360319 |
25-Apr-2020 |
emaste |
MFC r360144: blacklistd.8: fix db file path
PR: 245781 Submitted by: Jose Luis Duran |
332571 |
16-Apr-2018 |
lidl |
MFC r328861: Update blacklist-helper to not emit messages from pf during operation.
Use 'pfctl -k' when blocking a site to kill active tcp connections from the blocked address.
Fix 'purge' operation for pf, which must dynamically determine which filters have been created, so the filters can be flushed by name. |
331080 |
16-Mar-2018 |
lidl |
Revert attempted MFC. It included unwanted changes. |
331079 |
16-Mar-2018 |
lidl |
MFC r328861: improve blacklist-helper shell script |
318950 |
26-May-2017 |
lidl |
MFC r318755: Extend libblacklist support with new action types
The original blacklist library supported two notification types: - failed auth attempt, which incremented the failed login count by one for the remote address - successful auth attempt, which reset the failed login count to zero for that remote address
When the failed login count reached the limit in the configuration file, the remote address would be blocked by a packet filter.
This patch implements a new notification type, "abusive behavior", and accepts, but does not act on an additional type, "bad username". It is envisioned that a system administrator will configure a small list of "known bad usernames" that should be blocked immediately.
Sponsored by: The FreeBSD Foundation |
318239 |
12-May-2017 |
lidl |
MFC r317802: Merge latest version of blacklist sources from NetBSD (@ 20170503)
Sponsored by: The FreeBSD Foundation |
314325 |
27-Feb-2017 |
lidl |
MFC r314120: Reset failed login count to zero when removing a blocked address
The blacklistd daemon keeps records of failed login attempts for each address:port that is flagged as a failed login. When a successful login occurs for that address:port combination, the record's last update time is set to zero, to indicate no current failed login attempts.
Reset the failed login count to zero, so that at the next failed login attempt, the counting will restart properly at zero. Without this reset to zero, the first failed login after a successful login will cause the address to be blocked immediately.
When debugging is turned on, output more information about database state before and after the database updates have occured.
A similar patch has already been upstreamed to NetBSD.
Sponsored by: The FreeBSD Foundation |
314324 |
27-Feb-2017 |
lidl |
MFC r314111: Improve ipfw rule creation for blacklist-helper script
When blocking an address, the blacklist-helper script needs to do the following things for the ipfw packet filter:
- create a table to hold the addresses to be blocked, so lookups can be done quickly, and place the address to be blocked in that table - create rule that does the lookup in the table and blocks the packet
The ipfw system allows multiple rules to be inserted for a given rule number. There only needs to be one rule to do the lookup per port. Modify the script to probe for the existence of the rule before attempting to create it, so only one rule is inserted, rather than one rule per blocked address.
PR: 214980 Reported by: azhegalov (at) gmail.com Reviewed by: emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D9681 |
307171 |
13-Oct-2016 |
lidl |
MFC r306695: Make blacklist-helper commands emit a message when successful
The blacklistd daemon expects to see a message on stdout, instead of just relying on the exit value from any invoked programs.
Change the pf filtering to create multiple filters, attached under a the "blacklist/*" anchor point. This prevents the filtering for each port's filtering rule from overwriting the previously installed filtering rule. Check for an existing filtering rule for each port, so the installation of a given filtering rule only happens once. Reinstalling the same rule resets the counters for the pf rule, and we don't want that.
Sponsored by: The FreeBSD Foundation |
306799 |
07-Oct-2016 |
lidl |
MFC r306508: Fix blacklistd's state restoral at startup
The blacklistd daemon attempted to restore the filtering rules before the database of blocked addresses was opened, so no rules were being reloaded. Now the rules are properly recreated when the daemon is started with '-r'.
This bug was fixed locally, and then sent upstream to NetBSD. This changeset is the import the NetBSD version of the change, which added debugging output to alert about a null database.
Sponsored by: The FreeBSD Foundation |
306798 |
07-Oct-2016 |
lidl |
MFC r306507: Update blacklistd.8 with changes from NetBSD
Sponsored by: The FreeBSD Foundation |
304028 |
12-Aug-2016 |
lidl |
MFC r303518: libblacklist: Do not use %m for logging, use strerror(errno)
The blacklist library can accept a function to use for logging, defaulting to vsyslog(), if no function is specified. Make the blacklist library use strerror(errno) explicitly, instead of %m, so that the passed in function does not need to support the syslog specific placeholder.
This matches a change already submitted and accepted upstream. Sponsored by: The FreeBSD Foundation |
302408 |
08-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
301843 |
12-Jun-2016 |
lidl |
Add ipfilter support to blacklistd-helper
In addition to adding initial support for the ipfilter packet filtering system, wrap a few long lines, perform whitespace cleanup and sync with upstream changes made in NetBSD.
Submitted by: cy Reviewed by: cy Approved by: re (hrs) Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D6823
|
301736 |
09-Jun-2016 |
lidl |
Add IPFW support to blacklistd-helper
Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D6753
|
301603 |
08-Jun-2016 |
garga |
Move misplaced break statement to right place
Reported by: Coverity CID: 1304340 Reviewed by: lidl Differential Revision: https://reviews.freebsd.org/D6749 Sponsored by: Rubicon Communications (Netgate)
|
301555 |
07-Jun-2016 |
lidl |
Bump dates in blacklist related manpages
Reported by: araujo Sponsored by: The FreeBSD Foundation
|
301552 |
07-Jun-2016 |
lidl |
Note blacklist support first appeared in FreeBSD 11
Reported by: jbeich Sponsored by: The FreeBSD Foundation
|
301219 |
02-Jun-2016 |
lidl |
Fixup path in NetBSD supplied documentation for FreeBSD
NetBSD installs the blacklist-helper script in /libexec, and it goes into /usr/libexec on FreeBSD. Update the docs to match FreeBSD's installation location.
Reviewed by: rpaulo Approved by: rpaulo Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D6592
|
301172 |
01-Jun-2016 |
lidl |
Import NetBSD's blacklist source from vendor tree
This import includes The basic blacklist library and utility programs, to add a system-wide packet filtering notification mechanism to FreeBSD.
The rational behind the daemon was given by Christos Zoulas in a presentation at vBSDcon 2015: https://youtu.be/fuuf8G28mjs
Reviewed by: rpaulo Approved by: rpaulo Obtained from: NetBSD Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5912
|
301169 |
01-Jun-2016 |
lidl |
Reviewed by: rpaulo Approved by: rpaulo Obtained from: NetBSD external/bsd/blacklist @ 20160409 Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5912
|