forked from extern/shorewall_code
Implement the BLACKLISTSECTION option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
755ed9859b
commit
1091c24348
@ -569,6 +569,7 @@ sub initialize( $ ) {
|
||||
COMPLETE => undef,
|
||||
EXPORTMODULES => undef,
|
||||
LEGACY_FASTSTART => undef,
|
||||
BLACKLISTSECTION => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -3693,6 +3694,7 @@ sub get_configuration( $$$ ) {
|
||||
default_yes_no 'COMPLETE' , '';
|
||||
default_yes_no 'EXPORTMODULES' , '';
|
||||
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
||||
default_yes_no 'BLACKLISTSECTION' , 'Yes';
|
||||
|
||||
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
||||
|
||||
|
@ -1741,7 +1741,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
#
|
||||
# We can now dispense with the postfix character
|
||||
#
|
||||
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
|
||||
if ( $action =~ s/[\+\-!]$// && $blacklist ) {
|
||||
if ( $config{BLACKLISTSECTION} ) {
|
||||
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section";
|
||||
} else {
|
||||
fatal_error "The +, - and ! modifiers are not allowed in the blrules file";
|
||||
}
|
||||
}
|
||||
#
|
||||
# Handle actions
|
||||
#
|
||||
@ -1789,7 +1795,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
|
||||
$bt =~ s/[-+!]$//;
|
||||
|
||||
my %functions = ( REDIRECT => sub () {
|
||||
my %functions = (ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
|
||||
REDIRECT => sub () {
|
||||
my $z = $actiontype & NATONLY ? '' : firewall_zone;
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
|
||||
@ -1801,8 +1808,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
} ,
|
||||
REJECT => sub { $action = 'reject'; } ,
|
||||
CONTINUE => sub { $action = 'RETURN'; } ,
|
||||
WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist;
|
||||
$action = 'RETURN'; } ,
|
||||
WHITELIST => sub {
|
||||
unless ( $blacklist ) {
|
||||
if ( $config{BLACKLISTSECTION} ) {
|
||||
fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section";
|
||||
} else {
|
||||
fatal_error "'WHITELIST' may only be used in the blrules file";
|
||||
}
|
||||
}
|
||||
|
||||
$action = 'RETURN'; } ,
|
||||
COUNT => sub { $action = ''; } ,
|
||||
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
|
||||
);
|
||||
@ -2276,7 +2291,9 @@ sub process_section ($) {
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
$sections{$sect} = 1;
|
||||
|
||||
if ( $sect eq 'ALL' ) {
|
||||
if ( $sect eq 'BLACKLIST' ) {
|
||||
fatal_error "A BLACKLIST section is not allowed when BLACKLISTSECTION=No" unless $config{BLACKLISTSECTION};
|
||||
} elsif ( $sect eq 'ALL' ) {
|
||||
$sections{BLACKLIST} = 1;
|
||||
} elsif ( $sect eq 'ESTABLISHED' ) {
|
||||
$sections{'BLACKLIST','ALL'} = ( 1, 1);
|
||||
@ -2433,6 +2450,20 @@ sub process_rule ( ) {
|
||||
#
|
||||
sub process_rules() {
|
||||
|
||||
unless ( $config{BLACKLISTSECTION} ) {
|
||||
my $fn = open_file 'blrules';
|
||||
|
||||
if ( $fn ) {
|
||||
first_entry "$doing $fn...";
|
||||
|
||||
$section = 'BLACKLIST';
|
||||
|
||||
process_rule while read_a_line;
|
||||
|
||||
$section = '';
|
||||
}
|
||||
}
|
||||
|
||||
my $fn = open_file 'rules';
|
||||
|
||||
if ( $fn ) {
|
||||
|
291
manpages/shorewall-blrules.xml
Normal file
291
manpages/shorewall-blrules.xml
Normal file
@ -0,0 +1,291 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall-blrules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>blrules</refname>
|
||||
|
||||
<refpurpose>shorewall Blacklist file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall6/blrules</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file is used to perform blacklisting and whitelisting when
|
||||
BLACKLISTSECTION=No in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)l.</para>
|
||||
|
||||
<para>Rules in this file are applied depending on the setting of
|
||||
BLACKLISTNEWONLY in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||
connections in the NEW and INVALID states.</para>
|
||||
|
||||
<para>The format of rules in this file is the same as the format of rules
|
||||
in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
|
||||
differece in the two files lies in the ACTION (first) column.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ACTION- {<emphasis
|
||||
role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
|
||||
role="bold">WHITELIES</emphasis>|<emphasis
|
||||
role="bold">LOG</emphasis>|<emphasis
|
||||
role="bold">QUEUE</emphasis>|<emphasis
|
||||
role="bold">NFQUEUE</emphasis>[<emphasis
|
||||
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
|
||||
role="bold">)</emphasis>]<emphasis
|
||||
role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
|
||||
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
|
||||
role="bold">)</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
||||
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
||||
role="bold">!</emphasis></emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Specifies the action to be taken if the packet matches the
|
||||
rule. Must be one of the following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Exempt the packet from the remaining rules in this
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DROP</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Ignore the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>A_DROP and A_DROP!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Audited versions of DROP. Requires AUDIT_TARGET support
|
||||
in the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">REJECT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>disallow the packet and return an icmp-unreachable or an
|
||||
RST packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>A_REJECT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Audited versions of REJECT. Require AUDIT_TARGET support
|
||||
in the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LOG</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Simply log the packet and continue with the next
|
||||
rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">QUEUE</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Queue the packet to a user-space application such as
|
||||
ftwall (http://p2pwall.sf.net). The application may reinsert
|
||||
the packet for further processing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>queues matching packets to a backend logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NFQUEUE</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Queues the packet to a user-space application using the
|
||||
nfnetlink_queue mechanism. If a
|
||||
<replaceable>queuenumber</replaceable> is not specified, queue
|
||||
zero (0) is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">COMMENT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>the rest of the line will be attached as a comment to
|
||||
the Netfilter rule(s) generated by the following entries. The
|
||||
comment will appear delimited by "/* ... */" in the output of
|
||||
"shorewall6 show <chain>". To stop the comment from
