Other Blacklistd

[DavidMarec]

I read that a new daemon called blacklistd(8) is now available in FreeBSD 11, imported from the NetBSD project. If I well understood, it requires others network daemons, like sshd(8), to be patched to send information regarding connection attempts.

For now, what are the daemons that notifies connection failures on the suitable sockets?

 

[DavidMarec]

There were commits for fingerd(8),ftpd(8),rlogind(8),sshd(8),rshd(8) but, unfortunately, onto head only.

As far as I see, regarding to FreeBSD 11-RC1, ftpd(8) is the only one linked to this new blacklist(3) library.

It may be useful to have a list of the daemons using it (or even planned to).

Last, man pages about blacklist(d) still mention npf .

 

[wblock@]

Also supposed to be a patch for sendmail. I'm looking forward to that.

 

[Murph]

I rather like the overall look of it, there's just one thing I would change. Under heavier loads, I don't particularly like the fork+exec+interpret+fork+exec+open+ioctl model of using a shell script to do the blocking/unblocking. I can see myself throwing together a quick bit of C which talks to /dev/pf, and either sits inside blacklistd to do a simple ioctl, or reduces the action to a much faster fork+exec+open+ioctl without all the shell overhead and second fork+exec.

 

[DavidMarec]

Also supposed to be a patch for sendmail. I'm looking forward to that.

Right, but the patch request has been moved to ports tree, to keep the base version up to date with the upstream repository.

This sounds odd to me, I would have done the other way.