Shorewall Blacklisting Support
Shorewall supports two different forms of blacklisting: static and dynamic.
Static Blacklisting
Shorewall static blacklisting support has the following configuration parameters:
- You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION
setting in /etc/shorewall/shorewall.conf
- You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting in
/etc/shorewall/shorewall.conf
- You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist. Beginning with Shorewall version 1.3.8, you may also specify a PROTOCOL and port numbers/service names in the blacklist file, so that an entry can be limited to a particular protocol and set of ports.
- You specify the interfaces whose incoming packets you want
checked against the blacklist using the "blacklist" option in
/etc/shorewall/interfaces.
- The blacklist is reloaded from /etc/shorewall/blacklist by the "shorewall refresh" command; edits to the file take effect only once the firewall has been refreshed or restarted.
Dynamic Blacklisting
Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting does not use any configuration parameters; it is controlled entirely with /sbin/shorewall commands:
- drop <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.
- reject <ip address list> - causes packets from the listed IP addresses to be rejected by the firewall.
- allow <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop or reject command.
- save - saves the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted.
- show dynamic - displays the dynamic blacklisting configuration.
Dynamic blacklisting does not depend on the "blacklist" option in /etc/shorewall/interfaces.
Example 1:
shorewall drop 192.0.2.124 192.0.2.125
Drops packets from hosts 192.0.2.124 and 192.0.2.125.
Example 2:
shorewall allow 192.0.2.125
Re-enables access from 192.0.2.125.
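The following script is an added example and is not part of Shorewall or its documentation. It wraps both facilities described above: the static blacklist file plus "shorewall refresh", and the dynamic "shorewall drop"/"shorewall save" commands. It assumes the 1.3.8-and-later blacklist file layout (ADDRESS/SUBNET, PROTOCOL, PORTS columns, with "-" meaning unrestricted) and the ZONE/INTERFACE/BROADCAST/OPTIONS layout of /etc/shorewall/interfaces; both layouts, the function names, and the SHOREWALL, BLACKLIST_FILE, INTERFACES_FILE, PROTO and PORTS variables are this example's own. The point it adds to the text is input hygiene: addresses typically come from logs or an external feed, and "shorewall" runs as root, so every entry is checked against a strict IPv4 syntax before it reaches the command line, and the whole batch is refused if any entry is bad. It also includes the check a practitioner wants before relying on the static list: that the interface actually carries the "blacklist" option.

```shell
#!/bin/sh
# Added example (not part of Shorewall or its documentation): a thin wrapper
# around the static and dynamic blacklisting described on this page.
#
#   blacklist_now ADDR...        dynamic: "shorewall drop" then "shorewall save"
#   blacklist_static NET...      static: append to the blacklist file, then
#                                "shorewall refresh"
#   static_blacklist_armed IF    true if IF has the "blacklist" interface option
#
# Every address is checked before it reaches the shorewall command line, so a
# hostile string harvested from a log ("1.2.3.4; rm -rf /") is refused instead
# of being handed to a root-privileged command.

SHOREWALL="${SHOREWALL:-shorewall}"          # overridable, e.g. for dry runs
BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/shorewall/blacklist}"
INTERFACES_FILE="${INTERFACES_FILE:-/etc/shorewall/interfaces}"

# is_ipv4_net ARG: succeed only for a.b.c.d or a.b.c.d/n with octets 0-255 and
# n 0-32, written in plain decimal (no leading zeros, which some parsers read
# as octal). Anything else, including shell metacharacters, fails.
is_ipv4_net() {
    case "$1" in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
    addr="${1%%/*}"
    case "$1" in */*) prefix="${1#*/}" ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*|????*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    rest="$addr."                      # trailing dot: each octet ends in "."
    n=0
    while [ -n "$rest" ]; do
        o="${rest%%.*}"; rest="${rest#*.}"; n=$((n + 1))
        case "$o" in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# blacklist_now ADDR...: dynamic blacklisting of individual hosts (the page
# documents "drop" as taking a list of IP addresses, so subnets are refused
# here). The whole batch is validated first; nothing is applied if any entry
# is bad. "save" afterwards so the entries survive a restart.
blacklist_now() {
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        if [ "$a" != "${a%/*}" ] || ! is_ipv4_net "$a"; then
            printf 'refusing malformed host address: %s\n' "$a" >&2
            return 1
        fi
    done
    $SHOREWALL drop "$@" && $SHOREWALL save
}

# blacklist_line NET [PROTO [PORTS]]: one row of the static blacklist file.
# Assumed 1.3.8+ layout: ADDRESS/SUBNET, PROTOCOL, PORTS; "-" = unrestricted.
blacklist_line() {
    printf '%s\t%s\t%s\n' "$1" "${2:--}" "${3:--}"
}

# blacklist_static NET...: append a row per subnet, then reload the static
# list with "shorewall refresh". Set PROTO and/or PORTS beforehand to limit
# the entries to a protocol and port list, e.g. PROTO=tcp PORTS=135,137:139.
blacklist_static() {
    [ $# -gt 0 ] || return 1
    for net in "$@"; do
        is_ipv4_net "$net" || { printf 'refusing malformed subnet: %s\n' "$net" >&2; return 1; }
    done
    for net in "$@"; do
        blacklist_line "$net" "${PROTO:-}" "${PORTS:-}" >> "$BLACKLIST_FILE"
    done
    $SHOREWALL refresh
}

# static_blacklist_armed IFACE: succeed only if IFACE carries "blacklist" in
# the OPTIONS column of the interfaces file (assumed columns: ZONE INTERFACE
# BROADCAST OPTIONS). Without that option the static list is never consulted
# for packets arriving on IFACE, however many entries the file has.
static_blacklist_armed() {
    awk -v want="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        $2 == want { n = split($4, opt, ",")
                     for (k = 1; k <= n; k++) if (opt[k] == "blacklist") hit = 1 }
        END { exit hit ? 0 : 1 }' "$INTERFACES_FILE"
}

# Command-line use:  sh blacklist.sh now 192.0.2.124 192.0.2.125
#                    sh blacklist.sh static 203.0.113.0/24
#                    sh blacklist.sh armed eth0 && echo "eth0 consults the static list"
case "${1:-}" in
    now)    shift; blacklist_now "$@" ;;
    static) shift; blacklist_static "$@" ;;
    armed)  static_blacklist_armed "$2" ;;
esac
```

Setting SHOREWALL to a shell function that only records its arguments gives a dry run of either path without touching the live firewall; the static path is the one to use for entries that should outlive a "shorewall restart" without relying on "shorewall save".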
Last updated 7/27/2003 - Tom Eastep
Copyright © 2002, 2003 Thomas M. Eastep.