From a47cfb4f63ce1bd2b99fcdfe8b00dd59c191f5a0 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 17 Feb 2016 15:48:10 -0800 Subject: [PATCH] Update the blacklisting article for 5.0 Signed-off-by: Tom Eastep --- docs/blacklisting_support.xml | 290 +++++++--------------------------- 1 file changed, 60 insertions(+), 230 deletions(-) diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index 9b0d1acf8..d611197be 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -85,14 +85,13 @@ url="manpages/shorewall-blrules.html">shorewall-blrules (5)). There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, standard and custom macros as well as standard and custom actions. See - shorewall-rules (5) for - details. + shorewall-blrules (5) + for details. Example: - #ACTION SOURCE DEST PROTO DEST -# PORTS(S) -SECTION BLACKLIST + #ACTION SOURCE DEST PROTO DPORT + WHITELIST net:70.90.191.126 all DROP net all udp 1023:1033,1434,5948,23773 DROP all net udp 1023:1033 @@ -107,243 +106,74 @@ DROP net:200.55.14.18 all Beginning with Shorewall 4.4.26, the update command supports a option that causes your legacy blacklisting configuration to use the blrules file. - - - If you prefer to keep your blacklisting rules in your rules file - (shorewall-rules - (5)), you can place them in the BLACKLIST section of that file rather - than in blrules. -
- Legacy Blacklisting + Dynamic Blacklisting - Prior to 4.4.25, two forms of blacklisting were supported; static - and dynamic. The dynamic variety is still appropriate for - on-the-fly blacklisting; the static form is - deprecated. + Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by + setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. + Prior to that release, the feature is always enabled. - - By default, only the source address is - checked against the blacklists. Blacklists only stop - blacklisted hosts from connecting to you — they do not stop you or your - users from connecting to blacklisted hosts . + Once enabled, dynamic blacklisting doesn't use any configuration + parameters but is rather controlled using /sbin/shorewall[-lite] commands. + Note that to and from may + only be specified when running Shorewall 4.4.12 or + later. - - - UPDATE + + + drop [to|from] <ip address list> - + causes packets from the listed IP addresses to be silently dropped by + the firewall. + - - Beginning with Shorewall 4.4.12, you can also blacklist by - destination address. See shorewall-blacklist - (5) and shorewall (8) - for details. - - - - + + reject [to|from]<ip address list> - + causes packets from the listed IP addresses to be rejected by the + firewall. + - - Dynamic Shorewall blacklisting is not - appropriate for blacklisting 1,000s of different addresses. Static - Blacklisting can handle large blacklists but only if you use - ipsets. Without ipsets, the blacklists will take forever to - load, and will have a very negative effect on firewall - performance. - + + allow [to|from] <ip address list> - + re-enables receipt of packets from hosts previously blacklisted by a + drop or reject + command. + -
- Static Blacklisting + + save - save the dynamic blacklisting configuration so that it + will be automatically restored the next time that the firewall is + restarted. - Shorewall static blacklisting support has the following - configuration parameters: + Update: Beginning with + Shorewall 4.4.10, the dynamic blacklist is automatically retained over + stop/start sequences and over + restart and reload. + - - - You specify whether you want packets from blacklisted hosts - dropped or rejected using the BLACKLIST_DISPOSITION setting in - shorewall.conf(5). - + + show dynamic - displays the dynamic blacklisting + configuration. + - - You specify whether you want packets from blacklisted hosts - logged and at what syslog level using the BLACKLIST_LOGLEVEL setting - in shorewall.conf(5). - + + logdrop [to|from] <ip address list> - + causes packets from the listed IP addresses to be dropped and logged + by the firewall. Logging will occur at the level specified by the + BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at + the 'info' level if no BLACKLIST_LOGLEVEL was given). + - - You list the IP addresses/subnets that you wish to blacklist - in shorewall-blacklist - (5). You may also specify PROTOCOL and Port numbers/Service names in - the blacklist file. - - - - You specify the interfaces whose incoming packets you want - checked against the blacklist using the blacklist - option in shorewall-interfaces(5) - (shorewall-zones(5) in - Shorewall 4.4.12 and later). - - - - Prior to Shorewall 4.4.20, only source-address static blacklisting - was supported. - - Users with a large static black list may want to set the - DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version - 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new - connections before loading the blacklist rules. 
While this may allow - connections from blacklisted hosts to slip by during construction of the - blacklist, it can substantially reduce the time that all new connections - are disabled during "shorewall [re]start". - - Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's - an example: - - #ADDRESS/SUBNET PROTOCOL PORT -+Blacklistports[dst] -+Blacklistnets[src,dst] -+Blacklist[src,dst] -#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - - In this example, there is a portmap ipset - Blacklistports that blacklists all traffic with - destination ports included in the ipset. There are also - Blacklistnets (type nethash) - and Blacklist (type iphash) - ipsets that allow blacklisting networks and individual IP addresses. - Note that [src,dst] is specified so that individual entries in the sets - can be bound to other portmap ipsets to allow blacklisting - (source address, destination - port) combinations. For example: - - ipset -N SMTP portmap --from 1 --to 31 -ipset -A SMTP 25 -ipset -A Blacklist 206.124.146.177 -ipset -B Blacklist 206.124.146.177 -b SMTP - - This will blacklist SMTP traffic from host 206.124.146.177. -
- -
- Static Whitelisting - - Beginning with Shorewall 4.4.20, you can create - whitelist entries in the blacklist file. - Connections/packets matching a whitelist entry are not matched against - the entries in the blacklist file that follow. Whitelist entries are - created using the whitelist option - (OPTIONS column). See shorewall-blacklist - (5). -
- -
- Dynamic Blacklisting - - Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by - setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. - Prior to that release, the feature is always enabled. - - Once enabled, dynamic blacklisting doesn't use any configuration - parameters but is rather controlled using /sbin/shorewall[-lite] - commands. Note that to and from may - only be specified when running Shorewall 4.4.12 or - later. - - - - drop [to|from] <ip address list> - - causes packets from the listed IP addresses to be silently dropped - by the firewall. - - - - reject [to|from]<ip address list> - - causes packets from the listed IP addresses to be rejected by the - firewall. - - - - allow [to|from] <ip address list> - - re-enables receipt of packets from hosts previously blacklisted by a - drop or reject - command. - - - - save - save the dynamic blacklisting configuration so that it - will be automatically restored the next time that the firewall is - restarted. - - Update: Beginning with - Shorewall 4.4.10, the dynamic blacklist is automatically retained - over stop/start sequences and over - restart. - - - - show dynamic - displays the dynamic blacklisting - configuration. - - - - logdrop [to|from] <ip address list> - - causes packets from the listed IP addresses to be dropped and - logged by the firewall. Logging will occur at the level specified by - the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will - be at the 'info' level if no BLACKLIST_LOGLEVEL was given). - - - - logreject [to|from}<ip address - list> - causes packets from the listed IP addresses to - be rejected and logged by the firewall. Logging will occur at the - level specified by the BLACKLIST_LOGLEVEL setting at the last - [re]start (logging will be at the 'info' level if no - BLACKLIST_LOGLEVEL was given). - - - - Dynamic blacklisting is not dependent on the - blacklist option in - /etc/shorewall/interfaces. 
- - - Ignore packets from a pair of systems - - shorewall[-lite] drop 192.0.2.124 192.0.2.125 - - Drops packets from hosts 192.0.2.124 and 192.0.2.125 - - - - Re-enable packets from a system - - shorewall[-lite] allow 192.0.2.125 - - Re-enables traffic from 192.0.2.125. - - - - Displaying the Dynamic Blacklist - - shorewall show dynamic - - Displays the 'dynamic' chain which contains rules for the - dynamic blacklist. The source column contains - the set of blacklisted addresses. - -
+ + logreject [to|from}<ip address list> + - causes packets from the listed IP addresses to be rejected and + logged by the firewall. Logging will occur at the level specified by + the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be + at the 'info' level if no BLACKLIST_LOGLEVEL was given). + +
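Review bot: In the first hunk (@@ -85), the paragraph telling readers they may keep blacklisting rules in the BLACKLIST section of the rules file is deleted with no replacement sentence, so someone with such a legacy rules file gets no guidance in the 5.0 article; if that section is no longer honoured in 5.0, say so in one sentence next to the retained "Beginning with Shorewall 4.4.26, the update command supports a option ..." text (and, while this hunk is open, change "a option" to "an option" in that context line). The replacement of the shorewall-rules (5) reference with shorewall-blrules (5) and the new `#ACTION SOURCE DEST PROTO DPORT` header are consistent with the rest of the example.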
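Review bot: In the second hunk (@@ -107), the rewritten `logreject [to|from}<ip address list>` line carries over the mismatched bracket from the deleted version; since the line is being re-added anyway, make it `logreject [to|from] <ip address list>`, and add the missing space in `reject [to|from]<ip address list>` so all six command entries are formatted alike. This hunk also drops, together with the Legacy and Static Blacklisting sections, the caveat that dynamic blacklisting is not appropriate for thousands of addresses and that large lists need ipsets, and nothing in the visible `+` lines re-adds the worked `shorewall[-lite] drop` / `allow` / `show dynamic` examples; consider keeping one sentence on list size in the Dynamic Blacklisting section and restoring the examples so the section still shows the commands in use.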