From e45b96ca20d4c7f34343d43431c3ff00f22c5728 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 26 Jan 2017 13:17:11 -0800 Subject: [PATCH] Update blacklisting article: - ipset-based blacklisting - BLACKLIST policy and action Signed-off-by: Tom Eastep --- docs/blacklisting_support.xml | 101 +++++++++++++++++++++++++++++++++- 1 file changed, 100 insertions(+), 1 deletion(-) diff --git a/docs/blacklisting_support.xml b/docs/blacklisting_support.xml index 5d50ee244..59c786d82 100644 --- a/docs/blacklisting_support.xml +++ b/docs/blacklisting_support.xml @@ -109,7 +109,7 @@ DROP net:200.55.14.18 all
- Dynamic Blacklisting + Chain-based Dynamic Blacklisting Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. @@ -176,4 +176,103 @@ DROP net:200.55.14.18 all
+ +
+ Ipset-based Dynamic Blacklisting + + Beginning with Shorewall 5.0.8, it is possible to use an ipset to + hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded + to: + + DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:log_tag]]]} + + When or is + specified, the shorewall blacklist command is used to + blacklist a single host or a network. The allow command + is used to remove entries from the ipset. The name of the set + (setname) and the level + (log_level), if any, at which blacklisted + traffic is to be logged may also be specified. The default set name is + SW_DBL4 and the default log level is (no logging). + If is given, then chain-based dynamic + blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been + specified. + + Possible options are: + + + + src-dst + + + Normally, only packets whose source address matches an entry + in the ipset are dropped. If is included, + then packets whose destination address matches an entry in the ipset + are also dropped. + + + + + + + + The option was added in Shorewall + 5.0.13 and requires that the conntrack utility be installed on the + firewall system. When an address is blacklisted using the + blacklist command, all connections originating + from that address are disconnected. if the + option was also specified, then all connections to that address are + also disconnected. + + + + + =seconds + + + Added in Shorewall 5.0.13. Normally, Shorewall creates the + dynamic blacklisting ipset with timeout 0 which means that entries + are permanent. If you want entries in the set that are not accessed + for a period of time to be deleted from the set, you may specify + that period using this option. Note that the + blacklist command can override the ipset's + timeout setting. 
+ + + Once the dynamic blacklisting ipset has been created, + changing this option setting requires a complete restart of the + firewall; shorewall restart if RESTART=restart, + otherwise shorewall stop && shorewall + start + + + + + + When ipset-based dynamic blacklisting is enabled, the contents of + the blacklist will be preserved over + stop/reboot/start + sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if + setname is included in the list of sets to be + saved in SAVE_IPSETS. +
+ +
+ BLACKLIST Policy and Action + + Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST + in the POLICY column of shorewall-policies(5) when + ipset-based dynamic blacklisting is being used. When a packet is disposed + of via the BLACKLIST policy, the packet's sender is added to the dynamic + blacklist ipset and the packet is dropped. + + Also available beginning with Shorewall 5.1.1 is a BLACKLIST action + for use in the rules file, macros and filter table actions. Execute the + shorewall show action BLACKLIST command for + details. +
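Review bot: In the first hunk (the retitle to "Chain-based Dynamic Blacklisting"), the sentence that immediately follows still reads "dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes", which no longer distinguishes the chain-based mechanism from the ipset-based one that the same option now selects further down in this patch. Suggest "chain-based dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes", so a reader who jumps to this section by its new title is not led to believe DYNAMIC_BLACKLIST=Yes is the only form.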
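Review bot: In the second hunk, the syntax line for the expanded option is malformed: `DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:log_tag]]]}` has an empty alternative (`No||ipset`) and one more `]` than `[`, and `[:log_level|:log_tag]` reads as if a tag may be given without a level; if the intent follows the usual level-then-tag form, `[:[setname][:log_level[:log_tag]]]` would be the fix. Further down in the same hunk, "just as if DYNAMIC_BLACKLISTING=No had been specified" should name the option as `DYNAMIC_BLACKLIST=No`, matching the rest of the article; "disconnected. if the option was also specified" needs a capital "If"; and the sentence ending "otherwise shorewall stop && shorewall start" is missing its full stop. One documentation gap worth closing while you are here: the new text states both that the set is created with timeout 0 (permanent entries) by default and that the BLACKLIST policy adds every sender it disposes of to that set, so with the default timeout a BLACKLIST policy on a busy zone grows the ipset without bound; a sentence in the BLACKLIST Policy section pointing readers at the timeout option for that case would help.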