Implement whitelisting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-18 08:30:01 -07:00
parent 8ec33cd6dd
commit e940f5018e
7 changed files with 70 additions and 31 deletions

View File

@ -247,9 +247,19 @@ sub setup_blacklist() {
$options = 'src' if $options eq '-';
my ( $to, $from ) = ( 0, 0 );
my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
for ( split /,/, $options ) {
my @options = split_list $options, 'option';
for ( @options ) {
$whitelist++ if $_ eq 'whitelist';
}
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
my $tgt = $whitelist ? 'RETURN' : $target;
for ( @options ) {
if ( $_ =~ /^(?:from|src)$/ ) {
if ( $from++ ) {
warning_message "Duplicate 'src' ignored";
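Review bot: a bare `whitelist` in OPTIONS leaves both `$from` and `$to` at zero, whereas `-` is normalized to `src` just above this hunk, so such an entry passes the option loop without selecting either direction; either normalize a lone `whitelist` to `src,whitelist` or reject it with `fatal_error` so the entry is never silently dropped. A one-line comment on `my $tgt = $whitelist ? 'RETURN' : $target;` saying that RETURN leaves the blacklist chain, and therefore skips the entries generated after it together with their logging, would help the next reader.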
@ -262,9 +272,9 @@ sub setup_blacklist() {
$networks,
'',
'' ,
$target ,
$tgt ,
'' ,
$target ,
$tgt ,
'' );
} else {
warning_message '"src" entry ignored because there are no "blacklist in" zones';
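Review bot: both `$target` arguments in this call are switched to `$tgt` together, so a whitelist entry emits a plain RETURN rule with no log level, which matches the "no logging of whitelisted packets" statement in the release notes; consider recording that intent in a comment at the call site, since nothing in the Perl explains why RETURN is the whitelist target.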
@ -282,15 +292,15 @@ sub setup_blacklist() {
'',
$networks,
'' ,
$target ,
$tgt ,
'' ,
$target ,
$tgt ,
'' );
} else {
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
}
}
} else {
} elsif ( $_ ne 'whitelist' ) {
fatal_error "Invalid blacklist option($_)";
}
}
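Review bot: with the `dst` branch also using `$tgt`, a `dst,whitelist` entry returns from the "blacklist out" chain while `src,whitelist` returns from the "blacklist in" chain, so an exemption only covers the direction(s) named in its OPTIONS; none of the documentation hunks in this commit say so. The `fatal_error "Invalid blacklist option($_)"` text could also list the accepted values (src, dst, whitelist) so that a misspelled option is easier to diagnose.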

View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2
4) Implemented NFLOG accounting action.
5) Implement 'whitelist' option.
Changes in Shorewall 4.4.20 Beta 1
1) Apply Togan's patch for installation flexibility.
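Review bot: item 5 reads "Implement 'whitelist' option." while the neighbouring item 4 reads "Implemented"; keep the tense consistent across the list.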

View File

@ -51,7 +51,12 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
3) An NFLOG 'ACTION' has been added to the accounting file to allow
sending matching packets (or the leading part of them) to backend
accounting daemons via a netlink socket.
accounting daemons via a netlink socket.
4) A 'whitelist' option has been added to the blacklist file. When
'whitelist' is specified, packets/connections matching the entry
are not matched against the entries which follow. No logging of
whitelisted packets/connections is performed.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
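Review bot: the line "accounting daemons via a netlink socket." is removed and re-added with no visible change, which looks like a trailing-whitespace edit unrelated to whitelisting; drop it from this commit or mention it. Item 4 would also benefit from saying that the exemption is ordering-sensitive: only entries after the whitelist entry are skipped, so it must be placed before the blacklist entries it is meant to override.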

View File

@ -124,7 +124,7 @@
<row>
<entry><ulink
url="blacklisting_support.htm">Blacklisting</ulink></entry>
url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
<entry><ulink
url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@ -265,8 +265,8 @@
<entry><ulink url="two-interface.htm#DNAT">Port
Forwarding</ulink></entry>
<entry><ulink url="whitelisting_under_shorewall.htm">White List
Creation</ulink></entry>
<entry><ulink url="blacklisting_support.htm#whitelisting">White
List Creation</ulink></entry>
</row>
<row>
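Review bot: the index now links to blacklisting_support.htm#whitelisting instead of whitelisting_under_shorewall.htm; if that older page is still published, add a pointer from it to the new section so existing bookmarks and external links do not land on stale content.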

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title>Shorewall Blacklisting Support</title>
<title>Shorewall Blacklisting/Whitelisting Support</title>
<authorgroup>
<author>
@ -22,6 +22,8 @@
<year>2010</year>
<year>2011</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -66,10 +68,10 @@
</orderedlist>
<important>
<para><emphasis role="bold">Only the source address is checked against
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para>
<para><emphasis role="bold">By default, only the source address is
checked against the blacklists</emphasis>. Blacklists only stop
blacklisted hosts from connecting to you — they do not stop you or your
users from connecting to blacklisted hosts .</para>
<variablelist>
<varlistentry>
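Review bot: the stray space before the full stop in "blacklisted hosts ." is carried over from the old paragraph; fix it while the paragraph is being rewritten. "By default" is accurate now that `dst` exists, but the sentence could name the OPTIONS column as the place where that default is changed.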
@ -106,36 +108,31 @@
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para>
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in
<ulink
url="manpages/shorewall-blacklist.html"><filename>/etc/shorewall/blacklist</filename></ulink>.
You may also specify PROTOCOL and Port numbers/Service names in the
blacklist file.</para>
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
</listitem>
<listitem>
<para>The black list is refreshed from
<filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
url="starting_and_stopping_shorewall.htm"><command>shorewall
refresh</command></ulink></quote> command.</para>
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
in Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
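Review bot: this hunk deletes the list item stating that the blacklist is refreshed from /etc/shorewall/blacklist by `shorewall refresh`, which has nothing to do with adding whitelisting; if the statement is still true it should stay (or move), and if it is obsolete the removal deserves a mention in the commit message. The pointer to shorewall-zones(5) for 4.4.12 and later is a good addition.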
@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the
entries in the blacklist file that follow. Whitelist entries are created
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
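Review bot: the new section should state that placement matters, because only entries "that follow" are skipped: a whitelist entry placed after the blacklist entry it is meant to override has no effect. It should also say that whitelisted traffic is not logged even when BLACKLIST_LOGLEVEL is set, as the release notes in this commit state. A two-line example, a whitelist entry for one host followed by a blacklist entry for its enclosing subnet, would make both points concrete.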

View File

@ -78,7 +78,7 @@
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term>
{-|{dst|src|whitelist}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
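Review bot: the term still reads "Added in 4.4.12" while now listing `whitelist`, which arrives in 4.4.20; the paragraph further down covers the version, but a reader skimming the synopsis may take all three values as available since 4.4.12.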
@ -122,6 +122,12 @@
</listitem>
</orderedlist>
</note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem>
</varlistentry>
</variablelist>
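Review bot: the paragraph should say how `whitelist` combines with the direction options (the synopsis allows `src,whitelist` and `dst,whitelist`) and what a lone `whitelist` means, since the code path defaults only `-` to src; it should also state that matching traffic bypasses BLACKLIST_LOGLEVEL logging, which the release notes say but this manpage does not.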

View File

@ -78,7 +78,7 @@
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{dst|src}[,...]}</term>
{-|{dst|src|whitelist}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic
@ -122,6 +122,12 @@
</listitem>
</orderedlist>
</note>
<para>In Shorewall 4.4.20, the <emphasis
role="bold">whitelist</emphasis> option was added. When <emphasis
role="bold">whitelist</emphasis> is specified, packets/connections
that match the entry are not matched against the remaining entries
in the file.</para>
</listitem>
</varlistentry>
</variablelist>
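Review bot: this is the shorewall6 copy of the same manpage text and has the same gaps: it does not say how `whitelist` combines with `src`/`dst`, what a lone `whitelist` means, or that whitelisted traffic is not logged; whatever wording is settled on for the IPv4 manpage should be applied here too so the two files stay in step.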