mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-16 03:10:39 +01:00
62 lines
2.9 KiB
HTML
62 lines
2.9 KiB
HTML
|
<html>
|
|||
|
|
|||
|
<head>
|
|||
|
<meta http-equiv="Content-Language" content="en-us">
|
|||
|
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
|||
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
|||
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
|||
|
<title>Blacklisting Support</title>
|
|||
|
<meta name="Microsoft Theme" content="boldstri 011, default">
|
|||
|
</head>
|
|||
|
|
|||
|
<body>
|
|||
|
|
|||
|
<h1 align="center">Blacklisting Support</h1>
|
|||
|
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
|
|||
|
<h2>Static Blacklisting</h2>
|
|||
|
<p>Shorewall
|
|||
|
static blacklisting support has the following configuration parameters:</p>
|
|||
|
<ul>
|
|||
|
<li>You specify whether you want packets from blacklisted hosts dropped or
|
|||
|
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
|||
|
setting in /etc/shorewall/shorewall.conf</li>
|
|||
|
<li>You specify whether you want packets from blacklisted hosts logged and at
|
|||
|
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
|
|||
|
setting in /etc/shorewall/shorewall.conf</li>
|
|||
|
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
|
|||
|
<li>You specify the interfaces whose incoming packets you want checked against
|
|||
|
the blacklist using the "<a href="Documentation.htm#BLInterface">blacklist</a>"
|
|||
|
option in /etc/shorewall/interfaces.</li>
|
|||
|
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a href="Documentation.htm#Starting">shorewall
|
|||
|
refresh</a>" command.</li>
|
|||
|
</ul>
|
|||
|
<h2>Dynamic Blacklisting</h2>
|
|||
|
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
|
|||
|
doesn't use any configuration parameters but is rather controlled using
|
|||
|
/sbin/shorewall commands:</p>
|
|||
|
<ul>
|
|||
|
<li>deny <i><ip address list> </i>- causes packets from the listed IP
|
|||
|
addresses to be silently dropped by the firewall.</li>
|
|||
|
<li>reject <i><ip address list> </i>- causes packets from the listed IP
|
|||
|
addresses to be rejected by the firewall.</li>
|
|||
|
<li>allow <i><ip address list> </i>- re-enables receipt of packets from hosts
|
|||
|
previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
|
|||
|
<li>save - save the dynamic blacklisting configuration so that it will be
|
|||
|
automatically restored the next time that the firewall is restarted.</li>
|
|||
|
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
|||
|
</ul>
|
|||
|
<p>Example 1:</p>
|
|||
|
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
|
|||
|
<p> Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
|
|||
|
<p>Example 2:</p>
|
|||
|
<pre> shorewall allow 192.0.2.125</pre>
|
|||
|
<p> Reenables access from 192.0.2.125.</p>
|
|||
|
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom
|
|||
|
Eastep</a></font></p>
|
|||
|
|
|||
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
|||
|
<EFBFBD> <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
|||
|
|
|||
|
</body>
|
|||
|
|
|||
|
</html>
|