afctl(8) BSD System Manager's Manual afctl(8)
NAME
afctl -- automatic host blocking
SYNOPSIS
afctl [-v debug_level] [-a ip_address -t ttl] [-w ip_address] [-r ip_address] [-x ip_address] [-c -i interval] [-e] [-d] [-f]
DESCRIPTION
afctl is a tool for temporarily blocking a given IPv4 or IPv6 address using the built-in firewall. All blocking requests have a time to live; they are unblocked when it expires. afctl also maintains a whitelist of addresses that it will not block. All block requests are checked against this list before being added to the blacklist. All the firewall rules managed by afctl are grouped into a rule set to allow for bulk enabling/disabling via -e and -d. The default rule set is 17. afctl also accepts address ranges in CIDR notation, for entry into the whitelist or the blacklist. If invoked with no flags, afctl loops through the blacklist and removes addresses that have exceeded their time to live.

     -v debug_level
             Verbosity; ascending numbers are more verbose. Level 0 is the default; level 1 is basic progress.

     -a ip_address
             Add address to the blacklist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed. An optional -t parameter allows the specification of the time in minutes that the address will remain blocked.

     -r ip_address
             Remove address from the blacklist. It will also be removed from the firewall rules.

     -w ip_address
             Add address to the whitelist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed.

     -x ip_address
             Remove an address from the whitelist. ip_address can be IPv4 or IPv6 in CIDR notation. No DNS names allowed.

     -c -i interval
             Self configure. The afctl tool will query the system configuration and determine the addresses that need to be whitelisted (routers, local interfaces, nameservers). It will also modify its launchd plist to invoke the tool every interval to remove old entries from the blacklist. If -i interval is not specified, then a default value of 15 minutes will be used.

     -d      Disables all firewall rules managed by afctl using a rule set (see the man page for ipfw). Currently ipfw only (ip6fw does not support rule sets).

     -e      Enables the rules disabled by -d (above).

     -f      Forces afctl into a running state (sets the proper key in af.plist and writes out af_state).
EXAMPLE
To set up the whitelist and choose an interval for the blacklist entry aging (as root):

     /usr/libexec/afctl -c -i 10

To add 69.23.0.45 to the blacklist for at least 35 minutes:

     /usr/libexec/afctl -a 69.23.0.45 -t 35

To add the address 17.254.3.183 to the whitelist so it will never be blocked by afctl:

     /usr/libexec/afctl -w 17.254.3.183

To make sure that the blacklist is preserved across reboots, be sure to edit the startup_behavior key in the af.plist config file.
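The man page states two constraints on block requests that are easy to get wrong when afctl is driven from a script: the argument must be a literal address or CIDR range (no DNS names), and anything on the whitelist must never be blocked. The following wrapper is an added example, not part of this man page or of Apple's afctl; it validates the request on the caller's side before handing it to afctl -a. It assumes a constructed, IPv4-only sample whitelist embedded in the script (the on-disk format of /var/db/af/whitelist is not documented here) and defaults to a dry run that only prints the afctl command it would execute; set AFCTL_DRY_RUN=0 and run as root to have it actually call /usr/libexec/afctl.

```shell
#!/bin/sh
# Added example: pre-validate an afctl block request.
# Assumptions (not from the man page): IPv4 only, and a constructed
# whitelist below standing in for /var/db/af/whitelist.
set -f   # no pathname expansion on the unquoted field splits below

AFCTL="${AFCTL:-/usr/libexec/afctl}"

# Constructed sample whitelist, one IPv4 CIDR per line (format is an assumption).
SAMPLE_WHITELIST="127.0.0.0/8
10.0.0.0/8
17.254.3.183/32"

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# is_ip4_cidr ARG: succeeds only for a dotted quad with an optional /0-32
# prefix; DNS names, IPv6 and malformed octets are rejected.
is_ip4_cidr() {
    addr=${1%%/*}
    case "$1" in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;
    esac
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# in_cidr CIDR ADDR: succeeds if the single address ADDR lies inside CIDR.
in_cidr() {
    net=${1%%/*}
    case "$1" in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;
    esac
    mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# whitelisted CIDR: succeeds if the requested range overlaps any whitelist
# entry. Two ranges overlap exactly when one contains the other's base address.
whitelisted() {
    for entry in $SAMPLE_WHITELIST; do
        if in_cidr "$entry" "${1%%/*}" || in_cidr "$1" "${entry%%/*}"; then
            return 0
        fi
    done
    return 1
}

# block_request CIDR [TTL_MINUTES]: validate, then print (and optionally run)
# the afctl command. Returns 1 for a malformed address, 2 for a whitelist hit.
block_request() {
    if ! is_ip4_cidr "$1"; then
        echo "refusing: '$1' is not an IPv4 address or CIDR range (afctl takes no DNS names)" >&2
        return 1
    fi
    if whitelisted "$1"; then
        echo "refusing: $1 overlaps a whitelisted range" >&2
        return 2
    fi
    ttl=${2:-35}
    cmd="$AFCTL -a $1 -t $ttl"
    echo "$cmd"
    [ "${AFCTL_DRY_RUN:-1}" = 1 ] || $cmd
}

# Usage: sh afctl-block.sh 69.23.0.45 35
if [ $# -gt 0 ]; then
    block_request "$@"
fi
```

The overlap test in whitelisted is deliberately symmetric: a request such as 17.254.0.0/16 must be refused because it would swallow the whitelisted host 17.254.3.183, even though the requested network address itself is not on the list.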
FILES
     /usr/libexec/afctl
             The executable

     /etc/af.plist
             The plist formatted config file

     /System/Library/LaunchDaemons/com.apple.afctl.plist
             The launchd plist file for afctl

     /var/run/af_state
             A state file telling afctl what to do when it launches

     /var/db/af/whitelist
             The file used to store the whitelist

     /var/db/af/blacklist
             The file used to store the list of blocked addresses
SEE ALSO
af.plist(5), ipfw(8), ip6fw(8)
Darwin April 15, 2010 Darwin
Mac OS X 10.6 Server - Generated Thu Apr 15 07:12:56 CDT 2010