diff --git a/Samples/Universal/shorewall.conf b/Samples/Universal/shorewall.conf
index 437f76d28..44093dbee 100644
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -110,6 +110,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 25baa6d0a..b42faf0bb 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -121,6 +121,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf
index 101c5b4aa..d89ab47cc 100644
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -119,6 +119,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=Yes
CLEAR_TC=Yes
diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf
index 6d85ed6ad..545a32e2c 100644
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -122,6 +122,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=Yes
CLEAR_TC=Yes
diff --git a/Samples6/Universal/rules b/Samples6/Universal/rules
index 2967c1dcf..5ae7cfbad 100644
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -9,7 +9,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf
index a56f46e06..45de42211 100644
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Samples6/one-interface/rules b/Samples6/one-interface/rules
index 0a391516b..e051f8e01 100644
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf
index 23b4577e3..de7bb7be2 100644
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Samples6/three-interfaces/rules b/Samples6/three-interfaces/rules
index 9f8c2772f..a8a8d2979 100644
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf
index 3b038757f..3c0394aac 100644
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Samples6/two-interfaces/rules b/Samples6/two-interfaces/rules
index 0a13822da..2e95245eb 100644
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -13,7 +13,6 @@
###########################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
-#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf
index f51ec661d..a2f1d5800 100644
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 75a8110db..ab538e3f7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1795,8 +1795,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$bt =~ s/[-+!]$//;
- my %functions = (ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
- REDIRECT => sub () {
+ my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+
+ REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) {
$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
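Review bot: The reformatted `%functions` hash now spells the same empty prototype two ways in adjacent entries, `sub()` for ACCEPT and `sub ()` for REDIRECT; since this hunk is purely a layout change, it should settle on one form, e.g. `ACCEPT => sub () { $action = 'RETURN' if $blacklist; } ,`. The whitespace-only restructuring continues in the next two hunks of this file, where REJECT, CONTINUE, WHITELIST, COUNT and LOG are written with no prototype at all (`sub {`), so the finished table carries three spellings for closures that are all invoked the same way. process_rule1 itself starts and ends outside these hunks, so I cannot see whether any entry is ever called with arguments, which would be the only reason to keep an explicit `()` on some of them.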
@@ -1806,8 +1807,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
}
} ,
+
REJECT => sub { $action = 'reject'; } ,
+
CONTINUE => sub { $action = 'RETURN'; } ,
+
WHITELIST => sub {
unless ( $blacklist ) {
if ( $config{BLACKLISTSECTION} ) {
@@ -1817,8 +1821,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
}
}
- $action = 'RETURN'; } ,
+ $action = 'RETURN';
+ } ,
+
COUNT => sub { $action = ''; } ,
+
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
);
diff --git a/Shorewall/configfiles/blrules b/Shorewall/configfiles/blrules
new file mode 100644
index 000000000..da2576927
--- /dev/null
+++ b/Shorewall/configfiles/blrules
@@ -0,0 +1,12 @@
+#
+# Shorewall version 5 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+######################################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
+# PORT PORT(S) DEST LIMIT GROUP
+
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 8ff338023..6d624693d 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -110,6 +110,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=Yes
diff --git a/Shorewall/install.sh b/Shorewall/install.sh
index dc9db04a4..c87220ec4 100755
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -616,6 +616,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
fi
#
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 configfiles/blrules ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
+ run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
+ echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
+fi
+#
# Install the findgw file
#
run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
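Review bot: The new block installs `configfiles/blrules.annotated` from `/usr/share/shorewall/configfiles`, but this commit only adds `configfiles/blrules`; if the `.annotated` variant is produced by the build the way the other templates' are, this is fine, otherwise `run_install` will be handed a missing source file, and the `${suffix}` used on the `/etc` copy presumably selects between the two, so both need to exist. The `-m 0600` plus the `! -f` guard for the `/etc/shorewall/blrules` copy matches the existing blacklist block above it and keeps an administrator's edited rules from being overwritten on reinstall, which is the right default for a file that encodes policy. The equivalent hunk in Shorewall6/install.sh has the same `.annotated` dependency and additionally reports `Blrules file installed as ...` where this file reports `Blacklist rules file installed as ...`; making the two messages identical, e.g. `echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall6/blrules"`, keeps install logs greppable across both packages.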
diff --git a/Shorewall6/configfiles/blrules b/Shorewall6/configfiles/blrules
new file mode 100644
index 000000000..cf3850aeb
--- /dev/null
+++ b/Shorewall6/configfiles/blrules
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Blacklist File
+#
+# For information about entries in this file, type "man shorewall6-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###########################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
+# PORT PORT(S) DEST LIMIT GROUP
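Review bot: The header of this new file reads `Shorewall6 version 4 - Blacklist File`, which is the wording the install scripts already use for the existing `blacklist` file (`Blacklist file installed as ...`), so a reader opening `/etc/shorewall6/blrules` cannot tell from the banner which of the two files they are in; the IPv4 counterpart added in the same commit is titled `Shorewall version 5 - Blacklist Rules File`. Suggest `# Shorewall6 version 4 - Blacklist Rules File` here, and confirm whether the version number (4 here, 5 in the IPv4 file) is intended to differ between the two templates. The IPv4 file also ends with a trailing blank line that this one lacks; harmless for a comment-only template, but worth aligning if the two are meant to stay in lockstep.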
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 3b7314959..0d4966fb4 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -105,6 +105,8 @@ AUTOMAKE=No
BLACKLISTNEWONLY=Yes
+BLACKLISTSECTION=No
+
CLAMPMSS=No
CLEAR_TC=No
diff --git a/Shorewall6/install.sh b/Shorewall6/install.sh
index 983a24cc7..394c83b62 100755
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
fi
#
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 blrules ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 blrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blrules ]; then
+ run_install $OWNERSHIP -m 0600 blrules${suffix} ${DESTDIR}/etc/shorewall6/blrules
+ echo "Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules"
+fi
+#
# Install the Providers file
#
run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/
diff --git a/manpages/shorewall-blrules.xml b/manpages/shorewall-blrules.xml
index 151f1dd6a..aae27ac33 100644
--- a/manpages/shorewall-blrules.xml
+++ b/manpages/shorewall-blrules.xml
@@ -16,7 +16,7 @@
- /etc/shorewall6/blrules
+ /etc/shorewall/blrules
@@ -154,7 +154,7 @@
the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
- "shorewall6 show <chain>". To stop the comment from
+ "shorewall show <chain>". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.
@@ -167,7 +167,7 @@
The name of an action declared in
shorewall-actions(5) or
- in /usr/share/shorewall6/actions.std.
+ in /usr/share/shorewall/actions.std.
@@ -199,7 +199,7 @@
If the ACTION names an
action declared in shorewall-actions(5) or in
- /usr/share/shorewall6/actions.std then:
+ /usr/share/shorewall/actions.std then:
@@ -234,7 +234,7 @@
For the remaining columns, see shorewall6-rules (5).
+ url="shorewall-rules.html">shorewall-rules (5).
@@ -245,9 +245,9 @@
Example 1:
- Disallow SMTP from the local zone to the net zone.
+ Drop Teredo packets from the net.
- DROP loc net tcp 25
+ DROP net:[2001::/32] all
@@ -255,10 +255,10 @@
Example 2:
- Don't subject packets from 192.0.2.0/24 to the remaining rules
- in the file.
+ Don't subject packets from 2001:DB8::/64 to the remaining
+ rules in the file.
- WHITELIST net:192.0.2.0/24 all
+ WHITELIST net:[2001:DB8::/64] all
diff --git a/manpages6/shorewall6-blrules.xml b/manpages6/shorewall6-blrules.xml
index b7ba4583b..c61c3cd24 100644
--- a/manpages6/shorewall6-blrules.xml
+++ b/manpages6/shorewall6-blrules.xml
@@ -29,7 +29,7 @@
Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in shorewall6.conf(5). If
+ url="shorewall.conf.html">shorewall6.conf(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.