forked from solene/iblock
Compare commits
5 Commits
1a60f738f2
...
a2702bad84
Author | SHA1 | Date |
---|---|---|
prx | a2702bad84 | |
solene | 747a833df3 | |
Solene Rapenne | 1f21555152 | |
solene | f272f53c0c | |
prx | 7910b7ea11 |
2
Makefile
2
Makefile
|
@ -9,7 +9,7 @@ PREFIX = /usr/local
|
|||
all: iblock
|
||||
|
||||
iblock: main.c
|
||||
${CC} -o iblock main.c
|
||||
${CC} ${CFLAGS} -o iblock main.c
|
||||
|
||||
clean:
|
||||
rm -f iblock
|
||||
|
|
|
@ -4,6 +4,7 @@ iblock is an inetd program adding the client IP to a Packet Filter table.
|
|||
|
||||
It is meant to be used to block scanner connecting on unused ports.
|
||||
|
||||
Upon connection, the IP is added to a PF table and all established connections with this IP are killed. You need to use a PF bloking rule using the table.
|
||||
|
||||
# How to use
|
||||
|
||||
|
@ -26,8 +27,8 @@ permit nopass _iblock cmd /sbin/pfctl
|
|||
Start inetd service with this in `/etc/inetd.conf`:
|
||||
|
||||
```
|
||||
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock
|
||||
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock
|
||||
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock
|
||||
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock
|
||||
```
|
||||
|
||||
You can change the PF table by adding it as a parameter like this:
|
||||
|
@ -35,8 +36,8 @@ You can change the PF table by adding it as a parameter like this:
|
|||
In this example, the parameter `blocklist` will add IPs to the `blocklist` PF table.
|
||||
|
||||
```
|
||||
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock blocklist
|
||||
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
|
||||
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock blocklist
|
||||
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock blocklist
|
||||
```
|
||||
|
||||
Default is "iblocked" table.
|
||||
|
|
14
main.c
14
main.c
|
@ -5,6 +5,7 @@
|
|||
#include <netdb.h>
|
||||
#include <netinet/in.h>
|
||||
#include <syslog.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <sys/socket.h>
|
||||
|
@ -18,10 +19,11 @@ int main(int argc, char *argv[]){
|
|||
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
||||
char table[TABLE_LEN] = DEFAULT_TABLE;
|
||||
int status = 0;
|
||||
pid_t id;
|
||||
|
||||
if (unveil("/usr/bin/doas", "rx") != 0)
|
||||
err(1, "unveil");
|
||||
if (pledge("exec inet stdio", NULL) != 0)
|
||||
if (pledge("exec inet proc stdio", NULL) != 0)
|
||||
err(1, "pledge");
|
||||
|
||||
/* configuration */
|
||||
|
@ -46,7 +48,15 @@ int main(int argc, char *argv[]){
|
|||
switch (sock.ss_family) {
|
||||
case AF_INET: /* FALLTHROUGH */
|
||||
case AF_INET6:
|
||||
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
||||
id = fork();
|
||||
|
||||
// child process
|
||||
if (id == 0) {
|
||||
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
||||
} else { // parent process
|
||||
wait(NULL);
|
||||
}
|
||||
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
|
||||
break;
|
||||
default:
|
||||
exit(2);
|
||||
|
|
Loading…
Reference in New Issue