2005-05-09 22:00:18 +02:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:22:09 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2005-05-09 22:00:18 +02:00
|
|
|
<article>
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
<title>Shorewall and Ipsets</title>
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
<author>
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
</author>
|
|
|
|
</authorgroup>
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2005-05-09 22:00:18 +02:00
|
|
|
|
|
|
|
<copyright>
|
|
|
|
<year>2005</year>
|
|
|
|
|
2008-12-07 19:13:16 +01:00
|
|
|
<year>2008</year>
|
|
|
|
|
2010-07-18 17:46:38 +02:00
|
|
|
<year>2010</year>
|
|
|
|
|
2015-04-26 06:14:55 +02:00
|
|
|
<year>2015</year>
|
|
|
|
|
2005-05-09 22:00:18 +02:00
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
License</ulink></quote>.</para>
|
|
|
|
</legalnotice>
|
|
|
|
</articleinfo>
|
|
|
|
|
2010-07-18 17:46:38 +02:00
|
|
|
<caution>
|
|
|
|
<para><emphasis role="bold">This article applies to Shorewall 4.4 and
|
|
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
2010-09-12 17:01:54 +02:00
|
|
|
4.4.0 then please see the documentation appropriate for your
|
2010-07-18 17:46:38 +02:00
|
|
|
version.</emphasis></para>
|
|
|
|
</caution>
|
|
|
|
|
2007-06-28 22:20:16 +02:00
|
|
|
<section id="Ipsets">
|
2005-05-09 22:00:18 +02:00
|
|
|
<title>What are Ipsets?</title>
|
|
|
|
|
2013-03-08 17:18:00 +01:00
|
|
|
<para>Ipsets are an extension to Netfilter/iptables that are available in
|
|
|
|
<ulink url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>
|
|
|
|
if they are not available in your current distribution. Instructions for
|
|
|
|
installing xtables-addons may be found in the <ulink
|
2009-06-02 15:32:42 +02:00
|
|
|
url="Dynamic.html">Dynamic Zones article</ulink>.</para>
|
2005-05-09 22:00:18 +02:00
|
|
|
|
|
|
|
<para>Ipset allows you to create one or more named sets of addresses then
|
|
|
|
use those sets to define Netfilter/iptables rules. Possible uses of ipsets
|
|
|
|
include:</para>
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
<listitem>
|
2008-08-15 07:03:24 +02:00
|
|
|
<para>Blacklists. Ipsets provide an efficient way to represent large
|
2005-05-09 22:00:18 +02:00
|
|
|
sets of addresses and you can maintain the lists without the need to
|
2005-08-11 21:33:07 +02:00
|
|
|
restart or even refresh your Shorewall configuration.</para>
|
2005-05-09 22:00:18 +02:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Zone definition. Using the /etc/shorewall/hosts file, you can
|
2009-06-02 15:32:42 +02:00
|
|
|
<ulink url="Dynamic.html">define a zone based on the (dynamic)
|
|
|
|
contents of an ipset</ulink>. Again, you can then add or delete
|
|
|
|
addresses to the ipset without restarting Shorewall.</para>
|
2005-05-09 22:00:18 +02:00
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
<para>See the ipsets site (URL above) for additional information about
|
|
|
|
ipsets.</para>
|
|
|
|
</section>
|
|
|
|
|
2007-06-28 22:20:16 +02:00
|
|
|
<section id="Support">
|
2005-05-09 22:00:18 +02:00
|
|
|
<title>Shorewall Support for Ipsets</title>
|
|
|
|
|
|
|
|
<para>Support for ipsets was introduced in Shorewall version 2.3.0. In
|
|
|
|
most places where a host or network address may be used, you may also use
|
|
|
|
the name of an ipset prefaced by "+".</para>
|
|
|
|
|
|
|
|
<para>Example: "+Mirrors"</para>
|
|
|
|
|
2009-02-28 04:45:43 +01:00
|
|
|
<para>When using Shorewall, the names of ipsets are restricted as
|
2008-09-09 03:02:57 +02:00
|
|
|
follows:</para>
|
|
|
|
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
|
|
<para>They must begin with a letter (after the '+').</para>
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2010-09-21 15:59:55 +02:00
|
|
|
<para>They must be composed of letters, digits, dashes ("-") or
|
|
|
|
underscores ("_").</para>
|
2008-09-09 03:02:57 +02:00
|
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
2005-05-09 22:00:18 +02:00
|
|
|
<para>To generate a negative match, prefix the "+" with "!" as in
|
|
|
|
"!+Mirrors".</para>
|
|
|
|
|
|
|
|
<para>Example 1: Blacklist all hosts in an ipset named "blacklist"</para>
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/blacklist</filename><programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
|
|
|
+blacklist</programlisting></para>
|
|
|
|
|
|
|
|
<para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
2009-06-02 15:32:42 +02:00
|
|
|
ACCEPT net:+sshok $FW tcp 22</programlisting></para>
|
2005-05-09 22:00:18 +02:00
|
|
|
|
2010-07-21 01:03:12 +02:00
|
|
|
<para>The name of the ipset can be optionally followed by a
|
|
|
|
comma-separated list of flags enclosed in square brackets ([...]). Each
|
|
|
|
flag is either <emphasis role="bold">src</emphasis> or <emphasis
|
|
|
|
role="bold">dst</emphasis> and specifies whether it is the SOURCE address
|
|
|
|
or port number or the DESTINATION address or port number that should be
|
|
|
|
matched. The number of flags must be appropriate for the type of ipset. If
|
|
|
|
no flags are given, Shorewall assumes that the set takes a single flag and
