Setting up NetBSD Blacklistd


Much better IN THEORY than fail2ban and sshguard, as the daemon talks to it directly

Warning - you need to do that BEFORE your server goes to production, as it required two additional kernel modules which you cannot load in securelevel 1


You need NPF to be up and running already, but there’s specifics - you need to tweak NPF for Blacklistd accordingly

ls -lF /libexec/blacklistd-helper
cp -pi /usr/share/examples/blacklist/npf.conf /etc/
vi /etc/npf.conf

set bpf.jit off;
#set bpf.jit on;
alg "icmp"

group "external" on wm0 {
        ruleset "blacklistd" 
        pass final all

group default {
        pass final all

block in final from <blacklist>


Also logging apparently needs to be enabled

ifconfig npflog0 create
cat /etc/ifconfig.npflog0
echo create > /etc/ifconfig.npflog0


see what’s enabled so far

modstat | egrep "npf|jit"

got npf ones but you need to add those

modload bpfjit
modload sljit

cat >> /etc/modules.conf << EOF

cat /etc/rc.conf
echo modules=yes >> /etc/rc.conf

Other requirements

sysctl -a | grep net.bpf
echo $((1048576 * 4))
sysctl -w net.bpf.jit=1
sysctl -w net.bpf.maxbufsize=4194304
echo net.bpf.jit=1 >> /etc/sysctl.conf
echo net.bpf.maxbufsize=4194304 >> /etc/sysctl.conf
cat /etc/sysctl.conf

Overall Setup

cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf.dist
cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf
vi /etc/blacklistd.conf

# adr/mask:port type    proto   owner           name    nfail   disable

wm0:XXX         *       *       *               *       3       6h
wm0:25          *       *       postfix         *       3       6h
wm0:465         *       *       postfix         *       3       6h 
wm0:587         *       *       postfix         *       3       6h 
wm0:53          *       *       _nsd            *       3       12h
wm0:*           *       *       *               *       3       60 


chmod 400 /etc/npf.conf /etc/npf_blacklist /etc/blacklistd.conf

ls -lF /dev/bpf /dev/npf

ls -lF /etc/npf_blacklist
touch /etc/npf_blacklist

Ready to go

echo npf=yes >> /etc/rc.conf
echo npfd=yes >> /etc/rc.conf
echo blacklistd=yes >> /etc/rc.conf
echo blacklistd_flags=-r >> /etc/rc.conf

#npfctl flush
#npfctl reload
service npfd restart
service npf reload
#service npf restart

service blacklistd restart

not sure postfix needs to be restarted entirely

postfix stop    
postfix start


postfix status

npfctl show

ls -lF /var/db/blacklistd.db
ls -lF /var/run/blacklistd.sock
blacklistctl dump -a
blacklistctl dump -ab
#-r -w

cat /etc/npf_blacklist

gives e.g.

        address/ma:port id      nfail   last access 4       3/3     2019/11/17 21:31:57         1/3     2019/11/17 20:15:45


Blacklistd by Christos Zoulas

blacklistd – block and release ports on demand to avoid DoS abuse

blacklistd.conf – configuration file format for blacklistd

blacklistctl – display and change the state of blacklistd

staffan / unblacklist


blacklistd support for dovecot

Loading NetBSD kernel modules


How to use blacklistd(8) with NPF as a fail2ban replacement

Blacklistd: A new approach to blocking attackers

FreeBSD and blacklistd


Feature suggestion: hook support for specific events?

new signature: postfix smtp auth

[SSHGuard-users] New Attack Signature