afctl(8)                  BSD System Manager's Manual                 afctl(8)


NAME

     afctl -- automatic host blocking


SYNOPSIS

     afctl [-v debug_level] [-a ip_address [-t ttl]] [-w ip_address]
           [-r ip_address] [-x ip_address] [-c [-i interval]] [-e] [-d] [-f]


DESCRIPTION

     afctl is a tool for temporarily blocking a given IPv4 or IPv6 address
     using the built-in firewall.  All blocking requests have a time to live;
     they are unblocked when it expires.  afctl also maintains a whitelist of
     addresses that it will not block.  All block requests are checked against
     this list before being added to the blacklist.  All the firewall rules
     managed by afctl are grouped into a rule set to allow for bulk
     enabling/disabling via -e and -d.  The default rule set is 17.  afctl also
     accepts address ranges in CIDR notation, for entry into the whitelist or
     the blacklist.  If invoked with no flags, afctl loops through the black-
     list and removes addresses that have exceeded their time to live.

     -v debug_level
              Verbosity; ascending numbers are more verbose.  Level 0 is the
              default; level 1 is basic progress.

     -a ip_address
              Add address to the blacklist.  ip_address can be IPv4 or IPv6 in
              CIDR notation.  No DNS names allowed.  An optional -t parameter
              allows the specification of the time in minutes that the address
              will remain blocked.

     -r ip_address
              Remove address from the blacklist.  It will also be removed from
              the firewall rules.

     -w ip_address
              Add address to the whitelist.  ip_address can be IPv4 or IPv6 in
              CIDR notation.  No DNS names allowed.

     -x ip_address
              Remove an address from the whitelist.  ip_address can be IPv4 or
              IPv6 in CIDR notation.  No DNS names allowed.

     -c [-i interval]
              Self configure.  The afctl tool will query the system configura-
              tion and determine the addresses that need to be whitelisted
              (routers, local interfaces, nameservers).  It will also modify
              its launchd plist to invoke the tool every interval to remove
              old entries from the blacklist.  If -i interval is not specified,
              then a default value of 15 minutes will be used.

     -d       Disables all firewall rules managed by afctl using a rule set
              (see ipfw(8)).  Currently ipfw only; ip6fw does not support rule
              sets.

     -e       Enables the rules disabled by -d (above).

     -f       Forces afctl into a running state (sets the proper key in
              af.plist and writes out af_state).


EXAMPLE

     To set up the whitelist and choose an interval for the blacklist entry
     aging (as root):

           /usr/libexec/afctl -c -i 10

     To add 69.23.0.45 to the blacklist for at least 35 minutes:

           /usr/libexec/afctl -a 69.23.0.45 -t 35

     To add the address 17.254.3.183 to the whitelist so it will never be
     blocked by afctl:

           /usr/libexec/afctl -w 17.254.3.183

     To make sure that the blacklist is preserved across reboots, edit the
     startup_behavior key in the af.plist config file.
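
     The script below is an added example, not part of afctl or of Mac OS X
     Server.  It shows how a practitioner would typically drive afctl: parse
     sshd-style "Failed password ... from ADDR" lines out of a log, count
     failures per source, and hand repeat offenders to "afctl -a ADDR -t TTL".
     Because afctl takes no DNS names, the wrapper validates that every
     candidate is an IPv4 or IPv6 literal (optionally in CIDR notation) before
     invoking the tool.  Only the afctl path is taken from this page (FILES);
     the log line format, the threshold, the TTL and the sample log lines are
     assumptions constructed for the example.  Run "afctl -c" first so that
     routers, local interfaces and nameservers are whitelisted, as described
     above; afctl still checks each request against the whitelist itself.

```shell
#!/bin/sh
# Added example wrapper around afctl(8); not part of Apple's tool.
# Turns sshd-style "Failed password ... from ADDR" log lines into afctl
# block requests and refuses anything that is not an IP literal, since
# afctl accepts no DNS names.  THRESHOLD, TTL_MINUTES, the log format and
# SAMPLE_LOG below are assumptions of this example; AFCTL is the path
# given in the FILES section of afctl(8).

AFCTL="${AFCTL:-/usr/libexec/afctl}"   # executable named in FILES
THRESHOLD="${THRESHOLD:-3}"            # failures before an address is blocked
TTL_MINUTES="${TTL_MINUTES:-60}"       # passed to afctl -t
DRY_RUN="${DRY_RUN:-0}"                # 1: print the afctl command instead

# Constructed sample log (not captured from a real host).
SAMPLE_LOG='Apr 15 07:10:01 host sshd[123]: Failed password for root from 198.51.100.23 port 4001 ssh2
Apr 15 07:10:03 host sshd[123]: Failed password for root from 198.51.100.23 port 4002 ssh2
Apr 15 07:10:05 host sshd[123]: Failed password for admin from 198.51.100.23 port 4003 ssh2
Apr 15 07:10:07 host sshd[124]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Apr 15 07:10:09 host sshd[125]: Accepted publickey for alice from 203.0.113.9 port 5002 ssh2'

# is_ip_literal ADDR: succeed only for an IPv4 or IPv6 literal, optionally
# with a /prefix (CIDR).  Hostnames, zone IDs and shell metacharacters fail.
is_ip_literal() {
  case "$1" in
    ""|*[!0-9A-Fa-f:./]*) return 1 ;;   # empty, or a non-address character
    *:*) return 0 ;;                    # IPv6 (loose check: hex digits and colons)
  esac
  # IPv4: exactly four 0-255 octets, optional /0-32
  _octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  printf '%s\n' "$1" | grep -Eq "^($_octet\.){3}$_octet(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# offenders THRESHOLD: read log lines on stdin; print, sorted and one per
# line, every address with THRESHOLD or more "Failed password" lines.
offenders() {
  awk -v t="$1" '
    /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
    END { for (a in n) if (n[a] >= t) print a }' | sort
}

# block_offenders: read addresses on stdin, validate each, then run
# "afctl -a ADDR -t TTL_MINUTES" (or print the command when DRY_RUN=1).
block_offenders() {
  while read -r addr; do
    if ! is_ip_literal "$addr"; then
      printf 'skipping %s: not an IP literal (afctl takes no DNS names)\n' "$addr" >&2
      continue
    fi
    if [ "$DRY_RUN" = 1 ]; then
      printf '%s -a %s -t %s\n' "$AFCTL" "$addr" "$TTL_MINUTES"
    else
      "$AFCTL" -a "$addr" -t "$TTL_MINUTES"
    fi
  done
}

# Usage:  sh af-block.sh --demo                 # dry run over SAMPLE_LOG
#         sh af-block.sh --apply < sshd.log     # as root; calls afctl
case "${1:-}" in
  --demo)  DRY_RUN=1; printf '%s\n' "$SAMPLE_LOG" | offenders "$THRESHOLD" | block_offenders ;;
  --apply) offenders "$THRESHOLD" | block_offenders ;;
esac
```

     Run with --demo to see the commands the wrapper would issue for the
     sample log (only 198.51.100.23 reaches the threshold of three failures);
     with --apply it reads the real log on stdin and calls afctl, which
     applies its own TTL handling and whitelist check on every request.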


FILES

     /usr/libexec/afctl                            The executable
     /etc/af.plist                                 The plist formatted config
                                                   file
     /System/Library/LaunchDaemons/com.apple.afctl.plist
                                                   The launchd plist file for
                                                   afctl
     /var/run/af_state                             A state file telling afctl
                                                   what to do when it
                                                   launches.
     /var/db/af/whitelist                          The file used to store the
                                                   whitelist
     /var/db/af/blacklist                          The file used to store the
                                                   list of blocked addresses


SEE ALSO

     af.plist(5), ipfw(8), ip6fw(8)

Darwin                          April 15, 2010                          Darwin

Mac OS X 10.6 Server - Generated Thu Apr 15 07:12:56 CDT 2010