No commits in common. "a2702bad8405a0a56ba176c88bca6bdaee0049f7" and "1a60f738f220e0b1aa8f3da106d94f449c766f14" have entirely different histories.
a2702bad84
...
1a60f738f2
2
Makefile
2
Makefile
|
@ -9,7 +9,7 @@ PREFIX = /usr/local
|
||||||
all: iblock
|
all: iblock
|
||||||
|
|
||||||
iblock: main.c
|
iblock: main.c
|
||||||
${CC} ${CFLAGS} -o iblock main.c
|
${CC} -o iblock main.c
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
rm -f iblock
|
rm -f iblock
|
||||||
|
|
|
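Review bot: The `iblock:` recipe that reads `${CC} -o iblock main.c` drops `${CFLAGS}` (and passes no `${LDFLAGS}`), so flags supplied by the environment or a package build — warning flags, and the hardening flags a ports system normally injects — never reach the compile. Which side of this comparison that line belongs to is not marked on the page, so treat this as a check on whichever version is kept: the recipe should be `${CC} ${CFLAGS} ${LDFLAGS} -o iblock main.c`. The `PREFIX` line named in the hunk header and any install target lie outside the hunk.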
@ -4,7 +4,6 @@ iblock is an inetd program adding the client IP to a Packet Filter table.
|
||||||
|
|
||||||
It is meant to be used to block scanner connecting on unused ports.
|
It is meant to be used to block scanner connecting on unused ports.
|
||||||
|
|
||||||
Upon connection, the IP is added to a PF table and all established connections with this IP are killed. You need to use a PF bloking rule using the table.
|
|
||||||
|
|
||||||
# How to use
|
# How to use
|
||||||
|
|
||||||
|
@ -27,8 +26,8 @@ permit nopass _iblock cmd /sbin/pfctl
|
||||||
Start inetd service with this in `/etc/inetd.conf`:
|
Start inetd service with this in `/etc/inetd.conf`:
|
||||||
|
|
||||||
```
|
```
|
||||||
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock
|
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock
|
||||||
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock
|
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock
|
||||||
```
|
```
|
||||||
|
|
||||||
You can change the PF table by adding it as a parameter like this:
|
You can change the PF table by adding it as a parameter like this:
|
||||||
|
@ -36,8 +35,8 @@ You can change the PF table by adding it as a parameter like this:
|
||||||
In this example, the parameter `blocklist` will add IPs to the `blocklist` PF table.
|
In this example, the parameter `blocklist` will add IPs to the `blocklist` PF table.
|
||||||
|
|
||||||
```
|
```
|
||||||
666 stream tcp nowait _iblock /usr/local/sbin/iblock iblock blocklist
|
666 stream tcp nowait _iblock /usr/local/bin/iblock iblock blocklist
|
||||||
666 stream tcp6 nowait _iblock /usr/local/sbin/iblock iblock blocklist
|
666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocklist
|
||||||
```
|
```
|
||||||
|
|
||||||
Default is "iblocked" table.
|
Default is "iblocked" table.
|
||||||
|
|
14
main.c
14
main.c
|
@ -5,7 +5,6 @@
|
||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <netinet/in.h>
|
#include <netinet/in.h>
|
||||||
#include <syslog.h>
|
#include <syslog.h>
|
||||||
#include <sys/wait.h>
|
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
@ -19,11 +18,10 @@ int main(int argc, char *argv[]){
|
||||||
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
char ip[INET6_ADDRSTRLEN] = {'\0'}; /* INET6_ADDRSTRLEN > INET_ADDRSTRLEN */
|
||||||
char table[TABLE_LEN] = DEFAULT_TABLE;
|
char table[TABLE_LEN] = DEFAULT_TABLE;
|
||||||
int status = 0;
|
int status = 0;
|
||||||
pid_t id;
|
|
||||||
|
|
||||||
if (unveil("/usr/bin/doas", "rx") != 0)
|
if (unveil("/usr/bin/doas", "rx") != 0)
|
||||||
err(1, "unveil");
|
err(1, "unveil");
|
||||||
if (pledge("exec inet proc stdio", NULL) != 0)
|
if (pledge("exec inet stdio", NULL) != 0)
|
||||||
err(1, "pledge");
|
err(1, "pledge");
|
||||||
|
|
||||||
/* configuration */
|
/* configuration */
|
||||||
|
@ -48,15 +46,7 @@ int main(int argc, char *argv[]){
|
||||||
switch (sock.ss_family) {
|
switch (sock.ss_family) {
|
||||||
case AF_INET: /* FALLTHROUGH */
|
case AF_INET: /* FALLTHROUGH */
|
||||||
case AF_INET6:
|
case AF_INET6:
|
||||||
id = fork();
|
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
||||||
|
|
||||||
// child process
|
|
||||||
if (id == 0) {
|
|
||||||
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL);
|
|
||||||
} else { // parent process
|
|
||||||
wait(NULL);
|
|
||||||
}
|
|
||||||
execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-k", ip, NULL);
|
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
exit(2);
|
exit(2);
|
||||||
|
|
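Review bot: The new `case AF_INET6:` arm calls `execl("/usr/bin/doas", "doas", "/sbin/pfctl", "-t", table, "-T", "add", ip, NULL)` and then reaches `break;` without checking the result, so when the exec fails (doas absent, pfctl path different, unveil denying the path) the client IP is never added to the table and execution continues past the switch as if it had succeeded. Since execl only returns on failure, follow it with `err(1, "execl");`, matching how the unveil and pledge failures are already handled in the earlier hunk of this file. The `default:` arm's `exit(2)` likewise gives an operator no record of which address family was rejected; a `syslog(3)` call there would help, but confirm the logger is set up elsewhere in main first. The remainder of main, including where `sock` and `ip` are filled in, lies outside the hunk.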