Current-Users archive


Re: blacklistd is now available for current (comments?)



On Jan 21,  3:43pm, jarle%uninett.no@localhost (Jarle Greipsland) wrote:
-- Subject: Re: blacklistd is now available for current (comments?)

| > # Blacklist rule
| > # Port	type	protocol	owner		nfail	disable
| > ssh	stream	tcp		*		6	60m
| > ssh	stream	tcp6		*		6	60m
| What about hosts with multiple addresses and multiple instances
| of the same daemon?  I.e. an ssh daemon for ordinary login on IP
| address a.b.c.d, and an anoncvs ssh daemon on a.b.c.e, and you
| want different policies for how to blacklist remote clients?
| Maybe do something like postfix, and allow a.b.c.d:ssh as a
| service specifier instead of just a port number/name?

The current implementation of groups and rules on npf is interface-specific,
and it is not finalized yet. I considered adding per interface rules, but
that introduces complexity. Perhaps I will add a flag to the daemon to
handle this, making the configuration line look like:

# external interface
ssh	stream	tcp6	bge0	*		6	60m
# internal interface
ssh	stream	tcp6	sk0	*		*	*

and then automatically create the rule "blacklistd-bge0", etc.
* again there will mean all the interfaces. This does not, though, handle
the case of multiple addresses on the same interface. Should it handle
that too? It would be easy to extend the syntax to handle address:port
in the first field.

christos
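Added example, not from the original post or from the blacklistd sources: a small parser for blacklistd.conf-style rule lines that accepts the six-column format quoted above together with the two extensions floated in the thread, an interface column after the protocol and an address:port first field. Everything beyond the quoted syntax is an assumption for illustration: a six-column line is treated as "all interfaces", the npf rule name is derived as "blacklistd-<iface>" as proposed, and when several rules match, the address-specific rule is preferred over the interface-specific one, which is preferred over the wildcard (ties go to file order). The sample configuration is constructed.

```python
# Added example (not the original post's or blacklistd's code): parse
# blacklistd.conf-style rules with the proposed interface column and
# address:port first field.  Precedence rules below are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(tok: str) -> Optional[int]:
    """'60m' -> 3600 seconds; '*' -> None (no timed disable)."""
    if tok == "*":
        return None
    m = re.fullmatch(r"(\d+)([smhd]?)", tok)
    if not m:
        raise ValueError(f"bad duration {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def _star(tok: str) -> Optional[str]:
    """'*' means 'any' in every column; represent it as None."""
    return None if tok == "*" else tok


@dataclass
class Rule:
    address: Optional[str]   # None: any local address
    port: str                # port number or service name, e.g. "ssh"
    socktype: str            # "stream" or "dgram"
    proto: str               # "tcp", "tcp6", ...
    iface: Optional[str]     # None: all interfaces ("*")
    owner: Optional[str]     # None: any owner ("*")
    nfail: Optional[int]     # None: never blacklist ("*")
    disable: Optional[int]   # seconds; None for "*"

    def npf_rule_name(self) -> str:
        # "blacklistd-bge0" for an interface-specific rule, as proposed
        return "blacklistd" if self.iface is None else f"blacklistd-{self.iface}"


def parse_rule(line: str) -> Rule:
    fields = line.split()
    # Six columns: port type proto owner nfail disable (the quoted format).
    # Seven columns: the hypothetical interface column sits after proto.
    # A six-column line is treated as "all interfaces" (assumption).
    if len(fields) == 6:
        fields.insert(3, "*")
    if len(fields) != 7:
        raise ValueError(f"expected 6 or 7 fields: {line!r}")
    spec, socktype, proto, iface, owner, nfail, disable = fields
    # Hypothetical address:port first field; "[::1]:ssh" brackets are stripped.
    address, sep, port = spec.rpartition(":")
    if not sep:
        address, port = None, spec
    else:
        address = address.strip("[]")
    return Rule(
        address=address, port=port, socktype=socktype, proto=proto,
        iface=_star(iface), owner=_star(owner),
        nfail=None if nfail == "*" else int(nfail),
        disable=parse_duration(disable),
    )


def parse_config(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return rules


def find_rule(rules: List[Rule], iface: str, address: str,
              port: str, proto: str) -> Optional[Rule]:
    """Most specific matching rule: address beats interface beats wildcard,
    ties broken by file order.  This precedence is an assumption of the
    example, not documented blacklistd behaviour."""
    best, best_score = None, -1
    for r in rules:
        if r.port != port or r.proto != proto:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.address is not None and r.address != address:
            continue
        score = (2 if r.address is not None else 0) + (1 if r.iface is not None else 0)
        if score > best_score:
            best, best_score = r, score
    return best


# Constructed sample: the quoted lines plus the two proposed forms.
SAMPLE_CONF = """\
# Port  type    protocol  owner  nfail  disable
ssh     stream  tcp       *      6      60m
ssh     stream  tcp6      *      6      60m
# external interface (proposed interface column)
ssh     stream  tcp6      bge0   *      6      60m
# internal interface: never blacklist
ssh     stream  tcp6      sk0    *      *      *
# per-address policy (proposed address:port first field)
192.0.2.10:ssh  stream  tcp  *  *  3  1h
"""

if __name__ == "__main__":
    for rule in parse_config(SAMPLE_CONF):
        print(rule.npf_rule_name(), rule)
```

Running the block prints each parsed rule with the npf rule name it would map to; the point of `find_rule` is that once both interface and address qualifiers exist, the daemon has to decide which one wins, and that choice needs to be written down in the configuration format, not left to file order.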

