author | lidl <lidl@FreeBSD.org> | 2016-06-02 19:06:04 +0000 |
committer | lidl <lidl@FreeBSD.org> | 2016-06-02 19:06:04 +0000 |
commit | 6f31a383cc6d2459585d754d3d30f980487df06f (patch) | |
tree | 45c1a8bc32e7b9d60122086211c8fa6df289de16 /etc | |
parent | 44920da28cde32f352e76a4220b068c8f623c60d (diff) | |
Add basic blacklist build support
Reviewed by: rpaulo
Approved by: rpaulo
Relnotes: YES
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D5913
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Makefile | 4 | ||||
-rw-r--r-- | etc/blacklistd.conf | 17 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 2 | ||||
-rwxr-xr-x | etc/periodic/security/520.pfdenied | 10 | ||||
-rw-r--r-- | etc/rc.d/Makefile | 5 | ||||
-rw-r--r-- | etc/rc.d/blacklistd | 45 |
6 files changed, 81 insertions, 2 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 94c4473..99d905a 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -86,6 +86,10 @@ BIN1+= apmd.conf
 BIN1+= auto_master
 .endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+BIN1+= blacklistd.conf
+.endif
+
 .if ${MK_FREEBSD_UPDATE} != "no"
 BIN1+= freebsd-update.conf
 .endif
diff --git a/etc/blacklistd.conf b/etc/blacklistd.conf
new file mode 100644
index 0000000..2b1cf87
--- /dev/null
+++ b/etc/blacklistd.conf
@@ -0,0 +1,17 @@
+# $FreeBSD$
+#
+# Blacklist rule
+# adr/mask:port type proto owner name nfail disable
+[local]
+ssh stream * * * 3 24h
+ftp stream * * * 3 24h
+smtp stream * * * 3 24h
+submission stream * * * 3 24h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail disable
+[remote]
+#129.168.0.0/16 * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 80061d1..8a5c07e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -270,6 +270,8 @@ hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
 hastd_flags="" # Optional flags to hastd.
 ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
 local_unbound_enable="NO" # local caching resolver
+blacklistd_enable="YES" # Run blacklistd daemon (YES/NO).
+blacklistd_flags="" # Optional flags for blacklistd(8).
 #
 # kerberos. Do not run the admin daemons on slave servers
diff --git a/etc/periodic/security/520.pfdenied b/etc/periodic/security/520.pfdenied
index f2f9e8a..850c10d 100755
--- a/etc/periodic/security/520.pfdenied
+++ b/etc/periodic/security/520.pfdenied
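Review bot: The commented `[remote]` example `#129.168.0.0/16 * * * = * *` names a public /16 (129.168.0.0/16 is not a reserved range), so an administrator who uncomments it as written scopes the rule to unrelated address space; the private block the example presumably intends is `192.168.0.0/16`, i.e. `#192.168.0.0/16 * * * = * *`. In the `[local]` section the catch-all `* * * * * 3 60` gives the disable column a bare `60` while every other rule carries a unit (`24h`, `10m`); whether a bare number is read as seconds is for blacklistd.conf(5) to confirm, but writing it `60s` or adding a trailing `# seconds` comment would remove the ambiguity for the reader of this default file.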
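Review bot: `blacklistd_enable="YES"` switches the daemon on for every installation by default, which breaks the pattern of the neighbouring entries (`ctld_enable="NO"`, `local_unbound_enable="NO"`) where etc/defaults/rc.conf ships services off and the administrator opts in from rc.conf. Given that the daemon appears to drive firewall state (the same commit has 520.pfdenied read a pf `blacklistd` anchor and the rc.d script requires `pf`), a default-off entry `blacklistd_enable="NO" # Run blacklistd daemon (YES/NO).` is the safer shipping default, with the rc.d script and config still installed for those who enable it. If on-by-default is intended, the release note (`Relnotes: YES`) should state that explicitly so upgraders know a new daemon starts on boot.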
@@ -44,8 +44,14 @@ rc=0
 if check_yesno_period security_status_pfdenied_enable
 then
 TMP=`mktemp -t security`
- if pfctl -sr -v -z 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' > ${TMP}; then
- check_diff new_only pf ${TMP} "${host} pf denied packets:"
+ touch ${TMP}
+ for _a in "" blacklistd
+ do
+ pfctl -a ${_a} -sr -v -z 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
+ done
+ if [ -s ${TMP} ]; then
+ check_diff new_only pf ${TMP} "${host} pf denied packets:"
 fi
 rc=$?
 rm -f ${TMP}
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index e5f15e7..2d195f1 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -17,6 +17,7 @@ FILES= DAEMON \
 auditd \
 auditdistd \
 bgfsck \
+ ${_blacklistd} \
 ${_bluetooth} \
 bridge \
 ${_bthidd} \
@@ -168,6 +169,10 @@ FILES+= automountd
 FILES+= autounmountd
 .endif
+.if ${MK_BLACKLIST_SUPPORT} != "no"
+_blacklistd+= blacklistd
+.endif
+
 .if ${MK_BLUETOOTH} != "no"
 _bluetooth= bluetooth
 _bthidd= bthidd
diff --git a/etc/rc.d/blacklistd b/etc/rc.d/blacklistd
new file mode 100644
index 0000000..8e79250
--- /dev/null
+++ b/etc/rc.d/blacklistd
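Review bot: In the new loop the first iteration runs with `_a` empty, and because `${_a}` is unquoted in `pfctl -a ${_a} -sr -v -z` the empty expansion disappears, so pfctl is invoked as `pfctl -a -sr -v -z` and takes `-sr` as the anchor name; the main-ruleset pass that the old single `pfctl -sr -v -z` call performed is therefore no longer what gets listed, and the report silently loses those denied-packet counts. Emitting the option only when an anchor is set, `pfctl ${_a:+-a "${_a}"} -sr -v -z 2>/dev/null | \`, keeps the main ruleset pass as before and the `blacklistd` anchor pass as intended. Whether pfctl accepts a quoted empty `-a ""` as meaning the main ruleset is not visible here, so omitting the option is the safer form. The enclosing `if check_yesno_period` block closes outside the hunk.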
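Review bot: `_blacklistd+= blacklistd` uses an append where the sibling block a few lines down assigns (`_bluetooth= bluetooth`, `_bthidd= bthidd`); nothing else appears to set `_blacklistd`, so the append has no effect beyond looking different, and `_blacklistd= blacklistd` would match the surrounding convention. This is style only; the `${_blacklistd}` entry in the `FILES` list in the first hunk is correct as written.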
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Copyright (c) 2016 The FreeBSD Foundation
+# All rights reserved.
+#
+# This software was developed by Kurt Lidl under sponsorship from the
+# FreeBSD Foundation.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# PROVIDE: blacklistd
+# REQUIRE: netif pf
+
+. /etc/rc.subr
+
+name="blacklistd"
+desc="System blacklist daemon"
+rcvar="blacklistd_enable"
+command="/usr/sbin/${name}"
+required_files="/etc/blacklistd.conf"
+
+load_rc_config $name
+run_rc_command "$1"