From 0e83e105c689bba66ff99b9582ca54b5864b1175 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 3 Oct 2011 12:33:31 -0700 Subject: [PATCH] Implement BLACKLIST section in the rules file Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 9 + Shorewall/Perl/Shorewall/Rules.pm | 48 ++++- Shorewall/configfiles/rules | 1 + docs/blacklisting_support.xml | 323 ++++++++++++++++------------- manpages/shorewall-rules.xml | 78 +++++-- manpages/shorewall.conf.xml | 22 +- manpages6/shorewall6-rules.xml | 47 ++++- manpages6/shorewall6.conf.xml | 28 ++- 8 files changed, 356 insertions(+), 200 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index c84a4c1ac..b4ce47826 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -110,6 +110,7 @@ our %EXPORT_TAGS = ( pop_comment forward_chain rules_chain + blacklist_chain zone_forward_chain use_forward_chain input_chain @@ -1478,6 +1479,13 @@ sub rules_chain ($$) { $renamed{$name} || $name; } +# +# Name of the blacklist chain between an ordered pair of zones +# +sub blacklist_chain($$) { + &rules_chain(@_) . '~'; +} + # # Forward Chain for an interface # @@ -2234,6 +2242,7 @@ sub initialize_chain_table($) { 'NFQUEUE!' => STANDARD + NFQ, 'ADD' => STANDARD + SET, 'DEL' => STANDARD + SET, + 'WHITELIST' => STANDARD ); for my $chain ( qw(OUTPUT PREROUTING) ) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 2d70d3b9d..8110f2812 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -145,7 +145,8 @@ sub initialize( $ ) { # # These are set to 1 as sections are encountered. # - %sections = ( ALL => 0, + %sections = ( BLACKLIST => 0, + ALL => 0, ESTABLISHED => 0, RELATED => 0, NEW => 0 
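Review bot: blacklist_chain depends on the `&rules_chain(@_)` call form to bypass rules_chain's `($$)` prototype (visible in the context line `sub rules_chain ($$)`), and an ampersand call is exactly the kind of thing a later maintainer "cleans up" into `rules_chain(@_)`, which would then fail to compile against that prototype; a one-line comment would protect it: `# '&' call bypasses rules_chain's ($$) prototype so @_ is passed through as a list`. The appended `~` also makes every blacklist chain one character longer than the rules chain it shadows, so if any rules-chain name is already at the iptables chain-name limit the generated ruleset will fail at load time rather than at compile time; nothing in this hunk checks the length, so it is worth confirming that it is validated elsewhere before the name is emitted.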
@@ -744,7 +745,7 @@ sub ensure_rules_chain( $ ) my $chainref = ensure_chain 'filter', $chain; unless ( $chainref->{referenced} ) { - if ( $section eq 'NEW' or $section eq 'DONE' ) { + if ( $section =~/^(NEW|DONE)$/ ) { finish_chain_section $chainref , 'ESTABLISHED,RELATED'; } elsif ( $section eq 'RELATED' ) { finish_chain_section $chainref , 'ESTABLISHED'; @@ -1671,6 +1672,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { my $inaction = ''; my $normalized_target; my $normalized_action; + my $blacklist = $section eq 'BLACKLIST'; ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref; @@ -1737,7 +1739,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { # # We can now dispense with the postfix character # - $action =~ s/[\+\-!]$//; + fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist; # # Handle actions # @@ -1771,8 +1773,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//; } - if ( $inaction ) { - $targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) + if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) { + $targets{$inaction} |= NATRULE if $inaction; + fatal_error "NAT rules are not allowed in the BLACKLIST section" if $blacklist; } # # Take care of irregular syntax and targets @@ -1796,6 +1799,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { } , REJECT => sub { $action = 'reject'; } , CONTINUE => sub { $action = 'RETURN'; } , + WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" if $blacklist; + $action = 'RETURN'; } , COUNT => sub { $action = ''; } , LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } , ); 
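Review bot: The guard on the new WHITELIST dispatch entry is inverted: `$blacklist` is true exactly when `$section eq 'BLACKLIST'`, so `fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" if $blacklist;` aborts compilation in the one section where WHITELIST is permitted and lets it through everywhere else. Outside the BLACKLIST section the entry then behaves exactly like CONTINUE (both just set `$action = 'RETURN'`), so a misplaced whitelist rule is silently accepted instead of being rejected. The line should read `... unless $blacklist;`. process_rule1 starts before and ends after this hunk.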
@@ -1921,7 +1926,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { # # Handle Optimization # - if ( $optimize > 0 ) { + if ( $optimize > 0 && $section eq 'NEW' ) { my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; if ( $loglevel ne '' ) { return 0 if $target eq "${policy}:$loglevel}"; @@ -1937,6 +1942,25 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { # Don't let the rules in this chain be moved elsewhere # dont_move $chainref; + # + # Handle creation of the blacklist chain + # + if ( $blacklist ) { + my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} ); + my $blacklistref = $filter_table->{$blacklistchain}; + + unless ( $blacklistref ) { + my @state; + $blacklistref = new_chain 'filter', $blacklistchain; + @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY}; + add_ijump( $chainref, j => $blacklistref, @state ); + } + + $chain = $blacklistchain; + $chainref = $blacklistref; + } + + dont_move $chainref if $action eq 'RETURN'; } } # @@ -1972,7 +1996,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) { unless ( $section eq 'NEW' || $inaction ) { fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); - $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL'; + $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist; } # 
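Review bot: The state restriction on the jump into the blacklist chain is the security property of the whole section and deserves a comment: with BLACKLISTNEWONLY set, `@state = state_imatch( 'NEW,INVALID' )` means an address added to the BLACKLIST section is never applied to a flow that is already ESTABLISHED (or RELATED) when the firewall is reloaded, which presumably is the intent but is easy to miss from the code alone. Suggested comment above the add_ijump: `# BLACKLISTNEWONLY: only NEW/INVALID packets are diverted to the blacklist chain; existing ESTABLISHED/RELATED flows are not cut off by a reload`. Whether RELATED should also be diverted is worth confirming, since the manpage text in this commit says "NEW and INVALID" while the shorewall.conf(5) text says "new connections". Minor style point: `${sourcezone}` and `${destzone}` are just `$sourcezone` and `$destzone`; the braces suggest interpolation that is not happening. process_rule1 continues outside this hunk.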
@@ -2264,13 +2288,15 @@ sub process_section ($) { fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; $sections{$sect} = 1; - if ( $sect eq 'ESTABLISHED' ) { - $sections{ALL} = 1; + if ( $sect eq 'ALL' ) { + $sections{BLACKLIST} = 1; + } elsif ( $sect eq 'ESTABLISHED' ) { + $sections{'BLACKLIST','ALL'} = ( 1, 1); } elsif ( $sect eq 'RELATED' ) { - @sections{'ALL','ESTABLISHED'} = ( 1, 1); + @sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1); finish_section 'ESTABLISHED'; } elsif ( $sect eq 'NEW' ) { - @sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); + @sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); } diff --git a/Shorewall/configfiles/rules b/Shorewall/configfiles/rules index ca0f874b5..e6b6e7812 100644 --- a/Shorewall/configfiles/rules +++ b/Shorewall/configfiles/rules @@ -9,6 +9,7 @@ ###################################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH # PORT PORT(S) DEST LIMIT GROUP +#SECTION BLACKLIST #SECTION ALL #SECTION ESTABLISHED #SECTION RELATED diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index ca761f5da..9e7e3b0dd 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -48,9 +48,10 @@
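Review bot: `$sections{'BLACKLIST','ALL'} = ( 1, 1);` in the ESTABLISHED branch is missing the slice sigil: with `$` it is a single hash element keyed by the multi-dimensional emulation key `'BLACKLIST' . $; . 'ALL'`, and the list on the right collapses to 1 in scalar context, so neither `$sections{BLACKLIST}` nor `$sections{ALL}` is set (the pre-change `$sections{ALL} = 1;` was correct as a single key). The `Duplicate or out of order SECTION` check on the line above therefore does not fire for a `SECTION BLACKLIST` or `SECTION ALL` that appears after `SECTION ESTABLISHED`, and those rules would presumably be compiled after the established-traffic rules instead of being rejected. It should be `@sections{'BLACKLIST','ALL'} = ( 1, 1 );`, matching the RELATED and NEW branches in the same hunk.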
Introduction - Shorewall supports two different forms of blacklisting; static and - dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf - controls the degree of blacklist filtering: + Shorewall supports two different types of blackliisting; rule-based, + static and dynamic. The BLACKLISTNEWONLY option in + /etc/shorewall/shorewall.conf controls the degree of blacklist + filtering: @@ -62,10 +63,28 @@ BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate - existing connections. Only the source address is checked against the - blacklists. + existing connections. +
+ +
+ Rule-based Blacklisting + + Beginning with Shorewall 4.4.25, the preferred method of + blacklisting and whitelisting is to use the BLACKLIST section of the rules + file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST + actions, standard and custom macros as well as standard and custom + actions. See shorewall-rules (5). +
+ +
+ Legacy Blacklisting + + Prior to 4.4.25, two forms of blacklisting were supported; static + and dynamic. The dynamic variety is still appropriate for on the fly + blacklisting; the static form is deprecated. By default, only the source address is @@ -96,191 +115,197 @@ load, and will have a very negative effect on firewall performance. -
-
- Static Blacklisting +
+ Static Blacklisting - Shorewall static blacklisting support has the following - configuration parameters: + Shorewall static blacklisting support has the following + configuration parameters: - - - You specify whether you want packets from blacklisted hosts - dropped or rejected using the BLACKLIST_DISPOSITION setting in shorewall.conf(5). - + + + You specify whether you want packets from blacklisted hosts + dropped or rejected using the BLACKLIST_DISPOSITION setting in + shorewall.conf(5). + - - You specify whether you want packets from blacklisted hosts - logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in shorewall.conf(5). - + + You specify whether you want packets from blacklisted hosts + logged and at what syslog level using the BLACKLIST_LOGLEVEL setting + in shorewall.conf(5). + - - You list the IP addresses/subnets that you wish to blacklist in - shorewall-blacklist - (5). You may also specify PROTOCOL and Port numbers/Service names in - the blacklist file. - + + You list the IP addresses/subnets that you wish to blacklist + in shorewall-blacklist + (5). You may also specify PROTOCOL and Port numbers/Service names in + the blacklist file. + - - You specify the interfaces whose incoming packets you want - checked against the blacklist using the blacklist - option in shorewall-interfaces(5) - (shorewall-zones(5) - in Shorewall 4.4.12 and later). - - + + You specify the interfaces whose incoming packets you want + checked against the blacklist using the blacklist + option in shorewall-interfaces(5) + (shorewall-zones(5) in + Shorewall 4.4.12 and later). + + - Users with a large static black list may want to set the - DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version - 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections - before loading the blacklist rules. 
While this may allow connections from - blacklisted hosts to slip by during construction of the blacklist, it can - substantially reduce the time that all new connections are disabled during - "shorewall [re]start". + Prior to Shorewall 4.4.20, only source-address static blacklisting + was supported. - Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's - an example: + Users with a large static black list may want to set the + DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version + 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new + connections before loading the blacklist rules. While this may allow + connections from blacklisted hosts to slip by during construction of the + blacklist, it can substantially reduce the time that all new connections + are disabled during "shorewall [re]start". - #ADDRESS/SUBNET PROTOCOL PORT + Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's + an example: + + #ADDRESS/SUBNET PROTOCOL PORT +Blacklistports[dst] +Blacklistnets[src,dst] +Blacklist[src,dst] #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - In this example, there is a portmap ipset - Blacklistports that blacklists all traffic with - destination ports included in the ipset. There are also - Blacklistnets (type nethash) and - Blacklist (type iphash) ipsets - that allow blacklisting networks and individual IP addresses. Note that - [src,dst] is specified so that individual entries in the sets can be bound - to other portmap ipsets to allow blacklisting (source - address, destination port) combinations. - For example: + In this example, there is a portmap ipset + Blacklistports that blacklists all traffic with + destination ports included in the ipset. There are also + Blacklistnets (type nethash) + and Blacklist (type iphash) + ipsets that allow blacklisting networks and individual IP addresses. 
+ Note that [src,dst] is specified so that individual entries in the sets + can be bound to other portmap ipsets to allow blacklisting + (source address, destination + port) combinations. For example: - ipset -N SMTP portmap --from 1 --to 31 + ipset -N SMTP portmap --from 1 --to 31 ipset -A SMTP 25 ipset -A Blacklist 206.124.146.177 ipset -B Blacklist 206.124.146.177 -b SMTP - This will blacklist SMTP traffic from host 206.124.146.177. -
+ This will blacklist SMTP traffic from host 206.124.146.177. +
-
- Static Whitelisting +
+ Static Whitelisting - Beginning with Shorewall 4.4.20, you can create - whitelist entries in the blacklist file. - Connections/packets matching a whitelist entry are not matched against the - entries in the blacklist file that follow. Whitelist entries are created - using the whitelist option (OPTIONS - column). See shorewall-blacklist - (5). -
+ Beginning with Shorewall 4.4.20, you can create + whitelist entries in the blacklist file. + Connections/packets matching a whitelist entry are not matched against + the entries in the blacklist file that follow. Whitelist entries are + created using the whitelist option + (OPTIONS column). See shorewall-blacklist + (5). +
-
- Dynamic Blacklisting +
+ Dynamic Blacklisting - Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by - setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. - Prior to that release, the feature is always enabled. + Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by + setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. + Prior to that release, the feature is always enabled. - Once enabled, dynamic blacklisting doesn't use any configuration - parameters but is rather controlled using /sbin/shorewall[-lite] commands. - Note that to and from may - only be specified when running Shorewall 4.4.12 or - later. + Once enabled, dynamic blacklisting doesn't use any configuration + parameters but is rather controlled using /sbin/shorewall[-lite] + commands. Note that to and from may + only be specified when running Shorewall 4.4.12 or + later. - - - drop [to|from] <ip address list> - - causes packets from the listed IP addresses to be silently dropped by - the firewall. - + + + drop [to|from] <ip address list> - + causes packets from the listed IP addresses to be silently dropped + by the firewall. + - - reject [to|from]<ip address list> - - causes packets from the listed IP addresses to be rejected by the - firewall. - + + reject [to|from]<ip address list> - + causes packets from the listed IP addresses to be rejected by the + firewall. + - - allow [to|from] <ip address list> - - re-enables receipt of packets from hosts previously blacklisted by a - drop or reject - command. - + + allow [to|from] <ip address list> - + re-enables receipt of packets from hosts previously blacklisted by a + drop or reject + command. + - - save - save the dynamic blacklisting configuration so that it - will be automatically restored the next time that the firewall is - restarted. + + save - save the dynamic blacklisting configuration so that it + will be automatically restored the next time that the firewall is + restarted. 
- Update: Beginning with - Shorewall 4.4.10, the dynamic blacklist is automatically retained over - stop/start sequences and over - restart. - + Update: Beginning with + Shorewall 4.4.10, the dynamic blacklist is automatically retained + over stop/start sequences and over + restart. + - - show dynamic - displays the dynamic blacklisting - configuration. - + + show dynamic - displays the dynamic blacklisting + configuration. + - - logdrop [to|from] <ip address list> - - causes packets from the listed IP addresses to be dropped and logged - by the firewall. Logging will occur at the level specified by the - BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at - the 'info' level if no BLACKLIST_LOGLEVEL was given). - + + logdrop [to|from] <ip address list> + - causes packets from the listed IP addresses to be dropped and + logged by the firewall. Logging will occur at the level specified by + the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will + be at the 'info' level if no BLACKLIST_LOGLEVEL was given). + - - logreject [to|from}<ip address list> - - causes packets from the listed IP addresses to be rejected and - logged by the firewall. Logging will occur at the level specified by - the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be - at the 'info' level if no BLACKLIST_LOGLEVEL was given). - - + + logreject [to|from}<ip address + list> - causes packets from the listed IP addresses to + be rejected and logged by the firewall. Logging will occur at the + level specified by the BLACKLIST_LOGLEVEL setting at the last + [re]start (logging will be at the 'info' level if no + BLACKLIST_LOGLEVEL was given). + + - Dynamic blacklisting is not dependent on the - blacklist option in - /etc/shorewall/interfaces. + Dynamic blacklisting is not dependent on the + blacklist option in + /etc/shorewall/interfaces. 
- - Ignore packets from a pair of systems + + Ignore packets from a pair of systems - shorewall[-lite] drop 192.0.2.124 192.0.2.125 + shorewall[-lite] drop 192.0.2.124 192.0.2.125 - Drops packets from hosts 192.0.2.124 and 192.0.2.125 - + Drops packets from hosts 192.0.2.124 and 192.0.2.125 + - - Re-enable packets from a system + + Re-enable packets from a system - shorewall[-lite] allow 192.0.2.125 + shorewall[-lite] allow 192.0.2.125 - Re-enables traffic from 192.0.2.125. - + Re-enables traffic from 192.0.2.125. + - - Displaying the Dynamic Blacklist + + Displaying the Dynamic Blacklist - shorewall show dynamic + shorewall show dynamic - Displays the 'dynamic' chain which contains rules for the dynamic - blacklist. The source column contains the set of - blacklisted addresses. - + Displays the 'dynamic' chain which contains rules for the + dynamic blacklist. The source column contains + the set of blacklisted addresses. + +
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index d941e79af..d49190ada 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -46,11 +46,25 @@ Sections are as follows and must appear in the order listed: + + BLACKLIST + + + This section was added in Shorewall 4.4.25. Rules in this + section are applied depending on the setting of BLACKLISTNEWONLY in + shorewall.conf(5). If + BLACKLISTNEWONLY=No, then they are applied regardless of the + connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, + they are applied to connections in the NEW and INVALID + states. + + + ALL - This section was added in Shorewall 4.4.23. rules in this + This section was added in Shorewall 4.4.23. Rules in this section are applied, regardless of the connection tracking state of the packet. @@ -101,14 +115,15 @@ comfortable with the differences between the various connection tracking states, then it is suggested that you omit the ESTABLISHED and RELATED sections and place all of your rules in - the NEW section (That's after the line that reads SECTION NEW'). + role="bold">RELATED sections and place all of your + non-blacklisting rules in the NEW section (That's after the line that + reads SECTION NEW'). If you specify FASTACCEPT=Yes in shorewall.conf(5) then the ESTABLISHED and BLACKLIST, ALL, ESTABLISHED and RELATED sections must be empty. @@ -171,7 +186,8 @@ role="bold">DNAT[-] or REDIRECT[-] rules + role="bold">-] rules. Not available in the + BLACKLIST section. @@ -181,7 +197,9 @@ like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). Not + available in the BLACKLIST + section. @@ -191,7 +209,9 @@ Added in Shorewall 4.4.20. Audited versions of ACCEPT, ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support - in the kernel and iptables. + in the kernel and iptables. A_ACCEPT+ and A_ACCEPT! are not + available in the BLACKLIST + section. 
@@ -202,7 +222,8 @@ Excludes the connection from any subsequent DNAT[-] or REDIRECT[-] rules but doesn't generate - a rule to accept the traffic. + a rule to accept the traffic. Not available in the BLACKLIST section. @@ -220,7 +241,10 @@ like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). Not + available in the BLACKLIST + section. Not available in the BLACKLIST section. @@ -230,7 +254,10 @@ Added in Shorewall 4.4.20. Audited versions of DROP and DROP! respectively. Require AUDIT_TARGET support in the kernel - and iptables. + and iptables. A_DROP! is not available in the BLACKLIST section. A_DROP! is not + available in the BLACKLIST + section. @@ -249,7 +276,9 @@ like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). Not + available in the BLACKLIST + section. @@ -259,7 +288,8 @@ Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! respectively. Require AUDIT_TARGET support in the - kernel and iptables. + kernel and iptables. A_REJECT! is not available in the + BLACKLIST section. @@ -281,7 +311,8 @@ Like DNAT but only generates the DNAT iptables rule and not the companion ACCEPT rule. + role="bold">ACCEPT rule. Not available in the + BLACKLIST section. @@ -303,7 +334,8 @@ Like REDIRECT but only generates the REDIRECT iptables rule and not the companion ACCEPT rule. + role="bold">ACCEPT rule. Not available in the + BLACKLIST section. @@ -331,7 +363,9 @@ like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). Not + available in the BLACKLIST + section. @@ -360,7 +394,9 @@ like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall.conf(5). + url="shorewall.conf.html">shorewall.conf(5). Not + available in the BLACKLIST + section. 
@@ -497,6 +533,16 @@ rule, it is passed on to the next rule. + + + WHITELIST + + + Added in Shorewall 4.4.25. May only appear in the + BLACKLIST section and exempts + the packet from following rules in that section. + + The target may optionally be diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index c878622f6..8d1d3abe5 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -330,6 +330,10 @@ A_DROP and A_REJECT are audited versions of DROP and REJECT respectively and were added in Shorewall 4.4.20. They require AUDIT_TARGET in the kernel and iptables. + + The BLACKLIST_DISPOSITION setting has no effect on entries in + the BLACKLIST section of shorewall-rules (5). @@ -343,7 +347,9 @@ logged at. Its value is a syslog level (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not - logged. + logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in + the BLACKLIST section of shorewall-rules (5). @@ -354,11 +360,15 @@ When set to Yes or yes, blacklists are only consulted for new - connections. When set to No or - no, blacklists are consulted for - every packet (will slow down your firewall noticably if you have - large blacklists). If the BLACKLISTNEWONLY option is not set or is - set to the empty value then BLACKLISTNEWONLY=No is assumed. + connections. That includes entries in the BLACKLIST section of + shorewall-rules (5). + + + When set to No or no, blacklists are consulted for every packet + (will slow down your firewall noticably if you have large + blacklists). If the BLACKLISTNEWONLY option is not set or is set to + the empty value then BLACKLISTNEWONLY=No is assumed. BLACKLISTNEWONLY=No is incompatible with diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml index ce9ecbc85..c73a7dd66 100644 --- a/manpages6/shorewall6-rules.xml +++ b/manpages6/shorewall6-rules.xml 
@@ -39,6 +39,20 @@ Sections are as follows and must appear in the order listed: + + BLACKLIST + + + This section was added in Shorewall 4.4.25. Rules in this + section are applied depending on the setting of BLACKLISTNEWONLY in + shorewall.conf(5). If + BLACKLISTNEWONLY=No, then they are applied regardless of the + connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, + they are applied to connections in the NEW and INVALID + states. + + + ALL @@ -157,7 +171,9 @@ like ACCEPT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. @@ -167,7 +183,8 @@ Added in Shorewall 4.4.20. Audited versions of ACCEPT and ACCEPT! respectively. Require AUDIT_TARGET support in the - kernel and ip6tables. + kernel and ip6tables. A_ACCEPT! is not available in the + BLACKLIST section. @@ -185,7 +202,9 @@ like DROP but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. @@ -195,7 +214,8 @@ Added in Shorewall 4.4.20. Audited versions of DROP and DROP! respectively. Require AUDIT_TARGET support in the kernel - and ip6tables. + and ip6tables. A_DROP! is not available in the BLACKLIST section. @@ -214,7 +234,9 @@ like REJECT but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. @@ -224,7 +246,8 @@ Added in Shorewall 4.4.20. Audited versions of REJECT and REJECT! respectively. Require AUDIT_TARGET support in the - kernel and ip6tables. + kernel and ip6tables. A_REJECT! is not available in the + BLACKLIST section. @@ -252,7 +275,9 @@ like CONTINUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. 
@@ -281,7 +306,9 @@ like QUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. @@ -313,7 +340,9 @@ like NFQUEUE but exempts the rule from being suppressed by OPTIMIZE=1 in shorewall6.conf(5). + url="shorewall6.conf.html">shorewall6.conf(5). Not + available in the BLACKLIST + section. diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index ede211abb..cc5bba148 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -261,7 +261,10 @@ blacklisted hosts. It may have the value DROP if the packets are to be dropped or REJECT if the packets are to be replied with an ICMP port unreachable reply or a TCP RST (tcp only). If you do not assign - a value or if you assign an empty value then DROP is assumed. + a value or if you assign an empty value then DROP is assumed. The + BLACKLIST_DISPOSITION setting has no effect on entries in the + BLACKLIST section of shorewall6-rules (5). @@ -275,7 +278,9 @@ logged at. Its value is a syslog level (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value then packets from blacklisted hosts are not - logged. + logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in + the BLACKLIST section of shorewall6-rules (5). 
@@ -286,11 +291,15 @@ When set to Yes or yes, blacklists are only consulted for new - connections. When set to No or - no, blacklists are consulted for - every packet (will slow down your firewall noticably if you have - large blacklists). If the BLACKLISTNEWONLY option is not set or is - set to the empty value then BLACKLISTNEWONLY=No is assumed. + connections. This includes entries in the BLACKLIST section of + shorewall6-rules + (5). + + When set to No or no, blacklists are consulted for every packet + (will slow down your firewall noticably if you have large + blacklists). If the BLACKLISTNEWONLY option is not set or is set to + the empty value then BLACKLISTNEWONLY=No is assumed. BLACKLISTNEWONLY=No is incompatible with @@ -1691,8 +1700,9 @@ net all DROP infothen the chain name is 'net2all' shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), - shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5), - shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), + shorewall6-nat(5), shorewall6-netmap(5), + shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), + shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),