NAME
mcblockd.conf — mcblockd configuration file.
SYNOPSIS
DESCRIPTION
mcblockd.conf is the configuration file for mcblockd(8).

mcblockd.conf contains multiple stanzas. Each stanza contains attributes
(name:value pairs) or sub-stanzas. Stanzas are opened with a name and { and
closed with a }. Attribute notation is

    name: value;

Comments start with # and continue to the end of the line. Empty lines are
ignored.
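As an added example (not part of the mcblockd project), a small Python parser for the stanza syntax just described. It assumes that the syntax above is the whole grammar and that adjacent quoted strings concatenate, as the AddRules example later on this page relies on; the function names and the SAMPLE config are constructed for illustration.

```python
import re
# Assumes the syntax above is the whole grammar and that adjacent quoted strings concatenate.
_TOKEN_RE = re.compile(r'\s+|#[^\n]*|"([^"]*)"|([{}:;])|([^\s{}:;"#]+)')

def tokenize(text):
    """Yield (kind, value) tokens; whitespace and # comments yield nothing."""
    pos = 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:                            # e.g. an unterminated quote
            raise ValueError("bad token at offset %d" % pos)
        pos = m.end()
        if m.lastindex:                          # None for whitespace/comments
            yield ("str", "punct", "word")[m.lastindex - 1], m.group(m.lastindex)

def _parse_body(tokens, i):
    # Parse attributes and sub-stanzas up to a '}' or EOF; returns (dict, index).
    body = {}
    while i < len(tokens) and tokens[i] != ("punct", "}"):
        kind, name = tokens[i]
        if kind != "word":
            raise ValueError("expected a name, got %r" % name)
        i += 1
        if i < len(tokens) and tokens[i] == ("punct", "{"):        # sub-stanza
            body[name], i = _parse_body(tokens, i + 1)
            if i >= len(tokens):
                raise ValueError("stanza %r is missing its '}'" % name)
            i += 1                                                 # consume '}'
        elif i < len(tokens) and tokens[i] == ("punct", ":"):      # attribute
            parts, i = [], i + 1
            while i < len(tokens) and tokens[i][0] != "punct":     # words/strings
                parts.append(tokens[i][1])
                i += 1
            if i >= len(tokens) or tokens[i] != ("punct", ";"):
                raise ValueError("attribute %r is missing its ';'" % name)
            body[name], i = "".join(parts), i + 1
        else:
            raise ValueError("expected '{' or ':' after %r" % name)
    return body, i

def parse_config(text):
    """Parse a whole mcblockd.conf into nested dicts; attribute values stay strings."""
    tokens = list(tokenize(text))
    body, i = _parse_body(tokens, 0)
    if i != len(tokens):
        raise ValueError("stray '}' at top level")
    return body

SAMPLE = '''# constructed sample, not a real deployment
Syslog { Facility: local0; MinimumPriority: info; }   # trailing comment
Server { TCP { Address: 10.1.1.1; Port: 1001; } DatabaseDirectory: "/etc"; }
AddRules { www_losers { Rule2 { countries: "AF|AM|" "VN"; widestMask: 10; } } }'''
```

A config that fails to parse raises ValueError naming the offending attribute or stanza, which is the check to run before handing a new file to the daemon.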
Syslog stanza
The Syslog stanza contains settings for syslog.

Facility: name;
    The syslog facility. This may be one of "user", "daemon", "auth",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6" or
    "local7". The default is "daemon".

MinimumPriority: priority;
    The lowest priority that will be logged. This may be "debug", "info",
    "notice", "warning", "error", "critical", "alert" or "emergency". The
    default is "info".

ShowFileLocations: boolean;
    If true, mcblockd will show file and line number information in each
    syslog message. This is typically set to false, but may be set to true
    during development or debugging. The default is false.

An example Syslog stanza is shown below.

    Syslog {
        Facility: local0;
        MinimumPriority: info;
        ShowFileLocations: false;
    }
Server stanza
The Server stanza is composed of multiple sub-stanzas.

PF sub-stanza
    The PF sub-stanza sets the pf (packet filter) parameters.

    Device: path;
        The path to the pf device. This is normally /dev/pf.

TCP sub-stanza
    Address: ipv4_address;
        The IPv4 address to which we'll bind. This is normally set to the
        address of a private-side interface.

    Port: port_number;
        The port to which we'll bind.

Auth sub-stanza
    mcblockd(8) uses libDwmAuth for authentication of clients. Three files
    are required: a private key file, a public key file and a file
    containing the public keys of clients that will be allowed to access
    mcblockd(8).

    PrivKeyFile: path;
        The path to the file containing the private half of a 2048-bit RSA
        key pair used by mcblockd(8) when authenticating itself to a client.
        This file, and a corresponding public key file with a .pub suffix,
        must be created with dwmauth(1).

    AuthorizedKeysFile: path;
        The path to the file containing the public halves of 2048-bit RSA
        key pairs (one per line) of clients which are allowed access to
        mcblockd(8). These keys must have been created with dwmauth(1).

DwmRDAP sub-stanza
    mcblockd(8) uses dwmrdapd(8) to obtain prefixes and country codes for IP
    addresses. The connection to dwmrdapd(8) must be configured properly in
    order for mcblockd(8) to be used effectively.

    PrivKeyFile: path;
        The path to a file containing the private half of a 2048-bit RSA
        key pair that will be used when authenticating to dwmrdapd(8). The
        corresponding public half of the key must reside in a file with the
        same name but .pub appended. Normally this file is the same as that
        configured in the PrivKeyFile attribute of the Auth sub-stanza.

    KnownServices: path;
        The path to a file containing dwmrdapd's public key. mcblockd(8)
        uses this to authenticate dwmrdapd(8).

    Server: hostname;
        The host where dwmrdapd(8) is running.

DatabaseDirectory: path;
    The directory where mcblockd(8) will store its databases. This must be
    the same directory where you keep your pf table files for pf rules, and
    is hence usually /etc.

An example Server stanza is shown below.

    Server {
        PF { Device: "/dev/pf"; }
        TCP { Address: 10.1.1.1; Port: 1001; }
        Auth {
            PrivKeyFile: "/usr/local/etc/mcblockd/id_rsa";
            AuthorizedKeysFile: "/usr/local/etc/mcblockd/authorized_keys";
        }
        DwmRDAP {
            PrivKeyFile: "/usr/local/etc/mcblockd/id_rsa";
            KnownServices: "/usr/local/etc/mcblockd/known_services";
            Server: "gw1.example.com";
        }
        DatabaseDirectory: "/etc";
    }
AddRules
The AddRules stanza contains rules for adding to the prefix database, on a
per-table basis. Each pf table has its own sub-stanza within the AddRules
stanza, with the sub-stanza named the same as the pf table. Within a table
sub-stanza are rule sub-stanzas containing rules that are matched in
alphabetical order when mcblockd is adding a prefix to the database. The
matching is done against the country code of origin of the IP address,
which is specified in a rule with a regular expression.

Within a rule are the following attributes:

countries: regular_expression;
    A regular expression of country codes to match against the origin of an
    IP address we'd like to add to the database for the pf table.

widestMask: netmask_length;
    The maximum netmask length to apply when adding an IP to the database.
    dwmrdapd(8) may return a very wide mask for a given IP address, and you
    may wish to constrain the width to, say, a /24 instead of adding a huge
    swath of IP addresses.

days: days;
    The number of days to keep the new prefix active in the database (and
    hence the pf table).

logThresh: hit_count;
    This is used by mcblockd(8) when responding to a 'logHit' request (say
    from mcblocklog(1)). mcblockd(8) will not insert the prefix into the
    database until this threshold is exceeded during a period specified by
    logDays.

logDays: days;
    This is used by mcblockd(8) when responding to a 'logHit' request (say
    from mcblocklog(1)). mcblockd(8) will not insert the prefix into the
    database until the threshold (logThresh) is exceeded during this
    period, in days.

An example AddRules stanza is shown below. We have two rulesets
(corresponding to two pf tables), ssh_losers and www_losers.

    AddRules {
        ssh_losers {
            Rule1 { countries: "CA|UM|US|VI";
                    widestMask: 24; days: 30;
                    logThresh: 5; logDays: 7;
            }
            Rule2 { countries: ".*";
                    widestMask: 10; days: 180;
                    logThresh: 1; logDays: 1;
            }
        }
        www_losers {
            Rule1 { countries: "CA|GB|MX|UM|US|VI";
                    widestMask: 24; days: 30;
            }
            Rule2 { countries: "AF|AM|AR|AZ|BA|BG|BH|BO|BR|BZ|CN|CO|CL|HK|HR|"
                               "IQ|IR|KG|KH|KR|KZ|LR|LT|LV|MD|PE|PK|PS|RO|RS|"
                               "RU|SA|SI|SK|SY|TR|UA|UZ|VN";
                    widestMask: 10; days: 90;
            }
            Rule3 { countries: ".*";
                    widestMask: 10; days: 30;
            }
        }
    }
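An added Python example, not mcblockd's own code, of how the rule attributes above combine when a logHit report arrives for an address. It assumes that the first rule in alphabetical name order whose countries regex matches the whole country code wins, and reads "exceeded" as strictly more than logThresh hits within logDays; the rule table is a constructed copy of the ssh_losers sub-stanza above, and match_rule, constrain_prefix and on_log_hit are hypothetical names.

```python
import ipaddress
import re

# Constructed rule table mirroring the ssh_losers sub-stanza on this page; values
# are strings, as a config parser would hand them over. Not mcblockd's own code.
SSH_LOSERS = {
    "Rule2": {"countries": ".*", "widestMask": "10", "days": "180",
              "logThresh": "1", "logDays": "1"},
    "Rule1": {"countries": "CA|UM|US|VI", "widestMask": "24", "days": "30",
              "logThresh": "5", "logDays": "7"},
}

def match_rule(table, country):
    """First rule in alphabetical name order whose countries regex matches the
    two-letter country code (assumption: the whole code must match)."""
    for name in sorted(table):
        if re.fullmatch(table[name]["countries"], country):
            return name, table[name]
    return None, None

def constrain_prefix(ip, rdap_prefix, widest_mask):
    """Never add a prefix wider than widestMask: a /8 from dwmrdapd becomes the
    /24 (say) that contains the offending address."""
    net = ipaddress.ip_network(rdap_prefix, strict=False)
    if net.prefixlen >= widest_mask:
        return str(net)
    return str(ipaddress.ip_network("%s/%d" % (ip, widest_mask), strict=False))

def on_log_hit(table, ip, country, rdap_prefix, hit_ages_days):
    """Decide what a logHit report does: returns (rule, prefix, days) once more
    than logThresh hits have arrived within logDays, else None.
    hit_ages_days: ages in days of the hits seen so far, this one being 0."""
    name, rule = match_rule(table, country)
    if rule is None:
        return None
    recent = [a for a in hit_ages_days if a <= int(rule["logDays"])]
    if len(recent) <= int(rule["logThresh"]):   # "exceeded" read as strictly more
        return None
    prefix = constrain_prefix(ip, rdap_prefix, int(rule["widestMask"]))
    return name, prefix, int(rule["days"])
```

Note that Rule2's ".*" also matches "US", so rule order (Rule1 before Rule2) is what keeps the stricter threshold in force for the listed countries.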
SEE ALSO
mcblocklog(8), mcblockc(1), dwmauth(1), dwmrdapd(8), dwmrdapd.conf(5)

COPYRIGHT
Copyright (c) 2017 Daniel W. McRobb <dwm@mcplex.net>