
This manual page is associated with Mac OS X Server. It is not available on standard Mac OS X (client) installations.




afctl(8)                  BSD System Manager's Manual                 afctl(8)

NAME
     afctl -- automatic host blocking

SYNOPSIS
     afctl [-v debug_level] [-a ip_address -t ttl] [-w ip_address] [-r ip_address] [-x ip_address]
           [-c -i interval] [-e] [-d] [-f]

DESCRIPTION
     afctl is a tool for temporarily blocking a given IPv4 or IPv6 address using the built-in firewall.  All
     blocking requests have a time to live; they are unblocked when it expires.  afctl also maintains a
     whitelist of addresses that it will not block.  Every block request is checked against this list before
     being added to the blacklist.  All the firewall rules managed by afctl are grouped into a rule set to
     allow for bulk enabling/disabling via -e and -d.  The default rule set is 17.  afctl also accepts address
     ranges in CIDR notation, for entry into either the whitelist or the blacklist.  If invoked with no flags,
     afctl loops through the blacklist and removes addresses that have exceeded their time to live.

     -v debug_level
              Verbosity; ascending numbers are more verbose.  Level 0 is the default; level 1 reports basic
              progress.

     -a ip_address
              Add address to the blacklist.  ip_address can be IPv4 or IPv6, optionally in CIDR notation.  No
              DNS names are allowed.  The optional -t parameter specifies the time in minutes that the
              address will remain blocked.

     -r ip_address
              Remove address from the blacklist.  It will also be removed from the firewall rules.

     -w ip_address
              Add address to the whitelist.  ip_address can be IPv4 or IPv6, optionally in CIDR notation.  No
              DNS names are allowed.

     -x ip_address
              Remove an address from the whitelist.  ip_address can be IPv4 or IPv6, optionally in CIDR
              notation.  No DNS names are allowed.

     -c [-i interval]
              Self configure.  afctl queries the system configuration and determines the addresses that need
              to be whitelisted (routers, local interfaces, nameservers).  It also modifies its launchd plist
              so that the tool is invoked every interval minutes to remove expired entries from the
              blacklist.  If -i interval is not specified, a default of 15 minutes is used.

     -d       Disables all firewall rules managed by afctl, using the rule set (see ipfw(8)).  Currently ipfw
              only: ip6fw does not support rule sets, so IPv6 rules are not affected by -d and -e.

     -e       Enables the rules disabled by -d (above).

     -f       Forces afctl into a running state (sets the proper key in af.plist and writes out af_state).

EXAMPLE
     To set up the whitelist and choose an interval for blacklist entry aging (as root):

           /usr/libexec/afctl -c -i 10

     To add 69.23.0.45 to the blacklist for at least 35 minutes:

           /usr/libexec/afctl -a 69.23.0.45 -t 35

     To add the address 17.254.3.183 to the whitelist so it will never be blocked by afctl:

           /usr/libexec/afctl -w 17.254.3.183

     To make sure that the blacklist is preserved across reboots, edit the startup_behavior key in the
     af.plist config file.
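     The two checks described above (a block request is tested against a whitelist that may contain CIDR
     ranges before it reaches the blacklist, and blacklist entries carry a time to live that a periodic
     sweep enforces) can be modelled in plain POSIX sh.  The script below is an added example, not afctl's
     own code: it handles IPv4 only, uses a constructed whitelist and a fixed clock instead of
     /var/db/af/whitelist and the system time, and the names in_cidr, whitelisted, block and expire are
     this example's own.

```shell
#!/bin/sh
# Added example: a POSIX sh model of afctl's whitelist-before-blacklist check
# and TTL-based expiry. IPv4 only; afctl itself also handles IPv6.

# ip_to_int 10.0.0.5 -> 167772165 (dotted quad to 32-bit integer)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR CIDR: succeed if ADDR falls within CIDR (a bare address is /32)
in_cidr() {
    addr=$(ip_to_int "$1")
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # no "/": single host
    net=$(ip_to_int "$net")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Constructed sample whitelist, one entry per line as in /var/db/af/whitelist.
WHITELIST="127.0.0.1
192.168.1.0/24
10.0.0.0/8"

# whitelisted ADDR: succeed if any whitelist entry covers ADDR
whitelisted() {
    for entry in $WHITELIST; do
        in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Blacklist: "address expiry_epoch" lines, held in a variable for the example.
BLACKLIST=""

# block ADDR TTL_MIN NOW: add ADDR unless whitelisted; expiry = NOW + TTL minutes
block() {
    case $1 in
        *[!0-9.]*) echo "not an IPv4 address (no DNS names): $1" >&2; return 1 ;;
    esac
    if whitelisted "$1"; then
        echo "refusing to block whitelisted $1" >&2
        return 1
    fi
    BLACKLIST="$BLACKLIST
$1 $(( $3 + $2 * 60 ))"
    return 0
}

# expire NOW: print the addresses still alive at NOW (what the periodic sweep keeps)
expire() {
    printf '%s\n' "$BLACKLIST" | while read -r addr exp; do
        [ -n "$addr" ] && [ "$exp" -gt "$1" ] && printf '%s\n' "$addr"
    done
}

# Demonstration with a fixed clock (epoch seconds) so the run is reproducible.
NOW=1000000
block 69.23.0.45 35 "$NOW"
block 10.200.3.4 35 "$NOW"          # refused: covered by 10.0.0.0/8
echo "alive now:";        expire "$NOW"
echo "alive in 40 min:";  expire $(( NOW + 40 * 60 ))
```

     The whitelist is consulted before anything is written, which is the property that matters: a self-
     configured whitelist (afctl -c) is what keeps an attacker from getting the router, a nameserver or the
     host's own interfaces blocked by spoofing or provoking failed logins from those addresses.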

FILES
     /usr/libexec/afctl                            The executable
     /etc/af.plist                                 The plist formatted config file
     /System/Library/LaunchDaemons/com.apple.afctl.plist
                                                   The launchd plist file for afctl
     /var/run/af_state                             A state file telling afctl what to do when it launches.
     /var/db/af/whitelist                          The file used to store the whitelist
     /var/db/af/blacklist                          The file used to store the list of blocked addresses

SEE ALSO
     af.plist(5), ipfw(8), ip6fw(8)

Darwin                           April 2, 2008                          Darwin
