extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-29 22:18:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rework blacklisting

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-06 15:29:20 -07:00
parent c6f58ba924
commit f3255cd83a
8 changed files with 242 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -48,14 +48,10 @@ our @EXPORT = qw( process_tos
our @EXPORT_OK = qw( process_rule process_rule1 initialize ); our @EXPORT_OK = qw( process_rule process_rule1 initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_13';
#
# Set to one if we find a SECTION
#
our $macro_nest_level; our $macro_nest_level;
our $current_param; our $current_param;
our @param_stack; our @param_stack;
our $family; our $family;
# #
# When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these # When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
# #
@ -217,16 +213,19 @@ sub add_rule_pair( $$$$ ) {
sub setup_blacklist() { sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist'; my $hosts = find_hosts_by_option1 'blacklist', BL_IN;
my $hosts1 = find_hosts_by_option1 'blacklist', BL_OUT;
my $chainref; my $chainref;
my $chainref1;
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
# #
# We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
# for 'refresh' to work properly. # for 'refresh' to work properly.
# #
if ( @$hosts ) { if ( @$hosts || @$hosts1 ) {
$chainref = dont_delete new_standard_chain 'blacklst'; $chainref = dont_delete new_standard_chain 'blacklst' if @$hosts;
$chainref1 = dont_delete new_standard_chain 'blackout' if @$hosts1;
if ( defined $level && $level ne '' ) { if ( defined $level && $level ne '' ) {
my $logchainref = new_standard_chain 'blacklog'; my $logchainref = new_standard_chain 'blacklog';
@ -250,7 +249,7 @@ sub setup_blacklist() {
while ( read_a_line ) { while ( read_a_line ) {
if ( $first_entry ) { if ( $first_entry ) {
unless ( @$hosts ) { unless ( @$hosts || @$hosts1 ) {
warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces); warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
close_file; close_file;
last BLACKLIST; last BLACKLIST;
@ -265,6 +264,8 @@ sub setup_blacklist() {
$options = 'from' if $options eq '-'; $options = 'from' if $options eq '-';
warning_message "'$options' entry ignored because there are no matching interfaces", next unless @$hosts || $options eq 'to';
for ( split /,/, $options ) { for ( split /,/, $options ) {
fatal_error "Invalid OPTION ($_)" unless /^(from|to)$/; fatal_error "Invalid OPTION ($_)" unless /^(from|to)$/;
$direction = $_; $direction = $_;
@ -274,19 +275,31 @@ sub setup_blacklist() {
$chainref , $chainref ,
NO_RESTRICT , NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) , do_proto( $protocol , $ports, '' ) ,
$direction eq 'from' ? $networks : '', $networks,
$direction eq 'to' ? $networks : '', '',
'' , '' ,
$target , $target ,
'' , '' ,
$target , $target ,
'' ); '' ) if $chainref && $options eq 'from';
expand_rule(
$chainref1 ,
NO_RESTRICT ,
do_proto( $protocol , $ports, '' ) ,
$networks,
'',
'' ,
$target ,
'' ,
$target ,
'' ) if $chainref1 && $options eq 'to';
progress_message " \"$currentline\" added to blacklist"; progress_message " \"$currentline\" added to blacklist";
} }
warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts; warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
} elsif ( @$hosts ) { } elsif ( @$hosts || @$hosts1 ) {
warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size); warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
} }
@ -307,8 +320,27 @@ sub setup_blacklist() {
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1; set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Blacklisting enabled on ${interface}:${network}"; progress_message " Type 1 blacklisting enabled on ${interface}:${network}";
} }
for my $hostref ( @$hosts1 ) {
my $interface = $hostref->[0];
my $ipsec = $hostref->[1];
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2];
my $source = match_source_net $network;
my $target = source_exclusion( $hostref->[3], $chainref1 );
for my $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, "${source}${state}${policy}";
}
set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1;
progress_message " Type 2 blacklisting enabled on ${interface}:${network}";
}
} }
} }
@ -1849,6 +1881,7 @@ sub generate_matrix() {
our %input_jump_added = (); our %input_jump_added = ();
our %output_jump_added = (); our %output_jump_added = ();
our %forward_jump_added = (); our %forward_jump_added = ();
my %needs_bl_jump = ();
progress_message2 'Generating Rule Matrix...'; progress_message2 'Generating Rule Matrix...';
# #
@ -1977,7 +2010,8 @@ sub generate_matrix() {
my $ipsec_in_match = match_ipsec_in $zone , $hostref; my $ipsec_in_match = match_ipsec_in $zone , $hostref;
my $ipsec_out_match = match_ipsec_out $zone , $hostref; my $ipsec_out_match = match_ipsec_out $zone , $hostref;
my $exclusions = $hostref->{exclusions}; my $exclusions = $hostref->{exclusions};
my $blacklist = $hostref->{options}{blacklist} & BL_OUT;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
my $dest = match_dest_net $net; my $dest = match_dest_net $net;
@ -1989,10 +2023,11 @@ sub generate_matrix() {
my $interfacematch = ''; my $interfacematch = '';
my $use_output = 0; my $use_output = 0;
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) { if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( ( $blacklist || @{$interfacechainref->{rules}} ) && ! $chain1ref ) ) {
$outputref = $interfacechainref; $outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1; $use_output = 1;
$needs_bl_jump{output_chain $interface} = 1 if $blacklist;
unless ( lc $net eq IPv6_LINKLOCAL ) { unless ( lc $net eq IPv6_LINKLOCAL ) {
for my $vzone ( vserver_zones ) { for my $vzone ( vserver_zones ) {
@ -2002,6 +2037,7 @@ sub generate_matrix() {
} else { } else {
$outputref = $filter_table->{OUTPUT}; $outputref = $filter_table->{OUTPUT};
$interfacematch = match_dest_dev $interface; $interfacematch = match_dest_dev $interface;
$needs_bl_jump{output_chain $interface} = 1 if $blacklist;
} }
add_jump $outputref , $nextchain, 0, join( '', $interfacematch, $dest, $ipsec_out_match ); add_jump $outputref , $nextchain, 0, join( '', $interfacematch, $dest, $ipsec_out_match );
@ -2255,6 +2291,7 @@ sub generate_matrix() {
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain; add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
} }
add_jump( $filter_table->{$_}, $filter_table->{blackout} , 0 , '' , 0 , 0 ) for keys %needs_bl_jump;
add_interface_jumps @interfaces unless $interface_jumps_added; add_interface_jumps @interfaces unless $interface_jumps_added;
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] , my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,

