blacklistd

From: Michael Grimm <trashcan_at_ellael.org>
Date: Mon, 16 Jan 2023 14:43:03 UTC
[FreeBSD 13.1-STABLE stable/13-n253468-16dd69d46577]

Hi,

I recently configured blacklistd in order to get sshd and postfix submission monitored. 

It works so far, but I do have some questions/observations to share:

1) IPv6 addresses in /etc/blacklistd.conf

According to the man page BLACKLISTD.CONF(5), I tried to get IPv6 addresses whitelisted in section [remote] like:

	The first field denotes the location as an address, mask, and port.  The
	syntax for the location is:

                   [<address>|<interface>][/<mask>][:<port>]

	The address can be an IPv4 address in numeric format, an IPv6 address in
	numeric format and enclosed by square brackets, or an interface name.


But this doesn't work as stated in the man page:

# adr/mask:port         type    proto   owner   name    nfail   disable
[remote]
[1:2:3:4::8]            *       *       *       *       *       *
——>
Jan 15 15:40:17 <daemon.err> VM blacklistd[61944]: getnum: /etc/blacklistd.conf, 15: Bad number for service []

[remote]
[1:2:3:4::8]/64         *       *       *       *       *       *
——>
Jan 15 15:38:07 <daemon.err> VM blacklistd[61748]: getnum: /etc/blacklistd.conf, 15: Bad number for service []

[remote]
[1:2:3:4::8]/64:        *       *       *       *       *       *
——>
Jan 15 15:39:32 <daemon.err> VM blacklistd[61825]: getnum: /etc/blacklistd.conf, 15: Bad number for service []

[remote]
[1:2:3:4::8]/64:*       *       *       *       *       *       *
——>
ok

IPv4 addresses work as advertised, but bracketed IPv6 addresses need an additional '/:*'

Two questions:

	1) bug or feature or misunderstanding from my side?
	2) Can a wildcard '*' be used in the meaning of 'any port'?

2) Whitelisting for a defined time period

I do have dynamically assigned IPv4 addresses from my internet provider that change every 24 hrs for the corresponding domains, e.g.: test.tld

# adr/mask:port      type    proto   owner   name    nfail   disable
[remote]
# dynamically assigned IPs:
test.tld:22          *       *       *       *       *       24h

When I do "abuse" my server from 'test.tld', I get whitelisted, good, but the expected 24h time period for removal of the corresponding IPv4 address doesn't work as expected:

VM> blacklistctl dump -ar
        address/ma:port	id	nfail	remaining time
   1.2.3.4/32:22		2/*	never

Question: Can this be done somehow?

Thanks in advance and regards,
Michael
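As an added example (not part of Michael's mail and not blacklistd's own code), here is a small Python parser for the location field that follows the grammar quoted above from BLACKLISTD.CONF(5). It shows how the closing ']' lets a bracketed IPv6 address be separated from the ':port' suffix, and it makes explicit the assumptions it adds beyond the man page text: '*' as a port means any port, an omitted mask is a host mask, a bare numeric token is a port, any other bare token is an interface name, and service names are not resolved. Whether the real daemon behaves the same way is exactly what the mail is asking.

```python
"""Illustrative parser for the location field of a blacklistd.conf entry.

Added example for this page; not blacklistd's own parser.  It follows the
grammar quoted from BLACKLISTD.CONF(5), not whatever the daemon accepts:

    [<address>|<interface>][/<mask>][:<port>]

Assumptions beyond the man page quote: '*' as a port means "any port"; an
omitted mask means a host mask (32 or 128); a bare numeric token is a port;
any other bare token is an interface name (service names are not resolved);
a mask is rejected on interface entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    address: Optional[str]    # canonical address text, None for an interface entry
    interface: Optional[str]  # interface name, None for an address entry
    mask: Optional[int]       # prefix length, None for interface or bare-port entries
    port: Optional[int]       # None means "any port"


def _port(text: str) -> Optional[int]:
    """Port after ':'.  '*' means any port (assumption)."""
    if text == "*":
        return None
    if not text.isdigit() or not 0 < int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def _mask(text: str, limit: int) -> int:
    """Mask after '/', always numeric per the man page."""
    if not text.isdigit() or int(text) > limit:
        raise ValueError(f"bad mask {text!r}")
    return int(text)


def parse_location(field: str) -> Location:
    field = field.strip()
    if field.startswith("["):
        # Bracketed IPv6: ']' terminates the address, so the colons inside it
        # cannot be mistaken for the ':' that introduces the port.
        end = field.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IPv6 address")
        addr = ipaddress.IPv6Address(field[1:end])
        host, rest, limit, iface = str(addr), field[end + 1:], 128, None
    else:
        # IPv4 address, interface name or bare port: none of these contain
        # '/' or ':', so the first such character ends the token.
        cut = min((i for i in (field.find("/"), field.find(":")) if i >= 0),
                  default=len(field))
        token, rest = field[:cut], field[cut:]
        if not token:
            raise ValueError("empty location")
        if token.isdigit() and not rest:
            return Location(None, None, None, _port(token))  # bare port, e.g. "22"
        try:
            host, limit, iface = str(ipaddress.IPv4Address(token)), 32, None
        except ipaddress.AddressValueError:
            host, limit, iface = None, 0, token  # interface name, e.g. "em0"

    mask = None
    if rest.startswith("/"):
        mask_text, sep, port_text = rest[1:].partition(":")
        if iface is not None:
            raise ValueError("mask not allowed on an interface entry")
        mask = _mask(mask_text, limit)
        rest = sep + port_text
    port = None
    if rest.startswith(":"):
        port = _port(rest[1:])
        rest = ""
    if rest:
        raise ValueError(f"trailing text {rest!r}")
    if host is not None and mask is None:
        mask = limit  # no mask given: host entry
    return Location(host, iface, mask, port)


def is_valid(field: str) -> bool:
    """True when the field parses under the grammar above."""
    try:
        parse_location(field)
        return True
    except ValueError:  # ipaddress errors are ValueError subclasses
        return False


if __name__ == "__main__":
    # The four variants from the mail, parsed under the documented grammar.
    for f in ("[1:2:3:4::8]", "[1:2:3:4::8]/64", "[1:2:3:4::8]/64:", "[1:2:3:4::8]/64:*"):
        print(f"{f:22} -> {parse_location(f) if is_valid(f) else 'rejected'}")
```

Under the documented grammar, only the third form (a ':' with nothing after it) should be rejected; the first two parse as host and /64 entries with any port. Running the real daemon's config through the same inputs, as the mail does, is the way to find out where its parser diverges.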