2008-12-11 01:03:00 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-12-11 20:24:34 +01:00
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2008-12-11 01:03:00 +01:00
|
|
|
<refentry>
|
|
|
|
<refmeta>
|
2008-12-11 20:24:34 +01:00
|
|
|
<refentrytitle>shorewall6-blacklist</refentrytitle>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
<refname>blacklist</refname>
|
|
|
|
|
2008-12-11 20:24:34 +01:00
|
|
|
<refpurpose>shorewall6 Blacklist file</refpurpose>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<cmdsynopsis>
|
2008-12-11 20:24:34 +01:00
|
|
|
<command>/etc/shorewall6/blacklist</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
</cmdsynopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
<para>The blacklist file is used to perform static blacklisting. You can
|
|
|
|
blacklist by source address (IP or MAC), or by application.</para>
|
|
|
|
|
|
|
|
<para>The columns in the file are as follows.</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
|
|
|
|
role="bold">-</emphasis>|<emphasis
|
|
|
|
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
|
|
|
|
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Host address, network address, MAC address, IP address range
|
2010-03-16 17:42:50 +01:00
|
|
|
(if your kernel and ip6tables contain iprange match support) or
|
|
|
|
ipset name prefaced by "+" (if your kernel supports ipset
|
|
|
|
match).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<para>MAC addresses must be prefixed with "~" and use "-" as a
|
|
|
|
separator.</para>
|
|
|
|
|
|
|
|
<para>Example: ~00-A0-C9-15-39-78</para>
|
|
|
|
|
|
|
|
<para>A dash ("-") in this column means that any source address will
|
|
|
|
match. This is useful if you want to blacklist a particular
|
|
|
|
application using entries in the PROTOCOL and PORTS columns.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
|
|
|
|
{<emphasis
|
|
|
|
role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If specified, must be a protocol number or a protocol name
|
|
|
|
from protocols(5).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
|
|
|
|
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
|
|
|
|
|
|
|
|
<listitem>
|
2010-03-16 17:42:50 +01:00
|
|
|
<para>May only be specified if the protocol is TCP (6), UDP (17),
|
|
|
|
DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
|
|
|
|
destination port numbers or service names from services(5).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2010-08-11 02:33:50 +02:00
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>OPTIONS (Optional - Added in Shorewall 4.4.12) -
|
|
|
|
{-|to|from|}</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If specified, indicates whether traffic <option>to</option> or
|
|
|
|
<option>from</option> the ADDRESS/SUBNET should be blacklisted. The
|
|
|
|
default is <emphasis role="bold">from</emphasis>. If the
|
|
|
|
ADDRESS/SUBNET column is empty, then this column has no effect on
|
|
|
|
the generated rule.</para>
|
|
|
|
|
|
|
|
<note>
|
|
|
|
<para>Blacklisting is still restricted to traffic
|
|
|
|
<emphasis>arriving</emphasis> on an interface that has the
|
|
|
|
'blacklist' option set. So to block traffic from your local
|
|
|
|
network to an internet host, you must specify
|
|
|
|
<option>blacklist</option> on your internal interface in <ulink
|
|
|
|
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
|
|
|
|
(5).</para>
|
|
|
|
</note>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
2008-12-11 01:03:00 +01:00
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>When a packet arrives on an interface that has the <emphasis
|
|
|
|
role="bold">blacklist</emphasis> option specified in <ulink
|
2008-12-11 20:24:34 +01:00
|
|
|
url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
|
2008-12-11 01:03:00 +01:00
|
|
|
source IP address and MAC address is checked against this file and
|
|
|
|
disposed of according to the <emphasis
|
|
|
|
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
|
|
|
|
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
|
2008-12-11 20:24:34 +01:00
|
|
|
url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
|
2008-12-11 01:03:00 +01:00
|
|
|
role="bold">PROTOCOL</emphasis> or <emphasis
|
|
|
|
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
|
|
|
|
are supplied, only packets matching the protocol (and one of the ports if
|
|
|
|
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Example</title>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 1:</term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-11 20:24:34 +01:00
|
|
|
<para>To block DNS queries from address
|
|
|
|
fe80::2a0:ccff:fedb:31c4:</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
2008-12-11 20:24:34 +01:00
|
|
|
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
|
|
|
fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>Example 2:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>To block some of the nuisance applications:</para>
|
|
|
|
|
|
|
|
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
|
|
|
|
- udp 1024:1033,1434
|
|
|
|
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>FILES</title>
|
|
|
|
|
2008-12-11 20:24:34 +01:00
|
|
|
<para>/etc/shorewall6/blacklist</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See ALSO</title>
|
|
|
|
|
|
|
|
<para><ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
2008-12-11 20:24:34 +01:00
|
|
|
|
|
|
|
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
|
|
|
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
|
|
|
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
|
|
|
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
|
|
|
shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
|
|
|
|
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
|
|
|
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refsect1>
|
|
|
|
</refentry>
|