NetBSD-Users archive


Re: Removing bl[ao]cklist entries?



In article <20200929114430140782.47d64a07%spg.tu-darmstadt.de@localhost>,
Hauke Fath  <hf%spg.tu-darmstadt.de@localhost> wrote:
>All,
>
>we are protecting our mail server's smtp-auth logins with 
>bl[ao]cklistd*. It just so happens that every once in a while, careless 
>updates or configuration changes (don't ask) lead to legitimate 
>connections being blocked.
>
>In this case, there are two databases to fix: bl?cklistd's, and the 
>packet filter's state table. If I just go and remove the relevant entry 
>from the packet filter's (npf in this case) state table, I find myself 
>in a game of whack-a-mole, because bl?cklistd appears to re-create 
>entries corresponding to its database.
>
>And bl?cklistctl(8), despite its name, does not allow for removing 
>blocking entries.
>
>What is the proper procedure here, short of flushing both the 
>bl?cklistd database and all of the packet filter entries?

I considered adding this functionality to blocklistctl, but decided
that it needed to be done carefully to avoid introducing security issues.

One way to do it would be to just use the client library to implement
the functionality to issue a success code for the address and port.
I think I will add it when I find some spare time.

christos


