iblock/README.md

# iblock

iblock is a program adding the client IP to a Packet Filter table.

It is meant to be used to block scanner connecting on unused ports.

Upon connection, the IP is added to a PF table and all established connections with this IP are killed.  You need to use a PF bloking rule using the table.

# How to use

## Add a dedicated user

```
useradd -s /sbin/nologin _iblock
```

## Configure doas

Add in `/etc/doas.conf`:

```
permit nopass _iblock cmd /sbin/pfctl
```

## Configure packet filter

Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable:

```
# services triggering a block
blocking_tcp="{ 21 23 53 111 135 137:139 445 1433 25565 5432 3389 3306 27019 }"

table <iblocked> persist

block in quick from <iblocked> label iblock
# iblock listens on port 2507
pass in quick on egress inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on egress inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507
```

Don't forget to reload the rules with `pfctl -f /etc/pf.conf`.

Use another table or port name by passing appropriate flags to iblock:

```
rcctl set iblock flags -t another_table_name -p 5373
```

# Get some statistics

Done! You can see IP banned using `pfctl -t iblocked -T show` and iblock will send blocked addresses to syslog.

In the example I added a label to the block rule, you can use `pfctl -s labels` to view statistics from this rule, [see documentation for column meaning](https://man.openbsd.org/pfctl#s~8).
Initial commit 2021-02-25 19:16:02 +01:00			`# iblock`

iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00			`iblock is a program adding the client IP to a Packet Filter table.`
Remove garbage chars 2021-02-25 20:43:58 +01:00
			`It is meant to be used to block scanner connecting on unused ports.`
Enhance README 2021-02-28 16:58:50 +01:00
iblock: kill established connections after the ban 2022-09-17 16:52:03 +02:00			`Upon connection, the IP is added to a PF table and all established connections with this IP are killed. You need to use a PF bloking rule using the table.`
Enhance README 2021-02-28 16:58:50 +01:00
			`# How to use`

Make use of doas mandatory to avoid running iblock as root. 2021-03-20 11:42:00 +01:00			`## Add a dedicated user`

			```
			`useradd -s /sbin/nologin _iblock`
			```

			`## Configure doas`

			Add in `/etc/doas.conf`:

			```
			`permit nopass _iblock cmd /sbin/pfctl`
			```

Documentation enhancement 2021-03-10 22:37:11 +01:00			`## Configure packet filter`

Enhance README 2021-02-28 16:58:50 +01:00			Use this in `/etc/pf.conf`, choose which ports will trigger the ban from the variable:

			```
			`# services triggering a block`
Add more ports in the example 2021-02-28 17:01:05 +01:00			`blocking_tcp="{ 21 23 53 111 135 137:139 445 1433 25565 5432 3389 3306 27019 }"`
Enhance README 2021-02-28 16:58:50 +01:00
iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00			`table <iblocked> persist`
Enhance README 2021-02-28 16:58:50 +01:00
iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00			`block in quick from <iblocked> label iblock`
			`# iblock listens on port 2507`
			`pass in quick on egress inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507`
			`pass in quick on egress inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507`
Enhance README 2021-02-28 16:58:50 +01:00			```

Documentation enhancement 2021-03-10 22:37:11 +01:00			Don't forget to reload the rules with `pfctl -f /etc/pf.conf`.

update manpage for new flags availables 2023-09-03 15:37:17 +02:00			`Use another table or port name by passing appropriate flags to iblock:`
iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00
			```
update manpage for new flags availables 2023-09-03 15:37:17 +02:00			`rcctl set iblock flags -t another_table_name -p 5373`
iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00			```

Documentation enhancement 2021-03-10 22:37:11 +01:00			`# Get some statistics`

iblock is now its own server. inetd is no longer required. Some minor changes too: * doas is called with flag "-n", this avoid blocking iblock if doas ismisconfigured. * pfctl calls are run in separate fork process * iblock listening port is now the better 2507 instead of already used by other softwares 666. * Added a rc script to start iblock as daemon. 2022-10-08 14:08:57 +02:00			Done! You can see IP banned using `pfctl -t iblocked -T show` and iblock will send blocked addresses to syslog.
Enhance README 2021-02-28 16:58:50 +01:00
Add label in example and how to use it 2021-02-28 17:03:59 +01:00			In the example I added a label to the block rule, you can use `pfctl -s labels` to view statistics from this rule, [see documentation for column meaning](https://man.openbsd.org/pfctl#s~8).