Diff

Differences From Artifact [abf8dcfcd1]:

To Artifact [9f4a5474fc]:


11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
I. NOTES
	*NOTE* This document may very will be inaccurate, if at all possible
	you should refer to
		http://wiki.duskglow.com/index.php/Packetbl
	for authoritative information.

II. PREREQUISITES
	1. Dot.conf (required)
		Dot.conf is used to handle the configuration data and is
		required for PacketBL to operate.  It can be obtained from:
			http://www.azzit.de/dotconf/
		Dot.conf uses "Apache-style" configuration files so logical
		hierarchal configuration files can be used.

	2. iptables (required)
		Iptables' library "ipq" (IP Queuing library) is required, it
		provides the necessary hooks to allow PacketBL to accept
		packets from the QUEUE target and process them.

	3. FireDNS (optional)







|
<
<
<
<
<







11
12
13
14
15
16
17
18





19
20
21
22
23
24
25
I. NOTES
	*NOTE* This document may very will be inaccurate, if at all possible
	you should refer to
		http://wiki.duskglow.com/index.php/Packetbl
	for authoritative information.

II. PREREQUISITES
	1. libconfig (required)






	2. iptables (required)
		Iptables' library "ipq" (IP Queuing library) is required, it
		provides the necessary hooks to allow PacketBL to accept
		packets from the QUEUE target and process them.

	3. FireDNS (optional)
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
		d. --with-stats-socket=/path/to/socket
			This option allows one to specify the path to the UNIX
			domain socket that is used for communications between
			the PacketBL daemon and the "packetbl_getstat" process.
			Default is /tmp/.packetbl.sock.

IV. CONFIGURATION
	1. The configuration file (packetbl.conf) is in "Apache-style" format.
	   An example configuration file might look something like this:
		<host>
			BlackListBL     dnsbl.sorbs.net
			BlackListBL     relay.ordb.org
			WhiteList       127.0.0.0/8
		</host>
		FallthroughAccept      yes
		AllowNonPort25         no
		AllowNonSyn            no
		DryRun                 no
		CacheSize              8192
		CacheTTL               3600
		LogFacility            daemon
		Quiet                  no

	2. Explanation of configuration elements:
		a. <host>
			This element begins the HOST section of the
			configuration.  You must define your Blacklists DNS
			RBLs and Whitelist addresses in the HOST section.
		b. BlackListBL dnsbl.sorbs.net
			The "BlackListBL" element defines a DNS RBL which is
			checked to determine whether or not packets are
			dropped.  This particular example configures
			"dnsbl.sorbs.net" as an RBL to use.
		c. WhiteList 127.0.0.0/8
			The "WhiteList" element defines a range in (CIDR
			format) of IP address to always accept and never check
			the configured "BlackListBL" elements.  You should
			usually leave at least "127.0.0.0/8" there for safety.
		d. FallthroughAccept yes
			The "FallthroughAccept" element tells PacketBL how to
			handle packets that are neither listed in a configured
			DNS RBL ("BlackListBL" element) nor match a configured
			whitelist ("WhiteList" element).  Usually you should
			leave this as "yes" (the default).
		e. AllowNonPort25 no
			The "AllowNonPort25" element controls whether or not
			PacketBL will examine packets that are passed it that
			do not have a "Destination Port" of 25 (SMTP).  This
			is probably not something you want, leaving it "no"
			is safe.  Enabling this and mis-configuring your
			iptables configuration could cause a LOT of load on the
			configured DNS RBLs and may cause you to lose access to
			them!
		f. AllowNonSyn no
			The "AllowNonSyn" element controls whether or not
			PacketBL will examine packets that are passed it that
			do not have the SYN flag set (i.e, incoming TCP
			connections). This is probably not something you want,
			leaving it "no" is safe.  Enabling this and
			mis-configuring your iptables configuration could cause
			a LOT of load on the configured DNS RBLs and may cause
			you to lose access to them!
		g. DryRun no
			The "DryRun" element controls whether or not PacketBL
			actually rejects (DROPs) the packets that match a
			configured DNS RBL.  Setting this to "yes" will cause
			all packets to be ACCEPTed.  The default is "no"
			which causes normal operation.
		h. CacheSize 8192
			The "CacheSize" element determines the size of the
			cache (in entries, not bytes or bits) if cache has
			been enabled at compile time.  A setting of "0" causes
			caching to be disabled.  The largest reasonable value
			is currently 21675, anything above that will be wasted.
		i. CacheTTL 3600
			The "CacheTTL" element determines the length of time
			(in seconds) that cached entries are considered valid.
			Once an entry is looked up through a configured DNS RBL
			it will not need to be looked up again until after its
			"Time To Live" has been exceeded.
		j. LogFacility daemon
			The "LogFacility" element controls which syslog facility
			PacketBL sends its information to.  The default is
			probably fine for most people.
		k. Quiet no
			The "Quiet" element controls whether PacketBL writes
			a message to syslog() every time it accepts or rejects
			a packet.  The safe choice (and default) is "no"
			meaning that PacketBL writes a message to syslog about
			every packet.

V. COMMAND LINE ARGUMENTS
	1. PacketBL supports a minimal number of command line arguments, since
	   most configuration should be done in the configuration file (see
	   previous section).  The following is a complete list of supported
	   command line arguments:
		a. "-q"







<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







53
54
55
56
57
58
59















60



































































61
62
63
64
65
66
67
		d. --with-stats-socket=/path/to/socket
			This option allows one to specify the path to the UNIX
			domain socket that is used for communications between
			the PacketBL daemon and the "packetbl_getstat" process.
			Default is /tmp/.packetbl.sock.

IV. CONFIGURATION















	To be replaced.  A sample config file is provided.




































































V. COMMAND LINE ARGUMENTS
	1. PacketBL supports a minimal number of command line arguments, since
	   most configuration should be done in the configuration file (see
	   previous section).  The following is a complete list of supported
	   command line arguments:
		a. "-q"