BLACKLISTD(8) System Manager's Manual BLACKLISTD(8)


NAME
blacklistd — block and release ports on demand to avoid DoS abuse


SYNOPSIS
blacklistd [-dfrv] [-C controlprog] [-c configfile] [-D dbfile] [-P sockpathsfile] [-R rulename] [-s sockpath] [-t timeout]


DESCRIPTION
blacklistd is a daemon similar to syslogd(8) that listens on sockets at the paths specified in sockpathsfile for notifications from other daemons about successful or failed connection attempts. If no such file is specified, it listens only on the socket path specified by sockpath or, if that is not specified either, on /var/run/blsock. Each notification contains an (action, port, protocol, address, owner) tuple that identifies the remote connection and the action. This tuple is matched against the entries in configfile, whose syntax is specified in blacklistd.conf(5). If an entry matches, a state entry is created for that tuple. Each entry carries a limit on the number of tries and a duration.

If the action is “add” and the number of tries limit is reached, then the control script controlprog is invoked with arguments:

control add <rulename> <proto> <address> <mask> <port>

and should invoke a packet filter command to block the connection specified by the arguments. The rulename argument can be set from the command line (default blacklistd). The script may print a numerical id to stdout as a handle for the rule, to be used later when that connection is unblocked, but this is not required, since all the information needed to remove the rule is kept.

If the action is “remove”, then the same control script is invoked as:

control rem <rulename> <proto> <address> <mask> <port> <id>

where id is the number returned from the “add” action.

blacklistd maintains a database of known connections in dbfile. On startup it reads the entries from that file and updates its internal state. If the -f flag is specified, the database is truncated and all the rules named rulename are deleted by invoking the control script as:

control flush <rulename>

If the -r flag is specified, the firewall rules are re-read from the internal database and are removed and re-added. This helps with packet filters that do not retain state across reboots.

blacklistd checks the list of active entries every timeout seconds (default 15) and removes entries and block rules using the control program as necessary.
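The following control script is an added illustration of the add, rem and flush invocations described above; it is not the helper shipped with NetBSD. It assumes a pf(4) packet filter and keeps blocked addresses in a pf table named after <rulename>, which is coarser than the interface allows: <proto> and <port> are ignored and the whole address is blocked, a deliberate simplification. The table name, the PFCTL override used for dry runs and the pf.conf lines in the comments are assumptions of this example, not anything the manual prescribes. Because blacklistd runs the script with root privileges, every argument is validated before it reaches pfctl.

```shell
#!/bin/sh
# Example blacklistd control script (an added illustration, not the helper
# shipped with NetBSD).  blacklistd invokes it as
#   control add   <rulename> <proto> <address> <mask> <port>
#   control rem   <rulename> <proto> <address> <mask> <port> <id>
#   control flush <rulename>
# This version (assumption) keeps blocked addresses in a pf(4) table named
# after <rulename>; pf.conf must reference that table, for example
#   table <blacklistd> persist
#   block in quick from <blacklistd> to any
# Set PFCTL="echo pfctl" to dry-run and see the commands that would be issued.

PFCTL="${PFCTL:-/sbin/pfctl}"

# The script runs as root, so reject anything that is not a plain address,
# prefix length or rule name before it reaches a privileged command.
valid_addr() { case "$1" in ""|*[!0-9a-fA-F.:]*) return 1 ;; esac; }
valid_num()  { case "$1" in ""|*[!0-9]*) return 1 ;; esac; }
valid_name() { case "$1" in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

blacklistd_control() {
    action=$1 rulename=$2
    valid_name "$rulename" || return 2
    case "$action" in
    add)
        addr=$4 mask=$5 port=$6            # $3 (proto) is not used by a table
        valid_addr "$addr" && valid_num "$mask" && valid_num "$port" || return 2
        $PFCTL -t "$rulename" -T add "$addr/$mask" || return 1
        # An id on stdout is optional: blacklistd keeps what it needs to
        # remove the entry.  The table entry itself makes a readable handle.
        echo "$addr/$mask"
        ;;
    rem)
        addr=$4 mask=$5                    # $7 (id) is the handle echoed above
        valid_addr "$addr" && valid_num "$mask" || return 2
        $PFCTL -t "$rulename" -T delete "$addr/$mask"
        ;;
    flush)
        $PFCTL -t "$rulename" -T flush
        ;;
    *)
        echo "usage: $0 add|rem|flush <rulename> [args...]" >&2
        return 64
        ;;
    esac
}

# Dispatch when run as blacklistd's control program; do nothing when sourced.
[ $# -gt 0 ] && blacklistd_control "$@"
```

Install it as the controlprog given with -C, and before trusting it run it with PFCTL="echo pfctl" to confirm the exact pfctl commands it would issue for an add, a rem and a flush; a malformed address such as one containing a shell metacharacter makes the script exit with status 2 without touching the packet filter.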

Normally, blacklistd disassociates itself from the terminal and writes messages to syslogd(8), unless the -d flag is specified, in which case it stays in the foreground. The -v flag causes blacklistd to print diagnostic messages to stdout instead of syslogd(8).


FILES
controlprog      Shell script invoked to interface with the packet filter.
configfile       Configuration file, in blacklistd.conf(5) syntax.
dbfile           Database of current connection entries.
/var/run/blsock  Default socket on which connection notifications are received.


HISTORY
blacklistd appeared in NetBSD 7.


AUTHORS
Christos Zoulas
April 29, 2015 NetBSD 7.0