<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall6-blacklist</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>blacklist</refname> <refpurpose>shorewall6 Blacklist file</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall6/blacklist</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application. The use of this file is deprecated in favor of <ulink url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning with Shorewall 4.5.7, the blacklist file is no longer installed. Existing blacklist files can be converted to a corresponding blrules file using the <command>shorewall6 update -b</command> command.</para> <para>The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).</para> <variablelist> <varlistentry> <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis role="bold">-</emphasis>|<emphasis role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis role="bold">+</emphasis><emphasis>ipset</emphasis>}</term> <listitem> <para>Host address, network address, MAC address, IP address range (if your kernel and ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (<ulink url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is supported.</para> <para>MAC addresses must be prefixed with "~" and use "-" as a separator.</para> <para>Example: ~00-A0-C9-15-39-78</para> <para>A dash ("-") in this column means that any source address will match. This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term> <listitem> <para>Optional - if specified, must be a protocol number or a protocol name from protocols(5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term> <listitem> <para>May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of destination port numbers or service names from services(5).</para> </listitem> </varlistentry> <varlistentry> <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term> <listitem> <para>Optional - added in 4.4.12. If specified, indicates whether traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis role="bold">src</emphasis>) or traffic <emphasis>to</emphasis> ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be blacklisted. The default is <emphasis role="bold">src</emphasis>. If the ADDRESS/SUBNET column is empty, then this column has no effect on the generated rule.</para> <note> <para>In Shorewall 4.4.12, the keywords from and to were used in place of src and dst respectively. Blacklisting was still restricted to traffic <emphasis>arriving</emphasis> on an interface that has the 'blacklist' option set. So to block traffic from your local network to an internet host, you had to specify <option>blacklist</option> on your internal interface in <ulink url="shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5).</para> </note> <note> <para>Beginning with Shorewall 4.4.13, entries are applied based on the <emphasis role="bold">blacklist</emphasis> setting in <ulink url="shorewall-zones.html">shorewall6-zones</ulink>(5):</para> <orderedlist> <listitem> <para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic from this zone is passed against the entries in this file that have the <emphasis role="bold">src</emphasis> option (specified or defaulted).</para> </listitem> <listitem> <para>'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic to this zone is passed against the entries in this file that have the <emphasis role="bold">dst</emphasis> option.</para> </listitem> </orderedlist> </note> <para>In Shorewall 4.4.20, the <emphasis role="bold">whitelist</emphasis> option was added. When <emphasis role="bold">whitelist</emphasis> is specified, packets/connections that match the entry are not matched against the remaining entries in the file.</para> <para>The <emphasis role="bold">audit</emphasis> option was also added in 4.4.20 and causes packets matching the entry to be audited. The <emphasis role="bold">audit</emphasis> option may not be specified in whitelist entries and require AUDIT_TARGET support in the kernel and ip6tables.</para> </listitem> </varlistentry> </variablelist> <para>When a packet arrives on an interface that has the <emphasis role="bold">blacklist</emphasis> option specified in <ulink url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its source IP address and MAC address is checked against this file and disposed of according to the <emphasis role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis> are supplied, only packets matching the protocol (and one of the ports if <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para> </refsect1> <refsect1> <title>Example</title> <variablelist> <varlistentry> <term>Example 1:</term> <listitem> <para>To block DNS queries from address fe80::2a0:ccff:fedb:31c4:</para> <programlisting> #ADDRESS/SUBNET PROTOCOL PORT fe80::2a0:ccff:fedb:31c4/ udp 53</programlisting> </listitem> </varlistentry> <varlistentry> <term>Example 2:</term> <listitem> <para>To block some of the nuisance applications:</para> <programlisting> #ADDRESS/SUBNET PROTOCOL PORT - udp 1024:1033,1434 - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall6/blacklist</para> </refsect1> <refsect1> <title>See ALSO</title> <para><ulink url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para> <para><ulink url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para> </refsect1> </refentry>