Blacklistd explain more please with more examples

I was setting up Blacklistd with the detail from this page.
I don't understand some of the English or the description when it gets down to this line:
ipfw -q add 2022 drop tcp from table(port22) to any dst-port 22

I am using ipfw. Is that above command the way to activate specific parts of the block for a specific program? Please send me a few more example commands with the above format. For example, what is the command for an email server? What is the command for a web server? And so on. Yeah, obviously change the ports. Is that command really all that literal, with words like "from" in the command you do in terminal? It seems strange, the command format. So I want more examples before I try doing the command. Please. Thanks!
 
Does the blacklistd section of the FreeBSD Handbook help? I imagine not, for the examples that you'd like … and I can't find much of use elsewhere in FreeBSD areas or the wider Internet (sorry).

Code:
% rg --count --sort path blacklistd /usr/doc
/usr/doc/documentation/content/de/books/handbook/firewalls/_index.adoc:22
/usr/doc/documentation/content/en/articles/contributors/contrib-develinmemoriam.adoc:1
/usr/doc/documentation/content/en/articles/contributors/contrib-develinmemoriam.po:1
/usr/doc/documentation/content/en/books/handbook/firewalls/_index.adoc:36
/usr/doc/documentation/content/en/books/handbook/firewalls/_index.po:35
/usr/doc/documentation/content/es/articles/contributors/contrib-develinmemoriam.adoc:1
/usr/doc/documentation/content/es/articles/contributors/contrib-develinmemoriam.po:2
/usr/doc/documentation/content/pl/books/handbook/firewalls/_index.adoc:23
/usr/doc/documentation/content/pt-br/articles/contributors/contrib-develinmemoriam.adoc:1
/usr/doc/documentation/content/pt-br/articles/contributors/contrib-develinmemoriam.po:2
/usr/doc/documentation/content/pt-br/books/handbook/firewalls/_index.adoc:22
/usr/doc/documentation/content/zh-tw/books/handbook/firewalls/_index.adoc:23
/usr/doc/website/content/en/releases/11.0R/relnotes.adoc:3
/usr/doc/website/content/en/releases/11.1R/announce.adoc:1
/usr/doc/website/content/en/releases/11.1R/announce.asc:1
/usr/doc/website/content/en/releases/11.1R/relnotes.adoc:3
/usr/doc/website/content/en/releases/12.4R/relnotes.adoc:1
/usr/doc/website/static/security/advisories/FreeBSD-SA-24:08.openssh.asc:1
/usr/doc/website/static/status/report-2016-04-2016-06.html:2
/usr/doc/website/static/status/report-2016-07-2016-09.html:2
/usr/doc/website/static/status/report-2016-10-2016-12.html:2
/usr/doc/website/static/status/report-2017-01-2017-03.html:2
/usr/doc/website/static/status/report-2017-04-2017-06.html:1
/usr/doc/website/static/status/report-2017-07-2017-09.html:1
/usr/doc/website/static/status/report-2018-01-2018-09.html:1
/usr/doc/website/static/status/report-2019-01-2019-03.html:1
/usr/doc/website/static/status/report-2019-10-2019-12.html:1
%

(I'm vaguely interested, because I might need to watch and/or block traffic for a while, and the last time I did this was with Little Snitch on Mac OS X.)
 
From the link it says:

“It creates a named table (eg: port22) and then just inserts the bad actors into that table”

I don’t use ipfw but I read the link and the command as follows:

Drop TCP traffic destined for port 22 if the IP is in the table named port22.

It is not clear what creates that table - it says the helper script builds the rules with numbers in the 2000 range plus port number, hence rule number 2022 (2000 + 22). Would assume the helper script has rules creating the table.

Yes, ipfw and pf are “wordy”.
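
The rule-number convention described in the reply above (2000 plus the port), applied to other service ports, as an added example that is not part of any post in this thread and is not blacklistd's own helper script. The function names, the port list and the address 192.0.2.10 are constructed for illustration, and the table commands are an assumption about how such a table could be filled by hand; the script only prints commands, it does not run ipfw.

```shell
#!/bin/sh
# Added example: print (do not run) ipfw commands that follow the
# "rule number = 2000 + port, table name = port<N>" convention from the thread.
OFFSET=2000

# valid_port PORT: succeeds only for a plain decimal port whose rule number
# (OFFSET + PORT) stays below 65535, the number ipfw reserves for its default rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;   # empty, non-digits, or leading zero (octal trap)
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ $((OFFSET + $1)) -le 65534 ]
}

# block_rule PROTO PORT: print the drop rule for one service port.
# table(...) is quoted so the interactive shell does not interpret the parentheses.
block_rule() {
    proto=$1 port=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 1 ;;
    esac
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf 'ipfw -q add %d drop %s from "table(port%s)" to any dst-port %s\n' \
        "$((OFFSET + port))" "$proto" "$port" "$port"
}

# table_cmds PORT ADDR: print commands that create the named table and add
# one address to it (assumed manual equivalent of what fills the table).
table_cmds() {
    valid_port "$1" || return 1
    printf 'ipfw table port%s create type addr\n' "$1"
    printf 'ipfw -q table port%s add %s\n' "$1" "$2"
}

# Constructed sample: ssh, smtp, http, https
for p in 22 25 80 443; do
    block_rule tcp "$p"
done
table_cmds 22 192.0.2.10   # 192.0.2.10 is a documentation address
```

Each printed rule only drops traffic from addresses that are already in the matching table, so an empty table blocks nothing.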
 