Source-Changes-HG archive


[src/trunk]: src/external/bsd/blacklist update docs



details:   https://anonhg.NetBSD.org/src/rev/a88b0989666b
branches:  trunk
changeset: 335694:a88b0989666b
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Jan 21 19:37:30 2015 +0000

description:
update docs

diffstat:

 external/bsd/blacklist/README           |  30 +++++++++++++++++++++---------
 external/bsd/blacklist/bin/blacklistd.8 |  11 +++++------
 2 files changed, 26 insertions(+), 15 deletions(-)

diffs (89 lines):

diff -r 66e3a71dad96 -r a88b0989666b external/bsd/blacklist/README
--- a/external/bsd/blacklist/README     Wed Jan 21 19:27:01 2015 +0000
+++ b/external/bsd/blacklist/README     Wed Jan 21 19:37:30 2015 +0000
@@ -34,17 +34,22 @@
 The configuration file contains entries of the form:
 
 # Blacklist rule
-# Port type    protocol        owner           nfail   disable
-ssh    stream  tcp             *               6       60m
-ssh    stream  tcp6            *               6       60m
+# host/Port    type    protocol        owner   name    nfail   disable
+192.168.1.1:ssh        stream  tcp             *       -int    10      1m
+8.8.8.8:ssh    stream  tcp             *       -ext    6       60m
+ssh            stream  tcp6            *       *       6       60m
+http           stream  tcp             *       *       6       60m
 
 Here note that owner is * because the connection is done from the
-child ssh socket which runs with user privs. We also register for
-both tcp and tcp6 since those are different listening sockets and
-addresses. We use nfail = 6, because ssh allows 3 password attempts
-per connection, and this will let us have 2 connections before
-blocking.  Finally we block for an hour; we could block forever
-too by specifying * in the duration column.
+child ssh socket which runs with user privs. We treat ipv4 connections
+differently by maintaining two different rules one for the external
+interface and one from the internal We also register for both tcp
+and tcp6 since those are different listening sockets and addresses;
+we don't bother with ipv6 and separate rules. We use nfail = 6,
+because ssh allows 3 password attempts per connection, and this
+will let us have 2 connections before blocking. Finally we block
+for an hour; we could block forever too by specifying * in the
+duration column.
 
 blacklistd and the library use syslog(3) to report errors. The
 blacklist filter state is persisted automatically in /var/db/blacklistd.db
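Review bot: the new sentence "one for the external interface and one from the internal We also register" in this hunk is missing its sentence break and should read "one for the external interface and one for the internal. We also register ...". The retained explanation of nfail = 6 and the one-hour block now only describes the `8.8.8.8:ssh` and `tcp6` rules; the `192.168.1.1:ssh` rule uses nfail 10 and a 1m block, and the prose should say why the internal interface gets a looser threshold and a shorter lockout. The example also uses 8.8.8.8 as the "external" address, which is a live public resolver; an address from the documentation range (192.0.2.0/24) avoids readers pasting a real host. Finally, the name column shows `-int` and `-ext` while the firewall fragment later in this file uses `ruleset "blacklistd-int"`; state explicitly that the name field is appended to the default rule name (or write the full name in the example) so the two examples visibly agree.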
@@ -59,13 +64,20 @@
 called blacklistd as follows:
 
 ext_if=bge0
+int_if=sk0
        
 group "external" on $ext_if {
        ...
+        ruleset "blacklistd-ext" 
         ruleset "blacklistd" 
        ...
 }
 
+group "internal" on $int_if {
+       ...
+        ruleset "blacklistd-int" 
+       ...
+}
 Enjoy,
 
 christos
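Review bot: the added lines `+        ruleset "blacklistd-ext" ` and `+        ruleset "blacklistd-int" ` carry trailing whitespace and are indented with eight spaces, while the neighbouring `...` lines and the existing `ruleset "blacklistd"` line use a tab; match the existing indentation. The new `group "internal"` block also runs straight into "Enjoy," with no blank line after its closing brace, unlike the blank line that follows the external group. A sentence on why the external group keeps the plain `ruleset "blacklistd"` alongside `blacklistd-ext` would help too, since the reader has to infer that the `tcp6` and `http` rules with `*` in the name column land in the unsuffixed ruleset.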
diff -r 66e3a71dad96 -r a88b0989666b external/bsd/blacklist/bin/blacklistd.8
--- a/external/bsd/blacklist/bin/blacklistd.8   Wed Jan 21 19:27:01 2015 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.8   Wed Jan 21 19:37:30 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: blacklistd.8,v 1.1 2015/01/21 16:16:00 christos Exp $
+.\" $NetBSD: blacklistd.8,v 1.2 2015/01/21 19:37:30 christos Exp $
 .\" 
 .\" Copyright (c) 2015 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -121,19 +121,18 @@
 at the beginning of a line.
 There must be an entry for each field; entries can be numeric or symbolic,
 where appropriate (
-.Dv service-name ,
+.Dv service ,
 .Dv user )
 and can be
 .Dq *
-for all fields except 
-.Dv nfail and
-.Dv duration :
+for all fields.
 The fields of the configuration file are as follows:
 .Bd -literal -offset indent
-service-name
+[address:]service
 socket-type
 protocol
 user
+rulename
 nfail
 duration
 .Ed
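Review bot: the field list gains `[address:]service` and `rulename`, but the text in this hunk describes neither: say what address forms are accepted before the colon (the README example shows a dotted IPv4 address) and what `rulename` is matched against in the firewall configuration. Changing "for all fields except nfail and duration" to "for all fields." also needs a sentence on what `*` means for `nfail`, since a wildcard failure count has no obvious reading, whereas the README already documents `*` in the duration column as "block forever". The removed line `.Dv nfail and` had a bare word on a macro line, which mdoc would treat as an argument to `.Dv`; the rewrite drops it, which is correct.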