Unfortunately, there were a few bugs in the binaries and scripts related to blacklistd in FreeBSD 11.0-RELEASE. All known problems in 11.0-RELEASE have been addressed in 11.1-RELEASE.
A tarball of the fixed binaries for the 11.0-RELEASE (for amd64 machines) is available here: http://people.freebsd.org/~lidl/fbsd11_blacklist_updates.tar.xz
tar tf fbsd11_blacklist_updates.tar.xz
etc/periodic/security/520.pfdenied
usr/include/blacklist.h
usr/lib/libblacklist.a
usr/lib/libblacklist_p.a
usr/lib/libblacklist.so.0
usr/lib/libblacklist.so
usr/lib/debug/usr/lib/libblacklist.so.0.debug
usr/lib/debug/usr/libexec/ftpd.debug
usr/lib/debug/usr/sbin/blacklistctl.debug
usr/lib/debug/usr/sbin/blacklistd.debug
usr/lib/debug/usr/sbin/sshd.debug
usr/libexec/blacklistd-helper
usr/libexec/ftpd
usr/sbin/blacklistctl
usr/sbin/blacklistd
usr/sbin/sshd
usr/share/man/man3/libblacklist.3.gz
usr/share/man/man3/blacklist_open.3.gz
usr/share/man/man3/blacklist_close.3.gz
usr/share/man/man3/blacklist.3.gz
usr/share/man/man3/blacklist_r.3.gz
usr/share/man/man3/blacklist_sa.3.gz
usr/share/man/man3/blacklist_sa_r.3.gz
usr/share/man/man5/ftpchroot.5.gz
usr/share/man/man5/sshd_config.5.gz
usr/share/man/man8/blacklistctl.8.gz
usr/share/man/man8/blacklistd.8.gz
usr/share/man/man8/ftpd.8.gz
usr/share/man/man8/sshd.8.gz
blacklistctl dump -b
address/ma:port id nfail last access
blacklistctl dump
address/ma:port id nfail last access
blacklistd_enable="YES"
blacklistd_flags="-r"
sshd_flags="-o UseBlacklist=yes"
pf_enable="YES"
ext_if=gem0
anchor "blacklistd/*" in on $ext_if
for p in 22 25 587
do
    pfctl -a blacklistd/$p -sr -v 2> /dev/null
done
block drop in quick proto tcp fromto any port = ssh
  [ Evaluations: 4135 Packets: 47 Bytes: 2756 States: 0 ]
  [ Inserted: uid 0 pid 81869 State Creations: 0 ]
block drop in quick proto tcp from to any port = smtp
  [ Evaluations: 4088 Packets: 130 Bytes: 6540 States: 0 ]
  [ Inserted: uid 0 pid 2835 State Creations: 0 ]
block drop in quick proto tcp from to any port = submission
  [ Evaluations: 3958 Packets: 6 Bytes: 296 States: 0 ]
  [ Inserted: uid 0 pid 4301 State Creations: 0 ]
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_allowservices="any"
firewall_myservices="ssh smtp http https"
echo "ipfw_offset=4000" > /etc/ipfw-blacklist.rc
The ipfw system needs to have rule numbers, and the blacklistd-helper script defaults to 2000+port_number for each of the rules that it inserts.
It creates a named table (e.g. port22), inserts the bad actors into that table, and creates a rule like the following for ssh:
ipfw -q add 2022 drop tcp from table(port22) to any dst-port 22
The filtering rules get added as needed, and IP addresses get inserted/deleted into the tables as needed. The rules are never deleted, but it should be low-cost to check an empty table.
If you have followed the general rules of having the ultimate deny/pass rules near the end of the 64K range of rules, you'll be OK by just touching the /etc/ipfw-blacklist.rc file to turn it on. The file is sourced by the invoking shell, so if you need a different offset than 2000 for the rules, you can do something like:
echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc
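Before picking an offset, it helps to confirm that offset+port lands on a free rule number below the ultimate deny/pass rule. The script below is an added example, not part of blacklistd-helper: the function names and the sample ruleset are constructed for illustration, and it assumes the highest explicit rule in the listing is the ultimate deny/pass rule.

```sh
#!/bin/sh
# Added example (not blacklistd-helper itself): preflight check of the ipfw
# rule numbers described above, where rule number = ipfw_offset + port.

# Constructed sample of `ipfw list` output; on a live host use "$(ipfw list)".
SAMPLE_RULES='00100 allow ip from any to any via lo0
02025 allow tcp from 192.0.2.0/24 to me dst-port 25
03000 allow tcp from any to me dst-port 22,25,587 setup
65000 deny ip from any to any
65535 deny ip from any to any'

# rule_num OFFSET PORT: the rule number used for PORT's drop rule.
rule_num() {
    echo $(( $1 + $2 ))
}

# final_rule RULES: highest explicit rule number, assumed here to be the
# ultimate deny/pass rule (65535 is ipfw's built-in default rule).
final_rule() {
    echo "$1" | awk '{ n = $1 + 0 }
        n < 65535 && n > max { max = n }
        END { print max + 0 }'
}

# check_port OFFSET PORT RULES: prints one of
#   range      number falls outside 1..65534
#   late       number is not below the ultimate deny/pass rule
#   collision  number already holds a rule that is not the port's drop rule
#   ok         number is free, or already holds the table(portN) drop rule
check_port() {
    num=$(rule_num "$1" "$2")
    if [ "$num" -lt 1 ] || [ "$num" -gt 65534 ]; then echo range; return; fi
    if [ "$num" -ge "$(final_rule "$3")" ]; then echo late; return; fi
    echo "$3" | awk -v n="$num" -v t="table(port$2)" '
        ($1 + 0) == n && index($0, t) == 0 { bad = 1 }
        END { print (bad ? "collision" : "ok") }'
}

# Report for the ports used on this page, with the default offset of 2000.
for port in 22 25 587; do
    printf '%s -> rule %s: %s\n' "$port" "$(rule_num 2000 "$port")" \
        "$(check_port 2000 "$port" "$SAMPLE_RULES")"
done
```

With the constructed ruleset, port 25 collides at rule 2025 under the default offset, and moving to an offset of 4000 clears it.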