Shorewall Blacklisting/Whitelisting SupportTomEastep2002-200620102011Thomas M. EastepPermission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License.This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.IntroductionShorewall supports two different types of blacklisting; rule-based,
static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf
controls the degree of blacklist filtering.The BLACKLIST option lists the Netfilter connection-tracking states
that blacklist rules are to be applied to (states are NEW, ESTABLISHED,
RELATED, INVALID, NOTRACK). The BLACKLIST option supersedes the
BLACKLISTNEWONLY option:BLACKLISTNEWONLY=No -- All incoming packets are checked against
the blacklist. New blacklist entries can be used to terminate existing
connections.BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate
existing connections.For automatic blacklisting based on exceeding defined threshholds,
see Events.Rule-based BlacklistingBeginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the blrules file (shorewall-blrules (5)).
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
standard and custom macros as well as standard and custom actions. See
shorewall-blrules (5)
for details.Example:#ACTION SOURCE DEST PROTO DPORT
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP net:221.192.199.48 all
DROP net:61.158.162.9 all
DROP net:81.21.54.100 all tcp 25
DROP net:84.108.168.139 all
DROP net:200.55.14.18 all
Beginning with Shorewall 4.4.26, the update
command supports a option that causes your legacy
blacklisting configuration to use the blrules file.Chain-based Dynamic BlacklistingBeginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in shorewall.conf.
Prior to that release, the feature is always enabled.Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
Note that to and from may
only be specified when running Shorewall 4.4.12 or
later.drop [to|from] <ip address list> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.reject [to|from]<ip address list> -
causes packets from the listed IP addresses to be rejected by the
firewall.allow [to|from] <ip address list> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject
command.save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.Update: Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
stop/start sequences and over
restart and reload.show dynamic - displays the dynamic blacklisting
configuration.logdrop [to|from] <ip address list> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).logreject [to|from}<ip address list>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).Ipset-based Dynamic BlacklistingBeginning with Shorewall 5.0.8, it is possible to use an ipset to
hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded
to:DYNAMIC_BLACKLIST={Yes|No||ipset[-only][,option[,...]][:[setname][:log_level|:log_tag]]]}When or is
specified, the shorewall blacklist command is used to
blacklist a single host or a network. The allow command
is used to remove entries from the ipset. The name of the set
(setname) and the level
(log_level), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name is
SW_DBL4 and the default log level is (no logging).
If is given, then chain-based dynamic
blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
specified.Possible options are:src-dstNormally, only packets whose source address matches an entry
in the ipset are dropped. If is included,
then packets whose destination address matches an entry in the ipset
are also dropped.The option was added in Shorewall
5.0.13 and requires that the conntrack utility be installed on the
firewall system. When an address is blacklisted using the
blacklist command, all connections originating
from that address are disconnected. if the
option was also specified, then all connections to that address are
also disconnected.=secondsAdded in Shorewall 5.0.13. Normally, Shorewall creates the
dynamic blacklisting ipset with timeout 0 which means that entries
are permanent. If you want entries in the set that are not accessed
for a period of time to be deleted from the set, you may specify
that period using this option. Note that the
blacklist command can override the ipset's
timeout setting.Once the dynamic blacklisting ipset has been created,
changing this option setting requires a complete restart of the
firewall; shorewall restart if RESTART=restart,
otherwise shorewall stop && shorewall
startWhen ipset-based dynamic blacklisting is enabled, the contents of
the blacklist will be preserved over
stop/reboot/start
sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
setname is included in the list of sets to be
saved in SAVE_IPSETS.BLACKLIST Policy and ActionBeginning with Shorewall 5.1.1, it is possible to specify BLACKLIST
in the POLICY column of shorewall-policies(5) when
ipset-based dynamic blacklisting is being used. When a packet is disposed
of via the BLACKLIST policy, the packet's sender is added to the dynamic
blacklist ipset and the packet is dropped.Also available beginning with Shorewall 5.1.1 is a BLACKLIST action
for use in the rules file, macros and filter table actions. Execute the
shorewall show action BLACKLIST command for
details.