How to setup IPFW working with blacklistd

Cos Chan rosettas at
Mon Nov 6 15:41:44 UTC 2017

On Mon, Nov 6, 2017 at 3:09 PM, Ian Smith <smithi at> wrote:

> In freebsd-questions Digest, Vol 701, Issue 1, Message: 10
> On Mon, 6 Nov 2017 09:38:40 +0100 Cos Chan <rosettas at> wrote:
>  > Hi All
>  >
>  > I would run IPFW with blacklistd, my FreeBSD is 11.1-RELEASE-p1.
>  >
>  > my blacklistd is working fine to get sshd failed login attempts.
>  > The output:
>  >
>  > $ sudo blacklistctl dump -b
>  >         address/ma:port id      nfail   last access
>  >           3/-1    2017/11/05 01:05:34
>  >           3/-1    2017/11/05 13:22:53
>  >
>  > but I can't find information how to use the blacklistd database in IPFW
>  > from IPFW manpage
>  >
>  > would anybody explain that to me?
> By all means work with Carmel's offer to look at parsing the database
> output.  All I know about blacklistd(8), blacklistd.conf(5) and
> blacklistctl(8) is what I just now read skimming these manual pages.
> However I was surprised to see no mention of using tables rather than
> add)ing or rem)oving individual firewall rules - and you can't use
> 'flush' on individual rules in ipfw(8), only on whole sets of rules.
> Another problem with adding/removing individual rules is you need to
> allocate a large enough block of rules, then specify distinct rule
> numbers to ipfw(8).  Messy and error-prone, especially for deleting.
> So you might need to replace or modify /usr/libexec/blacklistd-helper,
> which I haven't seen but assume is a script, to use its parameters to
> generate commands more like:
>  /sbin/ipfw table $TABLENAME add addr[/masklen] [value]
> and
>  /sbin/ipfw table $OTHERNAME delete addr[/masklen]
> as appropriate.  This is immensely more efficient than adding and
> deleting single rules on the fly, moreso if there are many entries.
> When adding entries, the optional [value] might be a latest timestamp,
> or an expiry timestamp, or anything else you might find useful.
> Of course you may need a number of different tables, for blocking ssh,
> webhosts, mailserver or other services, but then need just a few rules
> dedicated to denying (or even specifically enabling) hosts or ports to
> addr[/masklen] entries in a particular table.
>  ipfw add deny tcp from table \($SPAMMERS\) to any 25,587 setup
>  ipfw add deny tcp from table \($SSHBADGUYS\) to me 22 setup
>  ipfw add deny all from table \($REALLYNASTY\) to any in
> and such.  Tables really are the way to go for this sort of thing.

Thanks, I studied /usr/libexec/blacklistd-helper; it looks good, as you
said, but it needs ipfw-blacklist.rc for ipfw?

if [ -f "/etc/ipfw-blacklist.rc" ]; then
        # sourced only if the file is present
        . /etc/ipfw-blacklist.rc
fi

I could not find this file in /etc/

The rc.conf file was modified to:

blacklistd_flags="-C /usr/libexec/blacklistd-helper"

and blacklistd was restarted, but no luck yet.

> cheers, Ian

with kind regards
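A table-based helper along the lines Ian describes, written here as an added example (it is not the FreeBSD blacklistd-helper and not anything from this thread). It assumes blacklistd invokes the helper as `helper <add|rem|flush> <rulename> <protocol> <address> <mask> <port> [id]`, that mask is a prefix length, and that the matching deny rules (e.g. `ipfw add deny tcp from table\(bl_ssh\) to me 22 setup`) are loaded once from the normal ipfw rules file; the table names and the `DRY_RUN`/`NOW` knobs are this example's own.

```shell
#!/bin/sh
# Added example, not the FreeBSD blacklistd-helper: one ipfw table per
# blacklistd rule name (ssh -> bl_ssh) instead of numbered rules.
# Assumed argument order (an assumption about blacklistd(8)'s interface):
#   helper <add|rem|flush> <rulename> <protocol> <address> <mask> <port> [id]

IPFW=${IPFW:-/sbin/ipfw}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ipfw command instead of running it

# The helper's arguments end up on a shell command line, so accept only
# characters that can occur in an IPv4/IPv6 address or a prefix length.
valid_addr() { case $1 in ''|*[!0-9a-fA-F:.]*) return 1;; esac; }
valid_mask() { case $1 in ''|*[!0-9]*) return 1;; esac; }

# Build and print the ipfw(8) command for one helper call. The table entry
# value is the block time (epoch seconds; NOW overrides it for testing).
build_cmd() {
    action=$1 table="bl_$2" addr=$4 mask=$5
    ts=${NOW:-$(date +%s)}
    case $action in
    add)
        valid_addr "$addr" && valid_mask "$mask" || return 1
        # create is a no-op (with an ignored error) once the table exists
        printf '%s table %s create type addr 2>/dev/null; ' "$IPFW" "$table"
        printf '%s table %s add %s/%s %s\n' "$IPFW" "$table" "$addr" "$mask" "$ts"
        ;;
    rem)
        valid_addr "$addr" && valid_mask "$mask" || return 1
        printf '%s table %s delete %s/%s\n' "$IPFW" "$table" "$addr" "$mask"
        ;;
    flush)
        printf '%s table %s flush\n' "$IPFW" "$table"
        ;;
    *)
        return 1
        ;;
    esac
}

# Entry point used when blacklistd runs the script.
helper_main() {
    cmd=$(build_cmd "$@") || { echo "blacklistd-helper: bad arguments: $*" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
}

if [ $# -gt 0 ]; then helper_main "$@"; fi
```

Run with `DRY_RUN=1 sh helper.sh add ssh tcp 192.0.2.10 32 22` to see the commands it would issue; the blocked addresses can then be listed with `ipfw table bl_ssh list` rather than parsed out of individual rules.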
