afctl(8) BSD System Manager's Manual afctl(8)
NAME
afctl -- automatic host blocking
SYNOPSIS
afctl [-v debug_level] [-a ip_address [-t ttl]] [-w ip_address]
[-r ip_address] [-x ip_address] [-c [-i interval]] [-e] [-d] [-f]
DESCRIPTION
afctl is a tool for temporarily blocking a given IPv4 or IPv6 address
using the built-in firewall. Every blocking request carries a time to
live; the address is unblocked once it expires. afctl also maintains a
whitelist of addresses that it will never block; every block request is
checked against this list before it is added to the blacklist. All the
firewall rules managed by afctl are grouped into a rule set so that they
can be enabled or disabled in bulk with -e and -d. The default rule set
is 17. Addresses given to afctl, for either the whitelist or the
blacklist, may also be ranges in CIDR notation. If invoked with no
flags, afctl walks the blacklist and removes every address whose time
to live has expired.
-v debug_level
Verbosity; higher numbers are more verbose. Level 0 is the
default, level 1 reports basic progress.
-a ip_address
Add an address to the blacklist. ip_address may be an IPv4 or
IPv6 address or a CIDR range. DNS names are not accepted. The
optional -t parameter gives the time, in minutes, that the
address will remain blocked.
-r ip_address
Remove an address from the blacklist. The corresponding firewall
rule is removed as well.
-w ip_address
Add an address to the whitelist. ip_address may be an IPv4 or
IPv6 address or a CIDR range. DNS names are not accepted.
-x ip_address
Remove an address from the whitelist. ip_address may be an IPv4
or IPv6 address or a CIDR range. DNS names are not accepted.
-c [-i interval]
Self configure. afctl queries the system configuration and
determines the addresses that must be whitelisted (routers,
local interfaces, nameservers). It also rewrites its launchd
plist so that the tool is invoked every interval minutes to
remove expired entries from the blacklist. If -i interval is not
given, a default of 15 minutes is used.
-d Disable all firewall rules managed by afctl by disabling their
rule set (see ipfw(8)). This acts on ipfw only: ip6fw does not
support rule sets, so IPv6 blocks are not affected by -d.
-e Re-enable the rules disabled by -d (above).
-f Force afctl into the running state (sets the proper key in
af.plist and writes out af_state).
EXAMPLE
To set up the whitelist and choose an interval for the blacklist entry
aging (as root)
/usr/libexec/afctl -c -i 10
To add 69.23.0.45 to the blacklist for at least 35 minutes
/usr/libexec/afctl -a 69.23.0.45 -t 35
To add the address 17.254.3.183 to the whitelist so it will never be
blocked by afctl
/usr/libexec/afctl -w 17.254.3.183
To make sure that the blacklist is preserved across reboots, edit the
startup_behavior key in the af.plist config file.
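The following is an added example, not part of afctl or of the Apple
tooling this page documents. Because afctl accepts only literal
addresses or CIDR ranges and rejects DNS names, a wrapper that feeds it
addresses (for example from a log-watching job) should validate its input
first. The script below checks the literal, checks the CIDR prefix
length against the address family, requires a positive ttl, and builds
the afctl -a command line. The path of the executable is taken from the
FILES section; the function names and the AFCTL variable are this
example's own.

```sh
#!/bin/sh
# Added example (not part of afctl): validate an address before handing
# it to afctl. AFCTL defaults to the path listed under FILES.
AFCTL=${AFCTL:-/usr/libexec/afctl}

# is_ipv4 ADDR : succeed if ADDR is a dotted quad with every octet 0-255.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, or an empty octet
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR : succeed if ADDR looks like an IPv6 literal: hex digits
# and colons only, at most one "::", eight groups when "::" is absent.
# Coarse, but enough to tell a literal from a host name.
is_ipv6() {
    addr=$1
    case "$addr" in
        *[!0-9a-fA-F:]*|*:::*) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    rest=${addr#*::}
    if [ "$rest" != "$addr" ]; then        # contains "::"
        case "$rest" in *::*) return 1 ;; esac   # a second "::" is invalid
        return 0
    fi
    stripped=$(printf '%s' "$addr" | tr -d ':')
    colons=$(( ${#addr} - ${#stripped} ))
    [ "$colons" -eq 7 ]
}

# is_literal ADDR : succeed if ADDR is an IPv4/IPv6 address or a CIDR
# range whose prefix length fits the address family (<=32 or <=128).
is_literal() {
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        if is_ipv4 "$addr"; then max=32
        elif is_ipv6 "$addr"; then max=128
        else return 1
        fi
        [ "$prefix" -le "$max" ]
    else
        is_ipv4 "$1" || is_ipv6 "$1"
    fi
}

# afctl_block_cmd ADDR TTL_MINUTES : print the afctl command that blocks
# ADDR for TTL_MINUTES minutes; exit status 2 on invalid input.
afctl_block_cmd() {
    if ! is_literal "$1"; then
        echo "afctl_block: not an IP literal or CIDR range: $1" >&2
        return 2
    fi
    case "$2" in ''|*[!0-9]*) echo "afctl_block: ttl must be minutes" >&2; return 2 ;; esac
    [ "$2" -gt 0 ] || { echo "afctl_block: ttl must be positive" >&2; return 2; }
    printf '%s -a %s -t %s\n' "$AFCTL" "$1" "$2"
}

# afctl_block ADDR TTL_MINUTES : validate, then actually run afctl (as root).
afctl_block() {
    cmd=$(afctl_block_cmd "$@") || return $?
    $cmd
}
```

afctl_block_cmd only prints the command, which makes the validation easy
to test without root; afctl_block runs it. Note that the entry is aged
out by the periodic afctl run configured with -c -i, so a block lasts at
least ttl minutes and up to ttl plus one interval.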
FILES
/usr/libexec/afctl                              The executable
/etc/af.plist                                   The plist formatted config file
/System/Library/LaunchDaemons/com.apple.afctl.plist
                                                The launchd plist file for afctl
/var/run/af_state                               A state file telling afctl what
                                                to do when it launches
/var/db/af/whitelist                            The file used to store the
                                                whitelist
/var/db/af/blacklist                            The file used to store the list
                                                of blocked addresses
SEE ALSO
af.plist(5), ipfw(8), ip6fw(8)
Darwin April 15, 2010 Darwin
Mac OS X 10.6 Server - Generated Thu Apr 15 07:12:56 CDT 2010
