hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-29 04:21:26 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
291079d0eb
HardenedBSD/contrib/blocklist/libexec/blacklistd-helper
Ed Maste 5f4c09dd85 Track upstream project rename in contrib/blocklistd 
Upstream is now https://github.com/zoulasc/blocklist/.  Rename the
contrib directory and update Makefiles to match, in advance of the next
vendor branch update.

Sponsored by:	The FreeBSD Foundation
2023-11-03 16:53:04 -04:00

135 lines
2.7 KiB
Bash
Raw Blame History

#!/bin/sh
#echo "run $@" 1>&2
#set -x
# $1 command
# $2 rulename
# $3 protocol
# $4 address
# $5 mask
# $6 port
# $7 id
pf=
if [ -f "/etc/ipfw-blacklist.rc" ]; then
pf="ipfw"
. /etc/ipfw-blacklist.rc
ipfw_offset=${ipfw_offset:-2000}
fi
if [ -z "$pf" ]; then
for f in npf pf ipf; do
if [ -f "/etc/$f.conf" ]; then
pf="$f"
break
fi
done
fi
if [ -z "$pf" ]; then
echo "$0: Unsupported packet filter" 1>&2
exit 1
fi
if [ -n "$3" ]; then
proto="proto $3"
fi
if [ -n "$6" ]; then
port="port $6"
fi
addr="$4"
mask="$5"
case "$4" in
::ffff:*.*.*.*)
if [ "$5" = 128 ]; then
mask=32
addr=${4#::ffff:}
fi;;
esac
case "$1" in
add)
case "$pf" in
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
any port=$6 head port$6 | \
/sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
# use $ipfw_offset+$port for rule number
rule=$(($ipfw_offset + $6))
tname="port$6"
/sbin/ipfw table $tname create type addr 2>/dev/null
/sbin/ipfw -q table $tname add "$addr/$mask"
# if rule number $rule does not already exist, create it
/sbin/ipfw show $rule >/dev/null 2>&1 || \
/sbin/ipfw add $rule drop $3 from \
table"("$tname")" to any dst-port $6 >/dev/null && \
echo OK
;;
npf)
/sbin/npfctl rule "$2" add block in final $proto from \
"$addr/$mask" to any $port
;;
pf)
# if the filtering rule does not exist, create it
/sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \
grep -q "<port$6>" || \
echo "block in quick $proto from <port$6> to any $port" | \
/sbin/pfctl -a "$2/$6" -f -
# insert $ip/$mask into per-protocol/port anchored table
/sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
/sbin/pfctl -qk "$addr" && echo OK
;;
esac
;;
rem)
case "$pf" in
ipf)
/sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1
echo block in quick $proto from $addr/$mask to \
any port=$6 head port$6 | \
/sbin/ipf -I -r -f - -s >/dev/null 2>&1 && echo OK
;;
ipfw)
/sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \
echo OK
;;
npf)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
/sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
echo OK
;;
esac
;;
flush)
case "$pf" in
ipf)
/sbin/ipf -Z -I -Fi -s > /dev/null && echo OK
;;
ipfw)
/sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
;;
npf)
/sbin/npfctl rule "$2" flush
;;
pf)
# dynamically determine which anchors exist
for anchor in $(/sbin/pfctl -a "$2" -s Anchors); do
/sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
/sbin/pfctl -a $anchor -F rules
done
echo OK
;;
esac
;;
*)
echo "$0: Unknown command '$1'" 1>&2
exit 1
;;
esac
Reference in New Issue View Git Blame Copy Permalink