mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-21 02:08:48 +02:00
Add BLACKLIST action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
e6933f4c8d
commit
9c3a82f628
39
Shorewall/Actions/action.BLACKLIST
Normal file
39
Shorewall/Actions/action.BLACKLIST
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
#
|
||||||
|
# Shorewall - /usr/share/shorewall/action.BLACKLIST
|
||||||
|
#
|
||||||
|
# This action:
|
||||||
|
#
|
||||||
|
# - Adds the sender to the dynamic blacklist ipset
|
||||||
|
# - Optionally acts on the packet (default is DROP)
|
||||||
|
#
|
||||||
|
# Parameters:
|
||||||
|
#
|
||||||
|
# 1 - Action to take after adding the packet. Default is DROP.
|
||||||
|
# Pass -- if you don't want to take any action.
|
||||||
|
# 2 - Timeout for ipset entry. Default is the timeout specified in
|
||||||
|
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
|
||||||
|
#
|
||||||
|
###############################################################################
|
||||||
|
?if ! "$SW_DBL_IPSET"
|
||||||
|
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
|
||||||
|
?endif
|
||||||
|
|
||||||
|
DEFAULTS DROP,-
|
||||||
|
|
||||||
|
#ACTION SOURCE DEST PROTO DPORT SPORT
|
||||||
|
#
|
||||||
|
# Add to the blacklist
|
||||||
|
#
|
||||||
|
?if passed(@2)
|
||||||
|
ADD($SW_DBL_IPSET:src:@2)
|
||||||
|
?elsif $SW_DBL_TIMEOUT
|
||||||
|
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
|
||||||
|
?else
|
||||||
|
ADD($SW_DBL_IPSET:src)
|
||||||
|
?endif
|
||||||
|
#
|
||||||
|
# Dispose of the packet if asked
|
||||||
|
#
|
||||||
|
?if passed(@1)
|
||||||
|
@1
|
||||||
|
?endif
|
||||||
@ -6312,6 +6312,8 @@ sub get_configuration( $$$$ ) {
|
|||||||
$config{ACCOUNTING_TABLE} = 'filter';
|
$config{ACCOUNTING_TABLE} = 'filter';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
|
||||||
|
|
||||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||||
if ( $val =~ /^ipset/ ) {
|
if ( $val =~ /^ipset/ ) {
|
||||||
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
||||||
@ -6352,6 +6354,9 @@ sub get_configuration( $$$$ ) {
|
|||||||
|
|
||||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||||
|
|
||||||
|
$variables{SW_DBL_IPSET} = $set;
|
||||||
|
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
@ -6359,6 +6364,8 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
add_variables( %variables );
|
||||||
|
|
||||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||||
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
|
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
|
||||||
default_yes_no 'COMPLETE' , '';
|
default_yes_no 'COMPLETE' , '';
|
||||||
|
|||||||
@ -9,44 +9,45 @@
|
|||||||
# Builtin Actions are:
|
# Builtin Actions are:
|
||||||
#
|
#
|
||||||
?if 0
|
?if 0
|
||||||
A_ACCEPT # Audits then accepts a connection request
|
A_ACCEPT # Audits then accepts a connection request
|
||||||
A_DROP # Audits then drops a connection request
|
A_DROP # Audits then drops a connection request
|
||||||
allowBcast # Silently Allow Broadcast/multicast
|
allowBcast # Silently Allow Broadcast/multicast
|
||||||
dropBcast # Silently Drop Broadcast/multicast
|
dropBcast # Silently Drop Broadcast/multicast
|
||||||
dropNotSyn # Silently Drop Non-syn TCP packets
|
dropNotSyn # Silently Drop Non-syn TCP packets
|
||||||
rejNotSyn # Silently Reject Non-syn TCP packets
|
rejNotSyn # Silently Reject Non-syn TCP packets
|
||||||
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
allowinUPnP # Allow UPnP inbound (to firewall) traffic
|
||||||
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
forwardUPnP # Allow traffic that upnpd has redirected from 'upnp' interfaces.
|
||||||
Limit # Limit the rate of connections from each individual IP address
|
Limit # Limit the rate of connections from each individual IP address
|
||||||
?endif
|
?endif
|
||||||
###############################################################################
|
###############################################################################
|
||||||
#ACTION
|
#ACTION
|
||||||
A_Drop # Audited Default Action for DROP policy
|
A_Drop # Audited Default Action for DROP policy
|
||||||
A_REJECT noinline,logjump # Audits then rejects a connection request
|
A_REJECT noinline,logjump # Audits then rejects a connection request
|
||||||
A_REJECT! inline # Audits then rejects a connection request
|
A_REJECT! inline # Audits then rejects a connection request
|
||||||
A_Reject # Audited Default action for REJECT policy
|
A_Reject # Audited Default action for REJECT policy
|
||||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||||
AutoBLL noinline # Helper for AutoBL
|
AutoBLL noinline # Helper for AutoBL
|
||||||
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
BLACKLIST logjump # Add sender to the dynamic blacklist
|
||||||
DNSAmp # Matches one-question recursive DNS queries
|
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
||||||
Drop # Default Action for DROP policy
|
DNSAmp # Matches one-question recursive DNS queries
|
||||||
|
Drop # Default Action for DROP policy
|
||||||
dropInvalid inline # Drops packets in the INVALID conntrack state
|
dropInvalid inline # Drops packets in the INVALID conntrack state
|
||||||
DropSmurfs noinline # Drop smurf packets
|
DropSmurfs noinline # Drop smurf packets
|
||||||
Established inline,\ # Handles packets in the ESTABLISHED state
|
Established inline,\ # Handles packets in the ESTABLISHED state
|
||||||
state=ESTABLISHED #
|
state=ESTABLISHED #
|
||||||
GlusterFS inline # Handles GlusterFS
|
GlusterFS inline # Handles GlusterFS
|
||||||
IfEvent noinline # Perform an action based on an event
|
IfEvent noinline # Perform an action based on an event
|
||||||
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
Invalid inline,audit,\ # Handles packets in the INVALID conntrack state
|
||||||
state=INVALID #
|
state=INVALID #
|
||||||
New inline,state=NEW # Handles packets in the NEW conntrack state
|
New inline,state=NEW # Handles packets in the NEW conntrack state
|
||||||
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
NotSyn inline,audit # Handles TCP packets which do not have SYN=1 and ACK=0
|
||||||
Reject # Default Action for REJECT policy
|
Reject # Default Action for REJECT policy
|
||||||
Related inline,\ # Handles packets in the RELATED conntrack state
|
Related inline,\ # Handles packets in the RELATED conntrack state
|
||||||
state=RELATED #
|
state=RELATED #
|
||||||
ResetEvent inline # Reset an Event
|
ResetEvent inline # Reset an Event
|
||||||
RST inline,audit # Handle packets with RST set
|
RST inline,audit # Handle packets with RST set
|
||||||
SetEvent inline # Initialize an event
|
SetEvent inline # Initialize an event
|
||||||
TCPFlags # Handle bad flag combinations.
|
TCPFlags # Handle bad flag combinations.
|
||||||
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
Untracked inline,\ # Handles packets in the UNTRACKED conntrack state
|
||||||
state=UNTRACKED #
|
state=UNTRACKED #
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user