mcblockd.conf(5) FreeBSD File Formats Manual mcblockd.conf(5)

NAME

mcblockd.conf - mcblockd configuration file.

SYNOPSIS

mcblockd.conf

DESCRIPTION

mcblockd.conf is the configuration file for mcblockd(8).

FILE FORMAT

mcblockd.conf contains multiple stanzas. Each stanza contains attributes (name:value pairs) or sub-stanzas. Stanzas are opened with a name and { and closed with a }. Attribute notation is name: value;
Comments start with # and continue to the end of the line. Empty lines are ignored.

Syslog stanza

The Syslog stanza contains settings for syslog.
Facility: name;
The syslog facility. This may be one of "user", "daemon", "auth", "local0", "local1", "local2", "local3", "local4", "local5", "local6" or "local7". The default is "daemon".
MinimumPriority: priority;
The lowest priority that will be logged. This may be "debug", "info", "notice", "warning", "error", "critical", "alert" or "emergency". The default is "info".
ShowFileLocations: boolean;
If true, mcblockd will show file and line number information in each syslog message. This is typically set to false, but may be set to true during development or debugging. The default is false.
An example Syslog stanza is shown below.
Syslog { 
  Facility: local0; 
  MinimumPriority: info; 
  ShowFileLocations: false; 
}

Server stanza

The Server stanza is composed of multiple sub-stanzas.
PF sub-stanza
The PF sub-stanza sets the pf (packet filter) parameters.
Device: path;
The path to the pf device. This is normally /dev/pf.
TCP sub-stanza
Address: ipv4_address;
The IPv4 address to which we'll bind. This is normally set to the address of a private-side interface.
Port: port_number;
The port to which we'll bind.
Auth sub-stanza
mcblockd(8) uses libDwmAuth for authentication of clients. Three files are required: a private key file, a public key file and a file containing the public keys of clients that will be allowed to access mcblockd(8).
PrivKeyFile: path;
The path to the file containing the private half of a 2048-bit RSA key pair used by mcblockd(8) when authenticating itself to a client. This file, and a corresponding public key file with a .pub suffix, must be created with dwmauth(1).
AuthorizedKeysFile: path;
The path to the file containing the public halves of 2048-bit RSA key pairs (one per line) of clients which are allowed access to mcblockd(8). These keys must have been created with dwmauth(1).
DwmRDAP sub-stanza
mcblockd(8) uses dwmrdapd(8) to obtain prefixes and country codes for IP addresses. The connection to dwmrdapd(8) must be configured properly in order for mcblockd(8) to be used effectively.
PrivKeyFile: path;
The path to a file containing the private half of a 2048-bit RSA key pair that will be used when authenticating to dwmrdapd(8). The corresponding public half of the key must reside in a file with the same name but .pub appended. Normally this file is the same as that configured in the PrivKeyFile attribute of the Auth sub-stanza.
KnownServices: path;
The path to a file containing dwmrdapd's public key. mcblockd(8) uses this to authenticate dwmrdapd(8).
Server: hostname;
The host where dwmrdapd(8) is running.
DatabaseDirectory: path;
The directory where mcblockd(8) will store its databases. This must be the same directory where you keep your pf table files for pf rules, and is hence usually /etc.
An example Server stanza is shown below.
Server { 
  PF { Device: "/dev/pf"; } 
  TCP { Address: 10.1.1.1; Port: 1001; } 
  Auth { 
    PrivKeyFile: "/usr/local/etc/mcblockd/id_rsa"; 
    AuthorizedKeysFile: "/usr/local/etc/mcblockd/authorized_keys"; 
  } 
  DwmRDAP { 
    PrivKeyFile: "/usr/local/etc/mcblockd/id_rsa"; 
    KnownServices: "/usr/local/etc/mcblockd/known_services"; 
    Server: "gw1.example.com"; 
  } 
  DatabaseDirectory: "/etc"; 
}

AddRules

The AddRules stanza contains rules for adding to the prefix database, on a per-table basis. Each pf table has its own sub-stanza within the AddRules stanza, with the sub-stanza named the same as the pf table. Within a table sub-stanza are rule sub-stanzas containing rules that are matched in alphabetical order when mcblockd is adding a prefix to the database.
The matching is done against the country code of origin of the IP address, which is specified in a rule with a regular expression.
Within a rule are the following attributes:
countries: regular_expression;
A regular expression of country codes to match against the origin of an IP address we'd like to add to the database for the pf table.
widestMask: netmask_length;
The maximum netmask length to apply when adding an IP to the database. dwmrdapd(8) may return a very wide mask for a given IP address, and you may wish to constrain the width to, say, a /24 instead of adding a huge swath of IP addresses.
days: days;
The number of days to keep the new prefix active in the database (and hence the pf table).
logThresh: hit_count;
This is used by mcblockd(8) when responding to a 'logHit' request (say from mcblocklog(1)). mcblockd(8) will not insert the prefix into the database until this threshold is exceeded during a period specified by logDays.
logDays: days;
This is used by mcblockd(8) when responding to a 'logHit' request (say from mcblocklog(1)). mcblockd(8) will not insert the prefix into the database until the threshold (logThresh) is exceeded during this period, in days.
 
An example AddRules stanza is shown below. We have two rulesets (corresponding to two pf tables), ssh_losers and www_losers.
AddRules { 
  ssh_losers { 
    Rule1 { countries: "CA|UM|US|VI"; 
            widestMask: 24;     days: 30; 
            logThresh:   5;  logDays: 7; 
    } 
    Rule2 { countries: ".*"; 
            widestMask: 10;     days: 180; 
            logThresh:   1;  logDays: 1; 
    } 
  } 
  www_losers { 
    Rule1 { countries: "CA|GB|MX|UM|US|VI"; 
            widestMask: 24;     days: 30; 
    } 
    Rule2 { countries: "AF|AM|AR|AZ|BA|BG|BH|BO|BR|BZ|CN|CO|CL|HK|HR|" 
                       "IQ|IR|KG|KH|KR|KZ|LR|LT|LV|MD|PE|PK|PS|RO|RS|" 
                       "RU|SA|SI|SK|SY|TR|UA|UZ|VN"; 
            widestMask: 10;     days: 90; 
    } 
    Rule3 { countries: ".*"; 
            widestMask: 10;     days: 30; 
    } 
  } 
}
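As an added illustration of the stanza syntax and of the AddRules matching described above (example code, not part of mcblockd or this manual): a small Python parser for the file format, followed by rule selection in alphabetical order and the widestMask clamp. The sample configuration text, the full-match regex semantics and the function names are assumptions, not mcblockd's own behaviour.

```python
import ipaddress
import re

# Constructed sample in the stanza syntax described above (not from a real host);
# Rule2 shows adjacent quoted strings being joined as in the www_losers example.
SAMPLE = """
AddRules {
  ssh_losers {
    Rule1 { countries: "CA|UM|US|VI"; widestMask: 24; days: 30; }
    Rule2 { countries: "AF|AM|"
                       "RU|VN";       widestMask: 10; days: 90; }
    Rule3 { countries: ".*";          widestMask: 10; days: 180; }
  }
}
"""
# token classes: whitespace, # comments, "quoted strings", punctuation, bare words
TOKEN = re.compile(r'\s+|#[^\n]*|"[^"]*"|[{};:]|[^\s{};:"#]+')

def tokenize(text):
    return [m.group(0) for m in TOKEN.finditer(text)
            if not m.group(0).isspace() and not m.group(0).startswith('#')]

def parse(tokens, i=0):
    out = {}                                    # attributes -> str, sub-stanzas -> dict
    while i < len(tokens) and tokens[i] != '}':
        name, sep = tokens[i], tokens[i + 1]
        if sep == '{':                          # sub-stanza: name { ... }
            out[name], i = parse(tokens, i + 2)
            i += 1                              # step over the closing '}'
        elif sep == ':':                        # attribute: name: value;
            i += 2
            parts = []
            while tokens[i] != ';':
                parts.append(tokens[i])
                i += 1
            out[name] = ''.join(p[1:-1] if p.startswith('"') else p for p in parts)
            i += 1                              # step over the ';'
        else:
            raise ValueError(f'expected "{{" or ":" after {name!r}, got {sep!r}')
    return out, i

def select_rule(table_rules, country):
    for name in sorted(table_rules):            # matched in alphabetical order: Rule1, Rule2, ...
        if re.fullmatch(table_rules[name]['countries'], country):  # full-match is an assumption
            return name, table_rules[name]
    return None, None

def constrain(ip, rdap_prefixlen, widest_mask):
    # never store a prefix wider than widestMask: keep the longer of the two lengths
    plen = max(int(rdap_prefixlen), int(widest_mask))
    return ipaddress.ip_network(f'{ip}/{plen}', strict=False)
```

With the sample above, a US address falls under Rule1 and a /8 returned by dwmrdapd(8) is stored as a /24, while a RU address falls under Rule2 and keeps anything down to a /10.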

SEE ALSO

mcblocklog(8), mcblockc(1), dwmauth(1), dwmrdapd(8), dwmrdapd.conf(5)

COPYRIGHT

Copyright (c) 2017 Daniel W. McRobb dwm@mcplex.net
April 25, 2017 FreeBSD 11.1-BETA1