The net/iblock port
iblock-1.1.2 – inetd program to blackhole IPs connecting to it (cvsweb github mirror)
Description
iblock is an inetd program that adds the client IP to a Packet Filter table. It is meant to listen on a port under inetd and receive the connections that PF redirects to it from a list of ports you want to block.

WWW: https://tildegit.org/solene/iblock/
Readme
+-------------------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-------------------------------------------------------------------------------

Add doas permission
===================

```
# /etc/doas.conf
permit nopass _iblock cmd /sbin/pfctl
```

Configure inetd
===============

In order to run iblock, you need to modify /etc/inetd.conf:

```
# inetd.conf
666 stream tcp nowait _iblock ${LOCALBASE}/sbin/iblock iblock iblocked
666 stream tcp6 nowait _iblock ${LOCALBASE}/sbin/iblock iblock iblocked
```

Enable inetd service
====================

You need to enable and start inetd.

```
$ rcctl enable inetd
$ rcctl start inetd
```

Firewall configuration
======================

```
# /etc/pf.conf
table <iblocked> persist
iblock_services="{ 20 21 23 53 88 110 143 445 3306 6697 25565 }"
block in quick from <iblocked> label iblock
pass in quick on egress inet proto tcp to port $iblock_services \
	rdr-to 127.0.0.1 port 666 label "block_$dstport"
pass in quick on egress inet6 proto tcp to port $iblock_services \
	rdr-to ::1 port 666 label "block6_$dstport"
```

The label keyword allows displaying blocking statistics with `pfctl -s labels`.

Usage
=====

Upon connection on the inetd port, iblock will run pfctl to add the IP to a
PF table that you can block.
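The readme describes the mechanism (inetd hands the accepted socket to the program, which runs pfctl to add the peer to a table) and mentions reading the per-port statistics with `pfctl -s labels`. The following is an added Python model of both steps; it is not iblock's own code, which is a separate program in the port. It assumes the table name arrives as the first argument (as the `iblock iblocked` line in inetd.conf suggests), that pfctl is at /sbin/pfctl as in the doas rule, and the `pfctl -s labels` sample lines are constructed for the parser, not captured output.

```python
"""Added example (not iblock's own code): an inetd-style blocker that asks the
kernel who connected and builds the pfctl call, plus a parser for the
`pfctl -s labels` counters referenced in the readme.

Assumptions: table name is argv[1] (hypothetical, mirrors the inetd.conf
line), pfctl lives at /sbin/pfctl, sample label lines below are constructed.
"""
import ipaddress
import socket
import subprocess
import sys

PFCTL = "/sbin/pfctl"  # same path the readme's doas.conf rule permits


def validate_table_name(name: str) -> str:
    """Restrict the table name to a conservative charset so a stray argv
    cannot add extra tokens to the pfctl command (this example's choice)."""
    if not name or not all(c.isalnum() or c in "_-" for c in name):
        raise ValueError(f"unsafe table name: {name!r}")
    return name


def normalize_peer(addr: str) -> str:
    """Canonicalise the address getpeername() returned. A tcp6 inetd socket
    may report a v4-mapped peer (::ffff:a.b.c.d); unwrap it so the table
    entry matches the inet rule. Raises ValueError on anything not an IP."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return str(ip)


def build_pfctl_argv(table: str, peer: str) -> list[str]:
    """argv for: pfctl -t <table> -T add <ip>."""
    return [PFCTL, "-t", validate_table_name(table),
            "-T", "add", normalize_peer(peer)]


def peer_from_inetd_stdin() -> str:
    """Under inetd the accepted connection is fd 0. Ask the kernel for the
    peer address instead of trusting anything the client sends."""
    sock = socket.socket(fileno=0)  # family/type auto-detected from the fd
    return sock.getpeername()[0]


def block_peer(table: str, peer: str, dry_run: bool = False) -> list[str]:
    """Add one peer to the table via doas (the _iblock user may not run
    pfctl directly). Returns the argv so callers can log or test it."""
    argv = build_pfctl_argv(table, peer)
    if not dry_run:
        subprocess.run(["doas", *argv], check=True)
    return argv


def parse_pf_labels(text: str) -> dict[str, tuple[int, int]]:
    """Parse `pfctl -s labels` output into {label: (evaluations, packets)}.
    Only the first two counters are read, so the number of trailing
    in/out/state columns, which varies by release, does not matter."""
    stats: dict[str, tuple[int, int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue
        stats[parts[0]] = (int(parts[1]), int(parts[2]))
    return stats


# Constructed sample of what the readme's rules would produce: the
# "block_$dstport" label is expanded per port when the ruleset loads.
SAMPLE_LABELS = """\
block_23 3 3 180 3 180 0 0 0
block_3306 7 7 420 7 420 0 0 0
iblock 40 40 2400 40 2400 0 0 0
"""


def main() -> None:
    table = sys.argv[1] if len(sys.argv) > 1 else "iblocked"
    if "--labels" in sys.argv:          # offline demo of the stats parser
        for label, (evals, pkts) in parse_pf_labels(SAMPLE_LABELS).items():
            print(f"{label:12} evaluations={evals} packets={pkts}")
        return
    argv = block_peer(table, peer_from_inetd_stdin(),
                      dry_run="--dry-run" in sys.argv)
    print("would run" if "--dry-run" in sys.argv else "ran", " ".join(argv),
          file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run with `--labels` to exercise the parser on the constructed sample without a socket; under inetd the script expects the connection on fd 0 exactly as the readme's inetd.conf lines arrange for iblock. Validating the peer address through `ipaddress` and limiting the table name's charset keep the only privileged step, the doas-wrapped pfctl call, from ever receiving anything but a table name and a literal IP.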
Maintainer
The OpenBSD ports mailing-list
Categories
Files
- /usr/local/sbin/iblock
- /usr/local/share/doc/pkg-readmes/iblock
- @newgroup _iblock:884
- @newuser _iblock:884:884::iblock inetd user:/nonexistent:/sbin/nologin