diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml
index 9b0d1acf8..d611197be 100644
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -85,14 +85,13 @@
url="manpages/shorewall-blrules.html">shorewall-blrules (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See
- shorewall-rules (5) for
- details.
+ shorewall-blrules (5)
+ for details.
Example:
- #ACTION SOURCE DEST PROTO DEST
-# PORTS(S)
-SECTION BLACKLIST
+ #ACTION SOURCE DEST PROTO DPORT
+
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
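Review bot: the replacement reference `shorewall-blrules (5)` / `for details.` is a bare manpage name, while the sentence immediately before it already links the same manpage via `url="manpages/shorewall-blrules.html"`; either wrap the new mention in the same ulink or drop it, since it now repeats the citation just above. Dropping `SECTION BLACKLIST` from the example is consistent with the example moving from the rules file to blrules (which has no sections), and `DPORT` replaces the old `DEST PORTS(S)` header; confirm the new `#ACTION SOURCE DEST PROTO DPORT` line keeps the same leading indentation as the `WHITELIST`/`DROP` rows below it so the rendered example columns line up.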
@@ -107,243 +106,74 @@ DROP net:200.55.14.18 all
Beginning with Shorewall 4.4.26, the update
command supports a option that causes your legacy
blacklisting configuration to use the blrules file.
-
-
- If you prefer to keep your blacklisting rules in your rules file
- (shorewall-rules
- (5)), you can place them in the BLACKLIST section of that file rather
- than in blrules.
-
- Legacy Blacklisting
+ Dynamic Blacklisting
- Prior to 4.4.25, two forms of blacklisting were supported; static
- and dynamic. The dynamic variety is still appropriate for
- on-the-fly blacklisting; the static form is
- deprecated.
+ Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
+ setting DYNAMIC_BLACKLIST=Yes in shorewall.conf.
+ Prior to that release, the feature is always enabled.
-
- By default, only the source address is
- checked against the blacklists. Blacklists only stop
- blacklisted hosts from connecting to you — they do not stop you or your
- users from connecting to blacklisted hosts .
+ Once enabled, dynamic blacklisting doesn't use any configuration
+ parameters but is rather controlled using /sbin/shorewall[-lite] commands.
+ Note that to and from may
+ only be specified when running Shorewall 4.4.12 or
+ later.
-
-
- UPDATE
+
+
+ drop [to|from] <ip address list> -
+ causes packets from the listed IP addresses to be silently dropped by
+ the firewall.
+
-
- Beginning with Shorewall 4.4.12, you can also blacklist by
- destination address. See shorewall-blacklist
- (5) and shorewall (8)
- for details.
-
-
-
-
+
+ reject [to|from]<ip address list> -
+ causes packets from the listed IP addresses to be rejected by the
+ firewall.
+
-
- Dynamic Shorewall blacklisting is not
- appropriate for blacklisting 1,000s of different addresses. Static
- Blacklisting can handle large blacklists but only if you use
- ipsets. Without ipsets, the blacklists will take forever to
- load, and will have a very negative effect on firewall
- performance.
-
+
+ allow [to|from] <ip address list> -
+ re-enables receipt of packets from hosts previously blacklisted by a
+ drop or reject
+ command.
+
-
- Static Blacklisting
+
+ save - save the dynamic blacklisting configuration so that it
+ will be automatically restored the next time that the firewall is
+ restarted.
- Shorewall static blacklisting support has the following
- configuration parameters:
+ Update: Beginning with
+ Shorewall 4.4.10, the dynamic blacklist is automatically retained over
+ stop/start sequences and over
+ restart and reload.
+
-
-
- You specify whether you want packets from blacklisted hosts
- dropped or rejected using the BLACKLIST_DISPOSITION setting in
- shorewall.conf(5).
-
+
+ show dynamic - displays the dynamic blacklisting
+ configuration.
+
-
- You specify whether you want packets from blacklisted hosts
- logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
- in shorewall.conf(5).
-
+
+ logdrop [to|from] <ip address list> -
+ causes packets from the listed IP addresses to be dropped and logged
+ by the firewall. Logging will occur at the level specified by the
+ BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
+ the 'info' level if no BLACKLIST_LOGLEVEL was given).
+
-
- You list the IP addresses/subnets that you wish to blacklist
- in shorewall-blacklist
- (5). You may also specify PROTOCOL and Port numbers/Service names in
- the blacklist file.
-
-
-
- You specify the interfaces whose incoming packets you want
- checked against the blacklist using the blacklist
- option in shorewall-interfaces(5)
- (shorewall-zones(5) in
- Shorewall 4.4.12 and later).
-
-
-
- Prior to Shorewall 4.4.20, only source-address static blacklisting
- was supported.
-
- Users with a large static black list may want to set the
- DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
- 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
- connections before loading the blacklist rules. While this may allow
- connections from blacklisted hosts to slip by during construction of the
- blacklist, it can substantially reduce the time that all new connections
- are disabled during "shorewall [re]start".
-
- Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's
- an example:
-
- #ADDRESS/SUBNET PROTOCOL PORT
-+Blacklistports[dst]
-+Blacklistnets[src,dst]
-+Blacklist[src,dst]
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
- In this example, there is a portmap ipset
- Blacklistports that blacklists all traffic with
- destination ports included in the ipset. There are also
- Blacklistnets (type nethash)
- and Blacklist (type iphash)
- ipsets that allow blacklisting networks and individual IP addresses.
- Note that [src,dst] is specified so that individual entries in the sets
- can be bound to other portmap ipsets to allow blacklisting
- (source address, destination
- port) combinations. For example:
-
- ipset -N SMTP portmap --from 1 --to 31
-ipset -A SMTP 25
-ipset -A Blacklist 206.124.146.177
-ipset -B Blacklist 206.124.146.177 -b SMTP
-
- This will blacklist SMTP traffic from host 206.124.146.177.
-
-
-
- Static Whitelisting
-
- Beginning with Shorewall 4.4.20, you can create
- whitelist entries in the blacklist file.
- Connections/packets matching a whitelist entry are not matched against
- the entries in the blacklist file that follow. Whitelist entries are
- created using the whitelist option
- (OPTIONS column). See shorewall-blacklist
- (5).
-
-
-
- Dynamic Blacklisting
-
- Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
- setting DYNAMIC_BLACKLIST=Yes in shorewall.conf.
- Prior to that release, the feature is always enabled.
-
- Once enabled, dynamic blacklisting doesn't use any configuration
- parameters but is rather controlled using /sbin/shorewall[-lite]
- commands. Note that to and from may
- only be specified when running Shorewall 4.4.12 or
- later.
-
-
-
- drop [to|from] <ip address list> -
- causes packets from the listed IP addresses to be silently dropped
- by the firewall.
-
-
-
- reject [to|from]<ip address list> -
- causes packets from the listed IP addresses to be rejected by the
- firewall.
-
-
-
- allow [to|from] <ip address list> -
- re-enables receipt of packets from hosts previously blacklisted by a
- drop or reject
- command.
-
-
-
- save - save the dynamic blacklisting configuration so that it
- will be automatically restored the next time that the firewall is
- restarted.
-
- Update: Beginning with
- Shorewall 4.4.10, the dynamic blacklist is automatically retained
- over stop/start sequences and over
- restart.
-
-
-
- show dynamic - displays the dynamic blacklisting
- configuration.
-
-
-
- logdrop [to|from] <ip address list>
- - causes packets from the listed IP addresses to be dropped and
- logged by the firewall. Logging will occur at the level specified by
- the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
- be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
-
-
-
- logreject [to|from}<ip address
- list> - causes packets from the listed IP addresses to
- be rejected and logged by the firewall. Logging will occur at the
- level specified by the BLACKLIST_LOGLEVEL setting at the last
- [re]start (logging will be at the 'info' level if no
- BLACKLIST_LOGLEVEL was given).
-
-
-
- Dynamic blacklisting is not dependent on the
- blacklist option in
- /etc/shorewall/interfaces.
-
-
- Ignore packets from a pair of systems
-
- shorewall[-lite] drop 192.0.2.124 192.0.2.125
-
- Drops packets from hosts 192.0.2.124 and 192.0.2.125
-
-
-
- Re-enable packets from a system
-
- shorewall[-lite] allow 192.0.2.125
-
- Re-enables traffic from 192.0.2.125.
-
-
-
- Displaying the Dynamic Blacklist
-
- shorewall show dynamic
-
- Displays the 'dynamic' chain which contains rules for the
- dynamic blacklist. The source column contains
- the set of blacklisted addresses.
-
-
+
+ logreject [to|from}<ip address list>
+ - causes packets from the listed IP addresses to be rejected and
+ logged by the firewall. Logging will occur at the level specified by
+ the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
+ at the 'info' level if no BLACKLIST_LOGLEVEL was given).
+
+
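Review bot: the `logreject [to|from}<ip address list>` line carries a mismatched brace (`}` where `]` is meant) and `reject [to|from]<ip address list>` lacks the space before `<ip address list>`; both are copied over from the removed text, and since these lines are rewritten here anyway they should read `[to|from] <ip address list>` like `drop`, `allow` and `logdrop`. Separately, `logdrop` and `logreject` still say logging occurs "at the level specified by the BLACKLIST_LOGLEVEL setting", but this hunk removes the only place in the file that explained BLACKLIST_LOGLEVEL (the "logged and at what syslog level" paragraph of the old Static Blacklisting section), so add a pointer to shorewall.conf(5) at its first mention. Finally, the removed note that dynamic blacklisting does not depend on the `blacklist` interface option and the three worked examples (`shorewall[-lite] drop 192.0.2.124 192.0.2.125`, `shorewall[-lite] allow 192.0.2.125`, `shorewall show dynamic`) are not re-added anywhere in the visible lines; if they are not restored further down, the examples at least belong under the new Dynamic Blacklisting heading, and the `save` description should state that it is only needed before 4.4.10 given the "Update" paragraph that directly follows it.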