Module Name: src
Committed By: christos
Date: Wed Feb 5 20:24:27 UTC 2025
Modified Files:
src/external/bsd/blocklist/etc: Makefile
Added Files:
src/external/bsd/blocklist/etc: ipf.conf
Log Message:
PR/22: robohack: add an ipf.conf example
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.2 src/external/bsd/blocklist/etc/Makefile
cvs rdiff -u -r0 -r1.1 src/external/bsd/blocklist/etc/ipf.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blocklist/etc/Makefile
diff -u src/external/bsd/blocklist/etc/Makefile:1.1.1.1 src/external/bsd/blocklist/etc/Makefile:1.2
--- src/external/bsd/blocklist/etc/Makefile:1.1.1.1 Sun Jun 14 21:52:53 2020
+++ src/external/bsd/blocklist/etc/Makefile Wed Feb 5 15:24:26 2025
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $
+# $NetBSD: Makefile,v 1.2 2025/02/05 20:24:26 christos Exp $
-SUBDIR=rc.d
+SUBDIR= rc.d
-FILESDIR= /usr/share/examples/blocklist
-FILESMODE= 644
-FILES= blocklistd.conf npf.conf
+FILESDIR= /usr/share/examples/blocklist
+FILESMODE= 644
+FILES= blocklistd.conf ipf.conf npf.conf
.include <bsd.files.mk>
.include <bsd.subdir.mk>
Added files:
Index: src/external/bsd/blocklist/etc/ipf.conf
diff -u /dev/null src/external/bsd/blocklist/etc/ipf.conf:1.1
--- /dev/null Wed Feb 5 15:24:27 2025
+++ src/external/bsd/blocklist/etc/ipf.conf Wed Feb 5 15:24:26 2025
@@ -0,0 +1,45 @@
+#========================================
+#
+# subsection for abuse blocking
+#
+#========================================
+#
+# This section should be included early in the main /etc/ipf.conf file, right
+# after any basic generic accounting ("count") rules, and any cleanup rules to
+# block invalid fragments, invalid options (e.g. "ssrr"), etc.
+#
+# Note these will not actually block anything since they don't include the
+# "quick" flag, and are thus part of a last-match group. They simply set up a
+# group such that any connection logging rule further below won't also match if
+# one of the rules in the group matches, no matter when or where the subsequent
+# matching rule is added. I.e. all rules in the group are checked for a match
+# (and a possible "first match" with "quick") before any subsequent rules
+# further below are used. Note group rules can be added at any time, including
+# at runtime after all other rules have been added -- they will still belong to
+# the group and once added will be checked as part of the group.
+#
+# head of "blocklistd" group:
+#
+# The "blocklistd" group will be used by blocklistd(8).
+#
+block in proto tcp/udp from any to any head blocklistd
+#
+# head of "attackers" group to block all attackers:
+#
+# The "attackers" group is intended to be used for manually maintained rules
+# e.g. as could be added like this:
+#
+# echo 'block return-rst in log quick proto tcp from 118.136.0.0/15 to any flags S/SAFR group attackers' >> /etc/ipf.conf
+# /etc/rc.d/ipfliter reload
+#
+# Note the choice in this example is to return RST packets for blocked SYN
+# packets to help the other end close. This is not necessary, but it better
+# mimics what the kernel does by default, thus perhaps hiding the fact a
+# firewall is present.
+#
+# XXX This example still allows UDP services, but we would need to duplicate
+# each rule with "proto udp" (and without "flags blah") due to IPF parsing
+# limitations....
+#
+block in proto tcp/udp from any to any head attackers
+#
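Review bot: The reload command in the example at `/etc/rc.d/ipfliter reload` is misspelled; the rc script is `ipfilter`, so anyone pasting this gets "command not found" after having already appended the rule to /etc/ipf.conf, and the line should read `# /etc/rc.d/ipfilter reload` (assuming the script's reload action re-reads /etc/ipf.conf, which the example relies on). The `return-rst` example also deserves a one-line caveat, since the RST is sent to whatever source address the blocked SYN carried: against spoofed-source scans this host will emit RSTs toward third parties, which the "hiding the firewall" note does not mention, e.g. `# Note return-rst replies to the packet's source address, so spoofed SYNs cause RSTs to be sent to uninvolved hosts; plain "block" avoids this.` Finally, the XXX note says the example "still allows UDP services" but the manual rule shown only covers TCP; making that explicit (`# i.e. a matching UDP rule must be added separately for each TCP rule`) would avoid readers assuming the attackers group already covers UDP.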