On 23/05/2018 12:27, Patrick Welche wrote:
> On Tue, May 22, 2018 at 11:03:34AM +0100, Stephen Borrill wrote:
>>> While it worked okay I found that the number of firewall rules it produced crept up to be stupidly large over time. This plus the startup annoyance made me switch to blacklistd. I'm still using ipf as a firewall so I cooked my own custom script to integrate it with ipf (it defaults to npf) based on the scripts that FreeBSD provides.
>> Nice, care to share your ipf-interfacing script (and/or make it committable)?
> If you mean blacklistd + ipf, doesn't it already "just work"? (Surprised to see "npf only" comment earlier in thread: /usr/src/external/bsd/blacklist/libexec/blacklistd-helper

The only reason I said that is that I did this on NetBSD 7-stable where the /libexec/blacklistd-helper that gets installed only contains support for npf.
When I read your e-mail I checked my 8.0 machine and this script has changed to support all types of firewall which is good :). I'd still need my custom script as the default insertion logic wouldn't work for me as I'm inserting rules into an existing firewall ruleset rather than using the firewall just for blacklisting. So I'm inserting my ipf rules into a specific blacklistd group so I can control at what point in my global ruleset the blacklist gets applied. If anyone still wants my script (and a skeleton ipf.conf) for this alternate use case I'm happy to share.
I'm going to be attempting to reproduce it in npf as well as I've got an updated firewall box to deploy which I'm hoping will use npf instead of ipf (assuming I can make npf do everything I want).
Mike
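As an added illustration of the "rules into a dedicated ipf group" approach discussed above (this is example code written for this thread, not Mike's script and not NetBSD's own /libexec/blacklistd-helper), here is one shape such a helper can take. The argument order (action interface protocol address mask port id), the group number 500, the interface name and the head rule are all assumptions.

```shell
#!/bin/sh
# Example blacklistd helper for ipf that confines its block rules to one
# ipf rule group. Where the group is consulted is decided by a "head" rule
# in the main ipf.conf (assumed), e.g.:   pass in on wm0 head 500
# so blacklisting can sit at any chosen point in an existing ruleset.
# Assumed calling convention: action interface protocol address mask port id

BL_GROUP=${BL_GROUP:-500}      # assumed group number
IPF=${IPF:-/sbin/ipf}
IPFSTAT=${IPFSTAT:-/sbin/ipfstat}

# Build the ipf rule text for one blocked address. Printed, not applied,
# so the rule can be inspected (and tested) without touching the kernel.
bl_ipf_rule() {
    # $1 interface  $2 protocol  $3 address  $4 mask (prefix length)  $5 port
    iface=$1; proto=$2; addr=$3; mask=$4; port=$5
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    printf 'block in quick on %s proto %s from %s/%s to any port = %s group %s\n' \
        "$iface" "$proto" "$addr" "$mask" "$port" "$BL_GROUP"
}

# Apply (add) or withdraw (rem) one rule. "ipf -f -" reads rules from
# stdin; "-r" removes instead of adding. Both require root.
bl_ipf_apply() {
    action=$1; shift
    rule=$(bl_ipf_rule "$@") || return 1
    case "$action" in
        add) printf '%s\n' "$rule" | "$IPF" -f - ;;
        rem) printf '%s\n' "$rule" | "$IPF" -r -f - ;;
        *)   echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Flush only this group, leaving the rest of the ruleset alone. Assumes
# "ipfstat -io" prints rules in a form that "ipf -r -f -" accepts back.
bl_ipf_flush() {
    "$IPFSTAT" -io 2>/dev/null | grep " group $BL_GROUP\$" | "$IPF" -r -f -
}

# Dispatch only when blacklistd actually passes arguments.
case "${1:-}" in
    add|rem) [ "$#" -ge 6 ] && bl_ipf_apply "$1" "$2" "$3" "$4" "$5" "$6" ;;
    flush)   bl_ipf_flush ;;
esac
```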