Restore template

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4892 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-16 00:17:11 +00:00
parent b8f1af1881
commit d3ca53bdd4

View File

@ -1,128 +1,62 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-blacklist</refentrytitle> <refentrytitle>shorewall-</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
<refnamediv> <refnamediv>
<refname>blacklist</refname> <refname>file</refname>
<refpurpose>Shorewall Blacklist file</refpurpose> <refpurpose>Shorewall file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/blacklist</command> <command>/etc/shorewall/</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para>The blacklist file is used to perform static blacklisting. You can
blacklist by source address (IP or MAC), or by application. </para>
<para>The columns in the file are as follows.</para> <para>The columns in the file are as follows.</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis></term> <term>COLUMN 1</term>
<listitem> <listitem>
<para>Host address, network address, MAC address, IP address range <para></para>
(if your kernel and iptables contain iprange match support) or ipset
name prefaced by "+" (i your kernel supports ipset match).</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>A dash ("-") in this column means that any source address will
match. This is useful if you want to blacklist a particular
application.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional)</term>
<listitem>
<para>If specified, must be a protocol number or a protocol name
from protocols(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORTS</emphasis> (Optional)</term>
<listitem>
<para>May only be specified if the protocol is TCP (6) or UDP (17).
A comma-separated list of destination port numbers or service names
from services(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>When a packet arrives on an interface that has the <emphasis
role="bold">blacklist</emphasis> option specified in
shorewall-interfaces(5), its source IP address and MAC address is checked
against this file and disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in shorewall.conf(5).
If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>Example</title> <title>Example</title>
<variablelist> <para></para>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>To block DNS queries from address 192.0.2.126:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126 udp 53</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>To block some of the nuisance applicataion:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/blacklist</para> <para>/etc/shorewall/</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
<title>See ALSO</title> <title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>