59
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
IP IP
BPORT BPORT
IPSEC IPSEC
BL_IN
BL_OUT
determine_zones determine_zones
zone_report zone_report
@ -78,6 +80,7 @@ our @EXPORT = qw( NOTHING
compile_updown compile_updown
validate_hosts_file validate_hosts_file
find_hosts_by_option find_hosts_by_option
find_hosts_by_option1
all_ipsets all_ipsets
have_ipsec have_ipsec
); );
@ -94,7 +97,12 @@ use constant { NOTHING => 'NOTHING',
IPSECPROTO => 'ah|esp|ipcomp', IPSECPROTO => 'ah|esp|ipcomp',
IPSECMODE => 'tunnel|transport' IPSECMODE => 'tunnel|transport'
}; };
#
# blacklist option values
#
use constant {
BL_IN => 1 ,
BL_OUT => 2 };
# #
# Zone Table. # Zone Table.
# #
@ -231,7 +239,7 @@ sub initialize( $ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
arp_ignore => ENUM_IF_OPTION, arp_ignore => ENUM_IF_OPTION,
blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, blacklist => ENUM_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
detectnets => OBSOLETE_IF_OPTION, detectnets => OBSOLETE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
@ -264,7 +272,7 @@ sub initialize( $ ) {
sourceonly => 1, sourceonly => 1,
); );
} else { } else {
%validinterfaceoptions = ( blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, %validinterfaceoptions = ( blacklist => ENUM_IF_OPTION,
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@ -645,6 +653,8 @@ sub add_group_to_zone($$$$$)
$zoneref->{interfaces}{$interface} = 1; $zoneref->{interfaces}{$interface} = 1;
$options->{blacklist} ||= 0;
my @newnetworks; my @newnetworks;
my @exclusions = (); my @exclusions = ();
my $new = \@newnetworks; my $new = \@newnetworks;
@ -909,6 +919,7 @@ sub process_interface( $$ ) {
my %options; my %options;
$options{port} = 1 if $port; $options{port} = 1 if $port;
$options{blacklist} = 0;
my $hostoptionsref = {}; my $hostoptionsref = {};
@ -920,7 +931,7 @@ sub process_interface( $$ ) {
if ( $options ne '-' ) { if ( $options ne '-' ) {
my %hostoptions = ( dynamic => 0 ); my %hostoptions = ( blacklist => 0, dynamic => 0 );
for my $option (split_list1 $options, 'option' ) { for my $option (split_list1 $options, 'option' ) {
next if $option eq '-'; next if $option eq '-';
@ -952,8 +963,8 @@ sub process_interface( $$ ) {
$options{$option} = $value; $options{$option} = $value;
$hostoptions{$option} = $value if $hostopt; $hostoptions{$option} = $value if $hostopt;
} elsif ( $type == ENUM_IF_OPTION ) { } elsif ( $type == ENUM_IF_OPTION ) {
fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
if ( $option eq 'arp_ignore' ) { if ( $option eq 'arp_ignore' ) {
fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
if ( defined $value ) { if ( defined $value ) {
if ( $value =~ /^[1-3,8]$/ ) { if ( $value =~ /^[1-3,8]$/ ) {
$options{arp_ignore} = $value; $options{arp_ignore} = $value;
@ -963,6 +974,11 @@ sub process_interface( $$ ) {
} else { } else {
$options{arp_ignore} = 1; $options{arp_ignore} = 1;
} }
} elsif ( $option eq 'blacklist' ) {
$value = BL_IN unless ( defined $value && $value != '' );
fatal_error "Invalid 'blacklist' value ( $value )" unless $value =~ /^[12]$/;
$options{blacklist} = $value eq 1 ? BL_IN | BL_OUT : BL_OUT;
$hostoptions{blacklist} = $options{blacklist} & BL_IN;
} else { } else {
assert( 0 ); assert( 0 );
} }
@ -1126,7 +1142,7 @@ sub validate_interfaces_file( $ ) {
number => $nextinum , number => $nextinum ,
root => $interface , root => $interface ,
broadcasts => undef , broadcasts => undef ,
options => {} , options => { blacklist => 0 } ,
zone => '', zone => '',
physical => 'lo', physical => 'lo',
}; };
@ -1665,11 +1681,11 @@ sub process_host( ) {
} }
} }
my $optionsref = { dynamic => 0 }; my $optionsref = { blacklist => 0, dynamic => 0 };
if ( $options ne '-' ) { if ( $options ne '-' ) {
my @options = split_list $options, 'option'; my @options = split_list $options, 'option';
my %options = ( dynamic => 0 ); my %options = ( blacklist => 0, dynamic => 0 );
for my $option ( @options ) { for my $option ( @options ) {
if ( $option eq 'ipsec' ) { if ( $option eq 'ipsec' ) {
@ -1783,6 +1799,33 @@ sub find_hosts_by_option( $ ) {
\@hosts; \@hosts;
} }
sub find_hosts_by_option1( $$ ) {
my ($option, $bit ) = @_;
my @hosts;
for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
for my $host ( @{$arrayref} ) {
if ( $host->{options}{$option} & $bit ) {
for my $net ( @{$host->{hosts}} ) {
push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
}
}
}
}
}
}
for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} & $bit ) {
push @hosts, [ $interface, 'none', ALLIP , [] ];
}
}
\@hosts;
}
sub all_ipsets() { sub all_ipsets() {
sort keys %ipsets; sort keys %ipsets;
} }

