<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall6-blacklist</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>blacklist</refname>

    <refpurpose>shorewall6 Blacklist file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>/etc/shorewall6/blacklist</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The blacklist file is used to perform static blacklisting by source
    address (IP or MAC), or by application. The use of this file is deprecated
    in favor of <ulink
    url="shorewall6-blrules.html">shorewall6-blrules</ulink>(5), and beginning
    with Shorewall 4.5.7, the blacklist file is no longer installed. Existing
    blacklist files can be converted to a corresponding blrules file using the
    <command>shorewall6 update -b</command> command.</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
          <para>Host address, network address, MAC address, IP address range
          (if your kernel and ip6tables contain iprange match support) or
          ipset name prefaced by "+" (if your kernel supports ipset match).
          Exclusion (<ulink
          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
          supported.</para>

          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>

          <para>Example: ~00-A0-C9-15-39-78</para>

          <para>A dash ("-") in this column means that any source address will
          match. This is useful if you want to blacklist a particular
          application using entries in the PROTOCOL and PORTS columns.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
        role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>

        <listitem>
          <para>Optional - if specified, must be a protocol number or a
          protocol name from protocols(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

        <listitem>
          <para>May only be specified if the protocol is TCP (6), UDP (17),
          DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
          destination port numbers or service names from services(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>

        <listitem>
          <para>Optional - added in 4.4.12. If specified, indicates whether
          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
          role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
          ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
          blacklisted. The default is <emphasis role="bold">src</emphasis>. If
          the ADDRESS/SUBNET column is empty, then this column has no effect
          on the generated rule.</para>

          <note>
            <para>In Shorewall 4.4.12, the keywords from and to were used in
            place of src and dst respectively. Blacklisting was still
            restricted to traffic <emphasis>arriving</emphasis> on an
            interface that has the 'blacklist' option set. So to block traffic
            from your local network to an internet host, you had to specify
            <option>blacklist</option> on your internal interface in <ulink
            url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
            (5).</para>
          </note>

          <note>
            <para>Beginning with Shorewall 4.4.13, entries are applied based
            on the <emphasis role="bold">blacklist</emphasis> setting in
            <ulink
            url="shorewall-zones.html">shorewall6-zones</ulink>(5):</para>

            <orderedlist>
              <listitem>
                <para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
                from this zone is passed against the entries in this file that
                have the <emphasis role="bold">src</emphasis> option
                (specified or defaulted).</para>
              </listitem>

              <listitem>
                <para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
                Traffic to this zone is passed against the entries in this
                file that have the <emphasis role="bold">dst</emphasis>
                option.</para>
              </listitem>
            </orderedlist>
          </note>

          <para>In Shorewall 4.4.20, the <emphasis
          role="bold">whitelist</emphasis> option was added. When <emphasis
          role="bold">whitelist</emphasis> is specified, packets/connections
          that match the entry are not matched against the remaining entries
          in the file.</para>

          <para>The <emphasis role="bold">audit</emphasis> option was also
          added in 4.4.20 and causes packets matching the entry to be audited.
          The <emphasis role="bold">audit</emphasis> option may not be
          specified in whitelist entries and require AUDIT_TARGET support in
          the kernel and ip6tables.</para>
        </listitem>
      </varlistentry>
    </variablelist>

    <para>When a packet arrives on an interface that has the <emphasis
    role="bold">blacklist</emphasis> option specified in <ulink
    url="shorewall-interfaces.html">shorewall6-interfaces</ulink>(5), its
    source IP address and MAC address is checked against this file and
    disposed of according to the <emphasis
    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
    url="shorewall.conf.html">shorewall6.conf</ulink>(5). If <emphasis
    role="bold">PROTOCOL</emphasis> or <emphasis
    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
    are supplied, only packets matching the protocol (and one of the ports if
    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <variablelist>
      <varlistentry>
        <term>Example 1:</term>

        <listitem>
          <para>To block DNS queries from address
          fe80::2a0:ccff:fedb:31c4:</para>

          <programlisting>        #ADDRESS/SUBNET            PROTOCOL        PORT
        fe80::2a0:ccff:fedb:31c4/  udp             53</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Example 2:</term>

        <listitem>
          <para>To block some of the nuisance applications:</para>

          <programlisting>        #ADDRESS/SUBNET         PROTOCOL        PORT
        -                       udp             1024:1033,1434
        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall6/blacklist</para>
  </refsect1>

  <refsect1>
    <title>See ALSO</title>

    <para><ulink
    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>

    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
</refentry>