From 3f3e59f0edfa9adb4465b7d82c8df02ac3bedc25 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Dec 2003 19:27:27 +0000 Subject: [PATCH] Convert blacklisting_support.htm to Docbook XML git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@978 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/blacklisting_support.htm | 91 -------------- Shorewall-docs/blacklisting_support.xml | 156 ++++++++++++++++++++++++ 2 files changed, 156 insertions(+), 91 deletions(-) delete mode 100644 Shorewall-docs/blacklisting_support.htm create mode 100644 Shorewall-docs/blacklisting_support.xml diff --git a/Shorewall-docs/blacklisting_support.htm b/Shorewall-docs/blacklisting_support.htm deleted file mode 100644 index f21c88ed9..000000000 --- a/Shorewall-docs/blacklisting_support.htm +++ /dev/null @@ -1,91 +0,0 @@ - - - - - - - - Blacklisting Support - - -

Shorewall Blacklisting Support
-

-

Shorewall supports two different forms of blacklisting; static and -dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY -option in /etc/shorewall/shorewall.conf controls the degree of -blacklist filtering:
-

-
    -
  1. BLACKLISTNEWONLY=No --  All incoming packets are checked -against the blacklist. New blacklist entries can be used to terminate -existing connections. Versions of Shorewall prior to 1.4.8 behave in -this manner.
    -
  2. -
  3. BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new -connection requests. Blacklists may not be used to terminate existing -connections.
  4. -
-Only the source address is checked against the blacklists.
-

Static Blacklisting

-

Shorewall static blacklisting support has the following -configuration -parameters:

- -

Dynamic Blacklisting

-

Dynamic blacklisting support was added in version 1.3.2. Dynamic -blacklisting doesn't use any configuration parameters but is rather -controlled using /sbin/shorewall commands:

- -Dynamic blacklisting is not dependent on the "blacklist" option -in /etc/shorewall/interfaces.
-

Example 1:

-
     shorewall drop 192.0.2.124 192.0.2.125
-

    Drops packets from hosts 192.0.2.124 and -192.0.2.125

-

Example 2:

-
     shorewall allow 192.0.2.125
-

    Reenables access from 192.0.2.125.

-

Last updated 11/14/2003 - Tom -Eastep

-

Copyright2002, 2003 Thomas M. Eastep.

-
-
-
-
-
- - diff --git a/Shorewall-docs/blacklisting_support.xml b/Shorewall-docs/blacklisting_support.xml new file mode 100644 index 000000000..6126fec4f --- /dev/null +++ b/Shorewall-docs/blacklisting_support.xml @@ -0,0 +1,156 @@ + + +
+ + Shorewall Blacklisting Support + + + + Tom + + Eastep + + + + 2003-11-14 + + + 2002-2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + +
+ Introduction + + Shorewall supports two different forms of blacklisting; static and + dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY + option in /etc/shorewall/shorewall.conf controls the degree of blacklist + filtering: + + + + BLACKLISTNEWONLY=No --  All incoming packets are checked + against the blacklist. New blacklist entries can be used to terminate + existing connections. Versions of Shorewall prior to 1.4.8 behave in + this manner. + + + + BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for + new connection requests. Blacklists may not be used to terminate + existing connections. Only the source address is checked against the + blacklists. + + + + Only the source address is checked against the blacklists. +
+ +
+ Static Blacklisting + + Shorewall static blacklisting support has the following + configuration parameters: + + + + You specify whether you want packets from blacklisted hosts + dropped or rejected using the BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf. + + + + You specify whether you want packets from blacklisted hosts + logged and at what syslog level using the BLACKLIST_LOGLEVEL setting + in /etc/shorewall/shorewall.conf. + + + + You list the IP addresses/subnets that you wish to blacklist in + /etc/shorewall/blacklist. + Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL + and Port numbers/Service names in the blacklist file. + + + + You specify the interfaces whose incoming packets you want + checked against the blacklist using the "blacklist" option in + /etc/shorewall/interfaces. + + + + The black list is refreshed from /etc/shorewall/blacklist by the + "shorewall + refresh" command. + + +
+ +
+ Dynamic Blacklisting + + Dynamic blacklisting support was added in version 1.3.2. Dynamic + blacklisting doesn't use any configuration parameters but is rather + controlled using /sbin/shorewall commands: + + + + drop <ip address list> - causes + packets from the listed IP addresses to be silently dropped by the + firewall. + + + + reject <ip address list> - causes + packets from the listed IP addresses to be rejected by the firewall. + + + + allow <ip address list> - + re-enables receipt of packets from hosts previously blacklisted by a + drop or reject command. + + + + save - save the dynamic blacklisting configuration so that it + will be automatically restored the next time that the firewall is + restarted. + + + + show dynamic - displays the dynamic blacklisting configuration. + + + + Dynamic blacklisting is not dependent on the "blacklist" + option in /etc/shorewall/interfaces. + + + Ingore packets from a pair if systems + + shorewall drop 192.0.2.124 192.0.2.125 + + Drops packets from hosts 192.0.2.124 and 192.0.2.125 + + + + Re-enable packetes from a system + + shorewall allow 192.0.2.125 + + Re-enables traffic from 192.0.2.125. + +
+
\ No newline at end of file
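Review bot: deleting blacklisting_support.htm outright leaves any existing links to the .htm page dangling, and the diffstat shows only two files touched, so nothing in this patch retargets cross-references (index pages, other documents) that point at blacklisting_support.htm. Either update those references in the same commit or leave a stub .htm that points readers at the page generated from the new XML. The "Last updated 11/14/2003" and "Copyright2002, 2003 Thomas M. Eastep" lines being removed here do carry over into the new file's articleinfo (2003-11-14, 2002-2003), so no metadata is lost; the "Copyright2002" rendering in the old file was missing a space, which the XML version fixes.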
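Review bot: the sentence "Only the source address is checked against the blacklists." appears twice in the Introduction section of the new file, once at the end of the BLACKLISTNEWONLY=Yes list item and again as the paragraph after the list; the .htm being replaced stated it once, after the list, where it applies to both settings, so drop the copy inside the list item. The two example titles carry typos: "Ingore packets from a pair if systems" should read "Ignore packets from a pair of systems" and "Re-enable packetes from a system" should read "Re-enable packets from a system". The doubled space in "BLACKLISTNEWONLY=No --  All" is carried over from the HTML and should be a single space. Finally, the file is added without a trailing newline ("\ No newline at end of file"); add one so later diffs against this file stay clean.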