|
|
|
|
will select the flag based on the context. For example, in the blacklist
|
|
|
|
file and when the ipset appears in the SOURCE column of the rules file,
|
|
|
|
<emphasis role="bold">src</emphasis> is assumed. If the ipset appears in
|
|
|
|
the DEST column of the rules file, <emphasis role="bold">dst</emphasis> is
|
|
|
|
assumed. Note that by using <emphasis role="bold">[dst]</emphasis> in the
|
|
|
|
blacklist file, you can coerce the rule into matching the destination IP
|
|
|
|
address rather than the source.</para>
|
|
|
|
|
2010-09-21 15:59:55 +02:00
|
|
|
<para>Beginning with Shorewall 4.4.14, multiple source or destination
|
|
|
|
matches may be specified by placing multiple set names in '+[...]' (e.g.,
|
2014-06-13 13:25:54 +02:00
|
|
|
+[myset,myotherset]). When so enclosed, the set names need not be prefixed
|
2010-09-21 15:59:55 +02:00
|
|
|
with a plus sign.</para>
|
|
|
|
|
2010-07-18 17:46:38 +02:00
|
|
|
<para>Shorewall can save/restore your ipset contents with certain
|
|
|
|
restrictions:</para>
|
2009-02-28 04:45:43 +01:00
|
|
|
|
2010-07-18 17:46:38 +02:00
|
|
|
<orderedlist>
|
2009-02-28 04:45:43 +01:00
|
|
|
<listitem>
|
2010-07-18 17:46:38 +02:00
|
|
|
<para>You must set SAVE_IPSETS=Yes in <ulink
|
|
|
|
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
|
2009-02-28 04:45:43 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2010-07-18 17:46:38 +02:00
|
|
|
<para>You cannot use an ipset in <ulink
|
|
|
|
url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
|
|
|
|
(5).</para>
|
2009-02-28 04:45:43 +01:00
|
|
|
</listitem>
|
|
|
|
|
|
|
|
<listitem>
|
2010-07-18 17:46:38 +02:00
|
|
|
<para>The <command>restore</command> command cannot restore ipset
|
|
|
|
contents saved by the <command>save</command> command unless the
|
|
|
|
firewall is first stopped.</para>
|
2009-02-28 04:45:43 +01:00
|
|
|
</listitem>
|
|
|
|
</orderedlist>
|
2014-09-29 02:10:45 +02:00
|
|
|
|
|
|
|
<para>Beginning with Shorewall 4.6.4, you can save selective ipsets by
|
|
|
|
setting SAVE_IPSETS to a comma-separated list of ipset names. You can also
|
|
|
|
restrict the group of sets saved to ipv4 sets by setting
|
|
|
|
SAVE_IPSETS=ipv4.</para>
|
2014-10-07 18:52:15 +02:00
|
|
|
|
|
|
|
<para>With Shorewall 4.6.4, the SAVE_IPSETS option may specify a list of
|
|
|
|
ipsets to be saved. When such a list is specified, only those ipsets
|
|
|
|
together with the ipsets supporting dynamic zones are saved. Shorewall6
|
|
|
|
support for the SAVE_IPSETS option was also added in 4.6.4. When
|
|
|
|
SAVE_IPSETS=Yes in <ulink
|
|
|
|
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
|
|
|
|
ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
|
|
|
|
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
|
|
|
|
ipv4 ipsets are saved. Both features require ipset version 5 or
|
|
|
|
later.</para>
|
2015-04-26 06:14:55 +02:00
|
|
|
|
|
|
|
<para>Although Shorewall can save the definition of your ipsets and
|
|
|
|
restore them when Shorewall starts, in most cases you must use the ipset
|
|
|
|
utility to initially create and load your ipsets. The exception is that
|
|
|
|
Shorewall will automatically create an empty iphash ipset to back each
|
|
|
|
dynamic zone.</para>
|
2005-05-09 22:00:18 +02:00
|
|
|
</section>
|
2011-06-20 00:00:48 +02:00
|
|
|
|
|
|
|
<section>
|
|
|
|
<title>Shorewall6 and Shorewall-init Support for Ipsets</title>
|
|
|
|
|
|
|
|
<para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
|
|
|
|
|
2014-09-29 02:10:45 +02:00
|
|
|
<para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
|
|
|
|
url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
|
2014-10-07 22:37:56 +02:00
|
|
|
to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
|
|
|
|
by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
|
|
|
|
|
|
|
|
<para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
|
|
|
|
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
|
|
|
|
correctly because it saves both IPv4 and IPv6 ipsets. To work around this
|
|
|
|
issue, Shorewall-init is capable restoring ipset contents during 'start'
|
|
|
|
and saving them during 'stop'. To direct Shorewall-init to save/restore
|
|
|
|
ipset contents, set the SAVE_IPSETS option in
|
2014-09-29 02:10:45 +02:00
|
|
|
/etc/sysconfig/shorewall-init (/etc/default/shorewall-init on Debian and
|
|
|
|
derivatives). The value of the option is a file name where the contents of
|
|
|
|
the ipsets will be save to and restored from. Shorewall-init will create
|
2014-10-07 22:37:56 +02:00
|
|
|
any necessary directories during the first 'save' operation.</para>
|
|
|
|
|
|
|
|
<para>If you configure Shorewall-init to save/restore ipsets, be sure to
|
|
|
|
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
|
|
|
|
|
|
|
|
<para>If you configure SAVE_IPSETS in <ulink
|
|
|
|
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
|
2014-10-07 20:41:57 +02:00
|
|
|
url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
|
|
|
|
not set SAVE_IPSETS in shorewall-init.</para>
|
2011-06-20 00:00:48 +02:00
|
|
|
</section>
|
2008-11-10 17:51:03 +01:00
|
|
|
</article>
|