iblock is an inetd program adding the client IP to a Packet Filter table. It is meant to be used to block scanners connecting on unused ports.
Latest commit: 517c24f322 "Fix a check issue, from Quentin Rameau" by Solene Rapenne, 2021-02-28 17:31:08 +01:00

Files:

  • LICENSE: Update license file (2021-02-25 20:43:52 +01:00)
  • Makefile: Add simple Makefile with test suite (2021-02-26 00:10:27 +01:00)
  • README.md: Add label in example and how to use it (2021-02-28 17:03:59 +01:00)
  • main.c: Fix a check issue, from Quentin Rameau (2021-02-28 17:31:08 +01:00)

README.md

iblock

iblock is an inetd program adding the client IP to a Packet Filter table.

It is meant to be used to block scanners connecting on unused ports.

How to use

Start the inetd service with this line in /etc/inetd.conf:

666 stream tcp nowait root /usr/local/bin/iblock iblock

Add this to /etc/pf.conf; the blocking_tcp variable chooses which ports trigger the ban:

# services triggering a block
blocking_tcp="{ 21 23 53 111 135 137:139 445 1433 25565 5432 3389 3306 27019 }"

table <blocked> persist

pass in quick on egress proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 666
block in quick from <blocked> label iblock

Done! You can list the banned IPs with pfctl -t blocked -T show, and iblock logs each block as well.

In the example a label is attached to the block rule, so pfctl -s labels shows statistics for that rule; see the pfctl documentation for the meaning of the columns.
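The sketch below, added here as an example and not iblock's own main.c, shows the pieces an inetd-spawned blocker like this needs: reading the peer address from the socket inetd passes on fd 0, refusing anything that is not IPv4 (the TODO notes IPv6 is not supported yet), logging via syslog, and handing a pfctl command line for the <blocked> table to execvp without going through a shell. The table name "blocked" comes from the README; the program name "iblock-example" and the function names are assumptions.

```c
/* Added example (not iblock's own code): the address handling an inetd
 * blocker needs. Assumes inetd hands the accepted TCP connection on fd 0,
 * that the pf table is named "blocked" as in the README, and that pfctl is
 * on PATH. Only the pure helpers are meant to be tested; pfctl is invoked
 * from main() alone. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

#define PF_TABLE "blocked"

/* Render the peer address as dotted text. Only AF_INET is accepted, so a
 * socket of another family (IPv6, or something odd if not started from
 * inetd) never reaches pfctl. Returns 0 on success, -1 otherwise; a too
 * small output buffer also fails because inet_ntop reports ENOSPC. */
int peer_to_text(const struct sockaddr *sa, socklen_t len, char *out, size_t outlen)
{
    if (sa == NULL || len < sizeof(struct sockaddr_in) || sa->sa_family != AF_INET)
        return -1;
    const struct sockaddr_in *sin = (const struct sockaddr_in *)sa;
    if (inet_ntop(AF_INET, &sin->sin_addr, out, outlen) == NULL)
        return -1;
    return 0;
}

/* Build argv for "pfctl -t <table> -T add <ip>". The address comes from
 * inet_ntop, so it holds only digits and dots, and execvp takes the vector
 * directly: no shell, so nothing the peer controls is ever parsed by one.
 * Returns the argument count (6) or -1 if the vector is too small. */
int build_pfctl_argv(const char *table, const char *ip, char *argv[], size_t argv_len)
{
    if (argv_len < 7 || table == NULL || ip == NULL)
        return -1;
    argv[0] = "pfctl";
    argv[1] = "-t";
    argv[2] = (char *)table;
    argv[3] = "-T";
    argv[4] = "add";
    argv[5] = (char *)ip;
    argv[6] = NULL;
    return 6;
}

int main(void)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    char ip[INET_ADDRSTRLEN];
    char *argv[7];

    openlog("iblock-example", LOG_PID, LOG_DAEMON); /* assumed program name */
    /* inetd connects the accepted socket to stdin/stdout of the child. */
    if (getpeername(STDIN_FILENO, (struct sockaddr *)&ss, &len) == -1) {
        syslog(LOG_ERR, "getpeername on fd 0 failed: not started from inetd?");
        return 1;
    }
    if (peer_to_text((struct sockaddr *)&ss, len, ip, sizeof(ip)) == -1) {
        syslog(LOG_WARNING, "ignoring connection from non-IPv4 peer");
        return 1;
    }
    syslog(LOG_NOTICE, "adding %s to table <%s>", ip, PF_TABLE);
    if (build_pfctl_argv(PF_TABLE, ip, argv, 7) == -1)
        return 1;
    execvp(argv[0], argv);
    syslog(LOG_ERR, "execvp pfctl failed");
    return 1;
}
```

Because the rdr-to rule hands every connection on a listed port to this program, the only input it trusts is the kernel-reported peer address; keeping the pfctl invocation exec-based rather than building a command string is what makes that safe.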

TODO

  • make install should do something
  • A proper man page
  • Support IPv6
  • make it work with doas
  • pf table as a parameter