shorewall6-blacklist 5 blacklist shorewall6 Blacklist file /etc/shorewall6/blacklist Description The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application. The columns in the file are as follows. ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset} Host address, network address, MAC address, IP address range (if your kernel and ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). MAC addresses must be prefixed with "~" and use "-" as a separator. Example: ~00-A0-C9-15-39-78 A dash ("-") in this column means that any source address will match. This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns. PROTOCOL (Optional) - {-|protocol-number|protocol-name} If specified, must be a protocol number or a protocol name from protocols(5). PORTS (Optional) - {-|port-name-or-number[,port-name-or-number]...} May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of destination port numbers or service names from services(5). OPTIONS (Optional - Added in 4.4.12) - {-|{to|from}[,...]} If specified, indicates whether traffic or the ADDRESS/SUBNET should be blacklisted. The default is from. If the ADDRESS/SUBNET column is empty, then this column has no effect on the generated rule. Blacklisting is still restricted to traffic arriving on an interface that has the 'blacklist' option set. So to block traffic from your local network to an internet host, you must specify on your internal interface in shorewall6-interfaces (5). Beginning with Shorewall 4.4.13, entries specifying to are applied to traffic based on the blacklist setting in shorewall6-interfaces(5). Input blacklisting (default if no value given). Traffic entering this interface are passed against the entries in shorewall6-blacklist(5) that have the from option (specified or defaulted). Traffic originating on the firewall and leaving by this interface is passed against the entries in shorewall6-blacklist(5) that have the to option. Output blacklisting. Traffic entering on this interface is passed against the entries in shorewall6-blacklist(5) that have the to option. When a packet arrives on an interface that has the blacklist option specified in shorewall6-interfaces(5), its source IP address and MAC address is checked against this file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in shorewall6.conf(5). If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching the protocol (and one of the ports if PORTS supplied) are blocked. Example Example 1: To block DNS queries from address fe80::2a0:ccff:fedb:31c4: #ADDRESS/SUBNET PROTOCOL PORT fe80::2a0:ccff:fedb:31c4/ udp 53 Example 2: To block some of the nuisance applications: #ADDRESS/SUBNET PROTOCOL PORT - udp 1024:1033,1434 - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898 FILES /etc/shorewall6/blacklist See ALSO http://shorewall.net/blacklisting_support.htm shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)