shorewall_code/manpages/shorewall-blacklist.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-blacklist</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>blacklist</refname>

    <refpurpose>Shorewall Blacklist file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall/blacklist</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The blacklist file is used to perform static blacklisting. You can
    blacklist by source address (IP or MAC), or by application.</para>

    <para>The columns in the file are as follows.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
          <para>Host address, network address, MAC address, IP address range
          (if your kernel and iptables contain iprange match support) or ipset
          name prefaced by "+" (if your kernel supports ipset match).</para>

          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>

          <para>Example: ~00-A0-C9-15-39-78</para>

          <para>A dash ("-") in this column means that any source address will
          match. This is useful if you want to blacklist a particular
          application using entries in the PROTOCOL and PORTS columns.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
        {<emphasis
        role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>

        <listitem>
          <para>If specified, must be a protocol number or a protocol name
          from protocols(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
        role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

        <listitem>
          <para>May only be specified if the protocol is TCP (6) or UDP (17).
          A comma-separated list of destination port numbers or service names
          from services(5).</para>
        </listitem>
      </varlistentry>
    </variablelist>

    <para>When a packet arrives on an interface that has the <emphasis
    role="bold">blacklist</emphasis> option specified in <ulink
    url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
    source IP address and MAC address is checked against this file and
    disposed of according to the <emphasis
    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
    role="bold">PROTOCOL</emphasis> or <emphasis
    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
    are supplied, only packets matching the protocol (and one of the ports if
    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <para>To block DNS queries from address 192.0.2.126:</para>

          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
        192.0.2.126             udp             53</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 2:</term>

        <listitem>
          <para>To block some of the nuisance applications:</para>

          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
        -                       udp             1024:1033,1434
        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall/blacklist</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para><ulink
    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
</refentry>