| 360319 |
25-Apr-2020 |
emaste |
MFC r360144: blacklistd.8: fix db file path
PR: 245781
Submitted by: Jose Luis Duran |
| 332571 |
16-Apr-2018 |
lidl |
MFC r328861: Update blacklist-helper to not emit messages from pf during operation.
Use 'pfctl -k' when blocking a site to kill active tcp connections
from the blocked address.
Fix 'purge' operation for pf, which must dynamically determine which
filters have been created, so the filters can be flushed by name. |
| 331080 |
16-Mar-2018 |
lidl |
Revert attempted MFC. It included unwanted changes. |
| 331079 |
16-Mar-2018 |
lidl |
MFC r328861: improve blacklist-helper shell script |
| 318950 |
26-May-2017 |
lidl |
MFC r318755: Extend libblacklist support with new action types
The original blacklist library supported two notification types:
- failed auth attempt, which incremented the failed login count
by one for the remote address
- successful auth attempt, which reset the failed login count
to zero for that remote address
When the failed login count reached the limit in the configuration
file, the remote address would be blocked by a packet filter.
This patch implements a new notification type, "abusive behavior",
and accepts, but does not act on an additional type, "bad username".
It is envisioned that a system administrator will configure a small
list of "known bad usernames" that should be blocked immediately.
Sponsored by: The FreeBSD Foundation |
| 318239 |
12-May-2017 |
lidl |
MFC r317802:
Merge latest version of blacklist sources from NetBSD (@ 20170503)
Sponsored by: The FreeBSD Foundation |
| 314325 |
27-Feb-2017 |
lidl |
MFC r314120: Reset failed login count to zero when removing a blocked address
The blacklistd daemon keeps records of failed login attempts for
each address:port that is flagged as a failed login. When a
successful login occurs for that address:port combination,
the record's last update time is set to zero, to indicate no current
failed login attempts.
Reset the failed login count to zero, so that at the next failed
login attempt, the counting will restart properly at zero. Without
this reset to zero, the first failed login after a successful login
will cause the address to be blocked immediately.
When debugging is turned on, output more information about database
state before and after the database updates have occured.
A similar patch has already been upstreamed to NetBSD.
Sponsored by: The FreeBSD Foundation |
| 314324 |
27-Feb-2017 |
lidl |
MFC r314111: Improve ipfw rule creation for blacklist-helper script
When blocking an address, the blacklist-helper script
needs to do the following things for the ipfw packet
filter:
- create a table to hold the addresses to be blocked,
so lookups can be done quickly, and place the address
to be blocked in that table
- create rule that does the lookup in the table and
blocks the packet
The ipfw system allows multiple rules to be inserted for
a given rule number. There only needs to be one rule
to do the lookup per port. Modify the script to probe
for the existence of the rule before attempting to create
it, so only one rule is inserted, rather than one rule per
blocked address.
PR: 214980
Reported by: azhegalov (at) gmail.com
Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D9681 |
| 307171 |
13-Oct-2016 |
lidl |
MFC r306695: Make blacklist-helper commands emit a message when successful
The blacklistd daemon expects to see a message on stdout, instead
of just relying on the exit value from any invoked programs.
Change the pf filtering to create multiple filters, attached under
a the "blacklist/*" anchor point. This prevents the filtering for
each port's filtering rule from overwriting the previously installed
filtering rule. Check for an existing filtering rule for each port,
so the installation of a given filtering rule only happens once.
Reinstalling the same rule resets the counters for the pf rule, and
we don't want that.
Sponsored by: The FreeBSD Foundation |
| 306799 |
07-Oct-2016 |
lidl |
MFC r306508: Fix blacklistd's state restoral at startup
The blacklistd daemon attempted to restore the filtering rules
before the database of blocked addresses was opened, so no rules
were being reloaded. Now the rules are properly recreated when the
daemon is started with '-r'.
This bug was fixed locally, and then sent upstream to NetBSD.
This changeset is the import the NetBSD version of the change,
which added debugging output to alert about a null database.
Sponsored by: The FreeBSD Foundation |
| 306798 |
07-Oct-2016 |
lidl |
MFC r306507: Update blacklistd.8 with changes from NetBSD
Sponsored by: The FreeBSD Foundation |
| 304028 |
12-Aug-2016 |
lidl |
MFC r303518:
libblacklist: Do not use %m for logging, use strerror(errno)
The blacklist library can accept a function to use for logging,
defaulting to vsyslog(), if no function is specified. Make the
blacklist library use strerror(errno) explicitly, instead of %m,
so that the passed in function does not need to support the
syslog specific placeholder.
This matches a change already submitted and accepted upstream.
Sponsored by: The FreeBSD Foundation |
| 302408 |
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| 301843 |
12-Jun-2016 |
lidl |
Add ipfilter support to blacklistd-helper
In addition to adding initial support for the ipfilter
packet filtering system, wrap a few long lines, perform
whitespace cleanup and sync with upstream changes made
in NetBSD.
Submitted by: cy
Reviewed by: cy
Approved by: re (hrs)
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6823
|
| 301736 |
09-Jun-2016 |
lidl |
Add IPFW support to blacklistd-helper
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6753
|
| 301603 |
08-Jun-2016 |
garga |
Move misplaced break statement to right place
Reported by: Coverity
CID: 1304340
Reviewed by: lidl
Differential Revision: https://reviews.freebsd.org/D6749
Sponsored by: Rubicon Communications (Netgate)
|
| 301555 |
07-Jun-2016 |
lidl |
Bump dates in blacklist related manpages
Reported by: araujo
Sponsored by: The FreeBSD Foundation
|
| 301552 |
07-Jun-2016 |
lidl |
Note blacklist support first appeared in FreeBSD 11
Reported by: jbeich
Sponsored by: The FreeBSD Foundation
|
| 301219 |
02-Jun-2016 |
lidl |
Fixup path in NetBSD supplied documentation for FreeBSD
NetBSD installs the blacklist-helper script in /libexec, and
it goes into /usr/libexec on FreeBSD. Update the docs to
match FreeBSD's installation location.
Reviewed by: rpaulo
Approved by: rpaulo
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6592
|
| 301172 |
01-Jun-2016 |
lidl |
Import NetBSD's blacklist source from vendor tree
This import includes The basic blacklist library and utility programs,
to add a system-wide packet filtering notification mechanism to
FreeBSD.
The rational behind the daemon was given by Christos Zoulas in a
presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
Reviewed by: rpaulo
Approved by: rpaulo
Obtained from: NetBSD
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5912
|
| 301169 |
01-Jun-2016 |
lidl |
Reviewed by: rpaulo
Approved by: rpaulo
Obtained from: NetBSD external/bsd/blacklist @ 20160409
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5912
|