authorlidl <lidl@FreeBSD.org>2016-06-02 19:06:04 +0000
committerlidl <lidl@FreeBSD.org>2016-06-02 19:06:04 +0000
commit6f31a383cc6d2459585d754d3d30f980487df06f (patch)
tree45c1a8bc32e7b9d60122086211c8fa6df289de16 /etc
parent44920da28cde32f352e76a4220b068c8f623c60d (diff)
downloadFreeBSD-src-6f31a383cc6d2459585d754d3d30f980487df06f.zip
FreeBSD-src-6f31a383cc6d2459585d754d3d30f980487df06f.tar.gz
Add basic blacklist build support
Reviewed by: rpaulo Approved by: rpaulo Relnotes: YES Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D5913
Diffstat (limited to 'etc')
-rw-r--r--etc/Makefile4
-rw-r--r--etc/blacklistd.conf17
-rw-r--r--etc/defaults/rc.conf2
-rwxr-xr-xetc/periodic/security/520.pfdenied10
-rw-r--r--etc/rc.d/Makefile5
-rw-r--r--etc/rc.d/blacklistd45
6 files changed, 81 insertions, 2 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 94c4473..99d905a 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -86,6 +86,10 @@ BIN1+= apmd.conf
BIN1+= auto_master
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
.if ${MK_FREEBSD_UPDATE} != "no"
BIN1+= freebsd-update.conf
.endif
diff --git a/etc/blacklistd.conf b/etc/blacklistd.conf
new file mode 100644
index 0000000..2b1cf87
--- /dev/null
+++ b/etc/blacklistd.conf
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 24h
+ftp stream * * * 3 24h
+smtp stream * * * 3 24h
+submission stream * * * 3 24h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
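Review bot: The commented `[remote]` example `#129.168.0.0/16 * * * = * *` looks like a typo for the private range `192.168.0.0/16`; an administrator who uncomments it expecting to exempt their LAN would instead write a rule for a public /16, since 129.168.0.0/16 is not RFC 1918 space. Suggest `#192.168.0.0/16 * * * = * *`. The header comment should also explain the `[local]` catch-all `* * * * * 3 60` (every other service that reports to blacklistd is blocked after 3 failures, for 60 — presumably seconds — versus `24h` for the named services) and warn that `ssh ... 3 24h` can lock an operator out of a remote host after three failed logins, so thresholds deserve review before this ships enabled.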
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 80061d1..8a5c07e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
+blacklistd_flags="" # Optional flags for blacklistd(8).
#
# kerberos. Do not run the admin daemons on slave servers
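Review bot: `blacklistd_enable="YES"` turns the new daemon on for every install, whereas the neighbouring entries in this hunk (`ctld_enable="NO"`, `local_unbound_enable="NO"`) follow the usual defaults/rc.conf convention of shipping new services off. The rc script added in this commit has `REQUIRE: pf`, so on a stock system the daemon would run with no packet filter behind it unless pf has been enabled separately, and every host gets an additional privileged service whether or not it wants one. Suggest `blacklistd_enable="NO"  # Run blacklistd daemon (YES/NO).` and calling out the opt-in in the release notes, which are already marked Relnotes: YES.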
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index f2f9e8a..850c10d 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
@@ -44,8 +44,14 @@ rc=0
if check_yesno_period security_status_pfdenied_enable
then
TMP=`mktemp -t security`
- if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
- check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ touch ${TMP}
+ for _a in "" blacklistd
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
rc=$?
rm -f ${TMP}
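Review bot: With the empty first value of `_a`, the unquoted `${_a}` in `pfctl -a ${_a} -sr -v -z` disappears and pfctl is invoked as `pfctl -a -sr -v -z`, so `-a` consumes `-sr` as its anchor name and the main ruleset that the old single `pfctl -sr -v -z` call reported is no longer listed — the `2>/dev/null` hides whatever pfctl says about it. Quoting alone (`-a "${_a}"`) is not a safe fix either, because pfctl may reject an empty anchor name; only pass `-a` when there is a real anchor, as below. Separately, if blacklistd-helper installs its block rules in per-port sub-anchors under `blacklistd` rather than in the `blacklistd` anchor itself, `-a blacklistd -sr` will list only the parent anchor's contents — worth confirming against the helper and enumerating the sub-anchors if so.
```shell
	for _a in "" blacklistd
	do
		# The main ruleset has no anchor name; pass -a only for a real anchor.
		if [ -n "${_a}" ]; then
			_anchor="-a ${_a}"
		else
			_anchor=""
		fi
		pfctl ${_anchor} -sr -v -z 2>/dev/null | \
		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
	done
```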
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index e5f15e7..2d195f1 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -17,6 +17,7 @@ FILES= DAEMON \
auditd \
auditdistd \
bgfsck \
+ ${_blacklistd} \
${_bluetooth} \
bridge \
${_bthidd} \
@@ -168,6 +169,10 @@ FILES+= automountd
FILES+= autounmountd
.endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+= blacklistd
+.endif
+
.if ${MK_BLUETOOTH} != "no"
_bluetooth= bluetooth
_bthidd= bthidd
diff --git a/etc/rc.d/blacklistd b/etc/rc.d/blacklistd
new file mode 100644
index 0000000..8e79250
--- /dev/null
+++ b/etc/rc.d/blacklistd
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"
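Review bot: `REQUIRE: netif pf` only orders this script after pf; it does not check that a packet filter is actually enabled, and because this commit also sets `blacklistd_enable="YES"` in defaults/rc.conf, a stock install starts the daemon with nothing to enforce its blocks unless pf has been turned on separately. A `start_precmd` that warns when `pf_enable` is not YES makes the misconfiguration visible at boot; keep it a warning rather than a hard failure if the daemon is meant to work with other filter backends, which this script does not show. The script also sets no `blacklistd_user`, so the daemon apparently runs as root — if it needs root only to drive pfctl, a short comment saying so would help the next reviewer.
```shell
required_files="/etc/blacklistd.conf"
start_precmd="blacklistd_precmd"

# Warn when no packet filter is enabled to back the blacklist (see REQUIRE: pf).
blacklistd_precmd()
{
	if ! checkyesno pf_enable; then
		warn "pf_enable is not YES; blacklistd will have no filter to enforce its blocks"
	fi
}

# … unchanged: load_rc_config / run_rc_command …
```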