump -a' to list all the current entries in the database; the ones that have nfail <c>/<t> where <c>urrent ->= <t>otal, should have an id assosiated with them; this means that +>= <t>otal, should have an id associated with them; this means that there is a packet filter rule added for that entry. For npf, you can examine the packet filter dynamic rule entries using 'npfctl rule <rulename> list'. The number of current entries can exceed