2
Shorewall/changelog.txt
View File

@ -12,6 +12,8 @@ Changes in Shorewall 4.4.13
6) Add secmark config file. 6) Add secmark config file.
7) Split in and out blacklisting.
Changes in Shorewall 4.4.12 Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program. 1) Fix IPv6 shorecap program.

15
Shorewall/releasenotes.txt
View File

@ -175,6 +175,21 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
As part of this change, the tcrules file now accepts chain As part of this change, the tcrules file now accepts chain
designators 'I' and 'CI' for marking packets in the input chain. designators 'I' and 'CI' for marking packets in the input chain.
4) The 'blacklist' interface option may now have one of 2 values:
1 - Inbound blacklisting
2 - Outbond blacklisting
Inbound blacklisting is targeted for use on Internet-facing
interfaces. Incoming packets are passed against the blacklist
entries with the 'from' option (either explicitly or defaulted).
Traffic originating on the firewall is passed against the blacklist
entries with the 'to' option.
Outbound blacklisting is targeted for use on internal
interfaces. Packets arriving on these interfaces is passed against
the blacklist entries with the 'to' option.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------

48
manpages/shorewall-blacklist.xml
View File

@ -84,30 +84,50 @@
then this column has no effect on the generated rule.</para> then this column has no effect on the generated rule.</para>
<note> <note>
<para>Blacklisting is still restricted to traffic <para>In Shorewall 4.4.12, blacklisting is still restricted to
<emphasis>arriving</emphasis> on an interface that has the traffic <emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local 'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink <option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para> (5).</para>
</note> </note>
<note>
<para>Beginning with Shorewall 4.4.13, entries specifying
<emphasis role="bold">to</emphasis> are applied based on the
<emphasis role="bold">blacklist</emphasis> setting in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5):</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). Traffic
entering this interface are passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the firewall
and leaving by this interface is passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this interface
is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<para>When a packet arrives on an interface that has the <emphasis <para></para>
role="bold">blacklist</emphasis> option specified in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
source IP address and MAC address is checked against this file and
disposed of according to the <emphasis
role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
role="bold">PROTOCOL</emphasis> or <emphasis
role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
are supplied, only packets matching the protocol (and one of the ports if
<emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

30
manpages/shorewall-interfaces.xml
View File

@ -223,13 +223,39 @@ loc eth2 -</programlisting>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis
role="bold">blacklist[=<replaceable>value</replaceable>]</emphasis></term>
<listitem> <listitem>
<para>Check packets arriving on this interface against the <para>Check packets arriving on this interface against the
<ulink <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5) url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file.</para> file. The value may be specified when running Shorewall 4.4.13
or later and can have a value in the range 1-2</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given).
Traffic entering this interface are passed against the
entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
firewall and leaving by this interface is passed against
the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this
interface is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>

32
manpages6/shorewall6-blacklist.xml
View File

@ -94,6 +94,38 @@
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink> url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
(5).</para> (5).</para>
</note> </note>
<note>
<para>Beginning with Shorewall 4.4.13, entries specifying
<emphasis role="bold">to</emphasis> are applied to traffic based
on the <emphasis role="bold">blacklist</emphasis> setting in
<ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). Traffic
entering this interface are passed against the entries in
<ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the firewall
and leaving by this interface is passed against the entries in
<ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this interface
is passed against the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</note>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>

33
manpages6/shorewall6-interfaces.xml
View File

@ -115,13 +115,36 @@ loc eth2 -</programlisting>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis
role="bold">blacklist[=<replaceable>value</replaceable>]</emphasis></term>
<listitem> <listitem>
<para>Check packets arriving on this interface against the <para>The value may be specified when running Shorewall 4.4.13
<ulink or later and can have a value in the range 1-2</para>
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> <orderedlist>
<listitem>
<para>Input blacklisting (default if no value given).
Traffic entering this interface are passed against the
entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
firewall and leaving by this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this
interface is passed against the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</listitem> </listitem>
</varlistentry> </varlistentry>