shorewall_code/Shorewall-docs/blacklisting_support.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Blacklisting Support</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
</h1>
<p>Shorewall supports two different forms of blacklisting; static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of
blacklist filtering:<br>
</p>
<ol>
  <li>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.<br>
  </li>
  <li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
connection requests. Blacklists may not be used to terminate existing
connections.</li>
</ol>
Only the source address is checked against the blacklists.<br>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following
configuration
parameters:</p>
<ul>
  <li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
  <li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
  <li>You list the IP addresses/subnets that you wish to blacklist in <a
 href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and
Port numbers/Service names in the blacklist file.<br>
  </li>
  <li>You specify the interfaces whose incoming packets you want
checked against the blacklist using the "<a
 href="Documentation.htm#Interfaces">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
  <li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
 href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</p>
<ul>
  <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
  <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
  <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
  <li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</li>
  <li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre>     <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
192.0.2.125</p>
<p>Example 2:</p>
<pre>     <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<EFBFBD> <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>