Compare commits



3 changed files with 18 additions and 7 deletions


@ -9,7 +9,7 @@ PREFIX = /usr/local
all: iblock
iblock: main.c
${CC} -o iblock main.c
${CC} ${CFLAGS} -o iblock main.c
clean:
rm -f iblock


@ -4,6 +4,7 @@ iblock is an inetd program adding the client IP to a Packet Filter table.
It is meant to be used to block scanner connecting on unused ports.
Upon connection, the IP is added to a PF table and all established connections with this IP are killed. You need to use a PF bloking rule using the table.
# How to use
@ -26,8 +27,8 @@ permit nopass _iblock cmd /sbin/pfctl
Start inetd service with this in `/etc/inetd.conf`:
```
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock
```
You can change the PF table by adding it as a parameter like this:
@ -35,8 +36,8 @@ You can change the PF table by adding it as a parameter like this:
In this example, the parameter `blocklist` will add IPs to the `blocklist` PF table.
```
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock blocklist
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock blocklist
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock blocklist
```
Default is "iblocked" table.

main.c

@ -5,6 +5,7 @@
#include <netdb.h>
#include <netinet/in.h>
#include <syslog.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/socket.h>
@ -18,10 +19,11 @@ int main(int argc, char *argv[]){
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
char table[TABLE_LEN] = DEFAULT_TABLE;
int status = 0;
pid_t id;
if (unveil("/usr/bin/doas", "rx") != 0)
err(1, "unveil");
if (pledge("exec inet stdio", NULL) != 0)
if (pledge("exec inet proc stdio", NULL) != 0)
err(1, "pledge");
/* configuration */
@ -46,7 +48,15 @@ int main(int argc, char *argv[]){
switch (sock.ss_family) {
case AF_INET: /* FALLTHROUGH */
case AF_INET6:
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
id = fork();
// child process
if (id == 0) {
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
} else { // parent process
wait(NULL);
}
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
break;
default:
exit(2);
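Review bot: The child branch of the new fork (the `if (id == 0)` block with the `-T add` execl) has no exit after execl, so if the exec fails the child falls out of the block, runs the `-k` execl and whatever follows in main alongside the parent; the child needs `warn("execl"); _exit(1);` right after its execl. A fork failure (`id == -1`) is also unhandled: it takes the else branch, where `wait(NULL)` returns immediately with no child and the parent still goes on to the kill command, so `if (id == -1) err(1, "fork");` belongs before the branch. The parent further discards the child's exit status, so a failed `pfctl -T add` (doas denied, bad table name) is not distinguished from success before the established states are killed; the `int status = 0;` declared in the earlier hunk looks intended for a `waitpid(id, &status, 0)` with a `WIFEXITED`/`WEXITSTATUS` check. main() continues past the end of this hunk.
```c
case AF_INET6:
    id = fork();
    if (id == -1)
        err(1, "fork");
    if (id == 0) { /* child: add the client address to the PF table */
        execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
        warn("execl"); /* only reached when exec failed; do not run the parent's path */
        _exit(1);
    }
    if (waitpid(id, &status, 0) == -1)
        err(1, "waitpid");
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        errx(1, "pfctl -T add failed");
    execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
    /* … unchanged: break, default case … */
```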