<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
|
|
<refentry>
|
|
|
|
<refmeta>
|
|
|
|
<refentrytitle>shorewall-blrules</refentrytitle>
|
|
|
|
|
|
|
|
<manvolnum>5</manvolnum>
<refmiscinfo>Configuration Files</refmiscinfo>
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
<refname>blrules</refname>
|
|
|
|
|
|
|
|
<refpurpose>shorewall Blacklist file</refpurpose>
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<cmdsynopsis>
<command>/etc/shorewall[6]/blrules</command>
</cmdsynopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
<para>This file is used to perform blacklisting and whitelisting.</para>
<para>Whether, and to which packets, the rules in this file are applied depends on the setting of BLACKLIST
|
|
|
|
in <ulink
|
|
|
|
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="/manpages/shorewall-rules.html">shorewall-rules
|
|
|
|
(5)</ulink>. The difference in the two files lies in the ACTION (first)
|
|
|
|
column.</para>
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">ACTION- {<emphasis
role="bold">ACCEPT</emphasis>|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
role="bold">WHITELIST</emphasis>|<emphasis
role="bold">LOG</emphasis>|<emphasis
|
|
|
|
role="bold">QUEUE</emphasis>|<emphasis role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]|<emphasis
|
|
|
|
role="bold">NFQUEUE</emphasis>[<emphasis
|
|
|
|
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
|
|
|
|
role="bold">)</emphasis>]<emphasis
role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
|
|
|
|
role="bold">)</emphasis>]}<emphasis
|
|
|
|
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
|
|
|
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
|
|
|
role="bold">!</emphasis></emphasis>][<emphasis
|
|
|
|
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Specifies the action to be taken if the packet matches the
|
|
|
|
rule. Must be one of the following.</para>
|
|
|
|
|
|
|
|
<variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Added in Shorewall 4.5.3. This is actually a macro that
|
|
|
|
expands as follows:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>If BLACKLIST_LOGLEVEL is specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5),
|
|
|
|
then the macro expands to <emphasis
role="bold">blacklog</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Otherwise it expands to the action specified for
|
|
|
|
BLACKLIST_DISPOSITION in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">blacklog</emphasis></term>
<listitem>
|
|
|
|
<para>May only be used if BLACKLIST_LOGLEVEL is specified in
<ulink url="/manpages/shorewall.conf.html">shorewall.conf
|
|
|
|
</ulink>(5). Logs, audits (if specified) and applies the
BLACKLIST_DISPOSITION specified in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
|
|
|
|
(5).</para>
</listitem>
|
|
|
|
</varlistentry>
<varlistentry>
|
|
|
|
<term><emphasis
|
|
|
|
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Exempt the packet from the remaining rules in this
file. Note that this only ends blacklist processing for the packet; it
does not, by itself, accept the packet, which remains subject to the
normal rules and policies (see <ulink
url="/manpages/shorewall-rules.html">shorewall-rules</ulink>(5)).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">DROP</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Silently discard the packet; no response is sent to the sender.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
<term>A_DROP</term>
<listitem>
<para>Audited version of DROP. Requires AUDIT_TARGET support
in the kernel and in iptables (IPv4) or ip6tables (IPv6).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">REJECT</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Disallow the packet and return an ICMP unreachable or a
TCP RST packet to the sender.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>A_REJECT</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Audited version of REJECT. Requires AUDIT_TARGET support
in the kernel and in iptables (IPv4) or ip6tables (IPv6).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">LOG</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Simply log the packet and continue with the next
|
|
|
|
rule.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">QUEUE</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Queue the packet to a user-space application such as
|
|
|
|
ftwall (http://p2pwall.sf.net). The application may reinsert
|
|
|
|
the packet for further processing.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis
|
|
|
|
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
|
|
|
|
|
|
|
<listitem>
<para>queues matching packets to a back end logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">NFQUEUE</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
zero (0) is assumed. Be aware that, by default, the kernel drops
packets queued to a queue number on which no application is
listening.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
<term><emphasis role="bold">?COMMENT</emphasis></term>
<listitem>
<para>The rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
|
|
|
|
comment will appear delimited by "/* ... */" in the output of
"shorewall show <chain>". To stop the comment from being
attached to further rules, simply include ?COMMENT on a line
|
|
|
|
by itself.</para>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis>action</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The name of an <emphasis>action</emphasis> declared in
|
|
|
|
<ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
|
|
|
or in /usr/share/shorewall/actions.std.</para>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis>macro</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The name of a macro defined in a file named
|
|
|
|
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
|
|
|
action parameter (Look at the macro source to see if it has
|
|
|
|
PARAM in the TARGET column) then the
|
|
|
|
<emphasis>macro</emphasis> name is followed by the
|
|
|
|
parenthesized <emphasis>target</emphasis> (<emphasis
|
|
|
|
role="bold">ACCEPT</emphasis>, <emphasis
|
|
|
|
role="bold">DROP</emphasis>, <emphasis
|
|
|
|
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
|
|
|
parameter.</para>
|
|
|
|
|
|
|
|
<para>Example: FTP(ACCEPT).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
|
|
|
|
followed by ":" and a syslog log level (e.g, REJECT:info or
|
|
|
|
Web(ACCEPT):debug). This causes the packet to be logged at the
|
|
|
|
specified level.</para>
|
|
|
|
|
|
|
|
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
|
|
|
<emphasis>action</emphasis> declared in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5)
|
|
|
|
or in /usr/share/shorewall/actions.std then:</para>
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>If the log level is followed by "!" then all rules in the
|
|
|
|
action are logged at the log level.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>If the log level is not followed by "!" then only those
|
|
|
|
rules in the action that do not specify logging are logged at
|
|
|
|
the specified level.</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The special log level <emphasis
|
|
|
|
role="bold">none!</emphasis> suppresses logging by the
|
|
|
|
action.</para>
|
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
|
|
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
|
|
|
|
(must be in upper case) as a log level. This will log to the NFLOG
|
|
|
|
target for routing to a separate log through use of ulogd (<ulink
|
|
|
|
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
|
|
|
|
|
|
|
<para>Actions specifying logging may be followed by a log tag (a
|
|
|
|
string of alphanumeric characters) which is appended to the string
|
|
|
|
generated by the LOGPREFIX (in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
|
|
|
|
<para>For the remaining columns, see <ulink
url="/manpages/shorewall-rules.html">shorewall-rules (5)</ulink>.</para>
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
<title>Examples</title>
<variablelist>
|
|
|
|
<varlistentry>
<term>IPv4 Example 1:</term>
<listitem>
<para>Drop all packets arriving from the net whose source address is in
203.0.113.0/24.</para>

<programlisting>DROP net:203.0.113.0/24 all</programlisting>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
<term>IPv4 Example 2:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Don't subject packets from 198.51.100.0/24 to the remaining
rules in the file.</para>

<programlisting>WHITELIST net:198.51.100.0/24 all</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>IPv6 Example 1:</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Drop Teredo packets from the net.</para>
|
|
|
|
|
|
|
|
<programlisting>DROP net:[2001::/32] all</programlisting>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>IPv6 Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
|
|
|
|
rules in the file.</para>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>FILES</title>
|
|
|
|
|
|
|
|
<para>/etc/shorewall/blrules</para>
<para>/etc/shorewall6/blrules</para>
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See Also</title>
|
|
|
|
|
|
|
|
<para><ulink
url="/blacklisting_support.htm">http://www.shorewall.net/blacklisting_support.htm</ulink></para>
<para><ulink
url="/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8)</para>
</refsect1>
|
|
|
|
</refentry>
|