|
||||
being attached to further rules, simply include COMMENT on a
|
||||
line by itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>action</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
|
||||
in /usr/share/shorewall6/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>macro</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a macro defined in a file named
|
||||
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
||||
action parameter (Look at the macro source to see if it has
|
||||
PARAM in the TARGET column) then the
|
||||
<emphasis>macro</emphasis> name is followed by the
|
||||
parenthesized <emphasis>target</emphasis> (<emphasis
|
||||
role="bold">ACCEPT</emphasis>, <emphasis
|
||||
role="bold">DROP</emphasis>, <emphasis
|
||||
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
||||
parameter.</para>
|
||||
|
||||
<para>Example: FTP(ACCEPT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
|
||||
followed by ":" and a syslog log level (e.g, REJECT:info or
|
||||
Web(ACCEPT):debug). This causes the packet to be logged at the
|
||||
specified level.</para>
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
|
||||
/usr/share/shorewall6/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the log level is followed by "!' then all rules in the
|
||||
action are logged at the log level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the log level is not followed by "!" then only those
|
||||
rules in the action that do not specify logging are logged at
|
||||
the specified level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The special log level <emphasis
|
||||
role="bold">none!</emphasis> suppresses logging by the
|
||||
action.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
|
||||
(must be in upper case) as a log level.This will log to the NFLOG
|
||||
target for routing to a separate log through use of ulogd (<ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For the remaining columns, see <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Example</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Example 1:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Disallow SMTP from the local zone to the net zone.</para>
|
||||
|
||||
<programlisting>DROP loc net tcp 25</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Don't subject packets from 192.0.2.0/24 to the remaining rules
|
||||
in the file.</para>
|
||||
|
||||
<programlisting>WHITELIST net:192.0.2.0/24 all</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall/blrules</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
|
||||
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
|
||||
shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
|
||||
shorewall-providers(5), shorewall-route_rules(5),
|
||||
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
|
||||
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
|
||||
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
|
||||
shorewall-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
@ -331,7 +331,7 @@
|
||||
respectively and were added in Shorewall 4.4.20. They require
|
||||
AUDIT_TARGET in the kernel and iptables.</para>
|
||||
|
||||
<para> The BLACKLIST_DISPOSITION setting has no effect on entries in
|
||||
<para>The BLACKLIST_DISPOSITION setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
@ -361,8 +361,8 @@
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. That includes entries in the BLACKLIST section of
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
</para>
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
@ -377,6 +377,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
|
||||
zone-specific blacklisting rules are placed in the BLACKLIST section
|
||||
of <ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
When set to No, zone-specific blacklisting rules are place in <ulink
|
||||
url="shorewall-blrules.html">shorewall-blrules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
|
291
manpages6/shorewall6-blrules.xml
Normal file
291
manpages6/shorewall6-blrules.xml
Normal file
@ -0,0 +1,291 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
||||
<refentry>
|
||||
<refmeta>
|
||||
<refentrytitle>shorewall6-blrules</refentrytitle>
|
||||
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>blrules</refname>
|
||||
|
||||
<refpurpose>shorewall6 Blacklist file</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>/etc/shorewall6/blrules</command>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>This file is used to perform blacklisting and whitelisting when
|
||||
BLACKLISTSECTION=No in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)l.</para>
|
||||
|
||||
<para>Rules in this file are applied depending on the setting of
|
||||
BLACKLISTNEWONLY in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
|
||||
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
|
||||
connections in the NEW and INVALID states.</para>
|
||||
|
||||
<para>The format of rules in this file is the same as the format of rules
|
||||
in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The
|
||||
differece in the two files lies in the ACTION (first) column.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ACTION- {<emphasis
|
||||
role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
|
||||
role="bold">WHITELIES</emphasis>|<emphasis
|
||||
role="bold">LOG</emphasis>|<emphasis
|
||||
role="bold">QUEUE</emphasis>|<emphasis
|
||||
role="bold">NFQUEUE</emphasis>[<emphasis
|
||||
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
|
||||
role="bold">)</emphasis>]<emphasis
|
||||
role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
|
||||
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
|
||||
role="bold">)</emphasis>]}<emphasis
|
||||
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
|
||||
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
|
||||
role="bold">!</emphasis></emphasis>][<emphasis
|
||||
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Specifies the action to be taken if the packet matches the
|
||||
rule. Must be one of the following.</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Exempt the packet from the remaining rules in this
|
||||
file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">DROP</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Ignore the packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>A_DROP and A_DROP!</term>
|
||||
|
||||
<listitem>
|
||||
<para>Audited versions of DROP. Requires AUDIT_TARGET support
|
||||
in the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">REJECT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>disallow the packet and return an icmp-unreachable or an
|
||||
RST packet.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>A_REJECT</term>
|
||||
|
||||
<listitem>
|
||||
<para>Audited versions of REJECT. Require AUDIT_TARGET support
|
||||
in the kernel and ip6tables.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">LOG</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Simply log the packet and continue with the next
|
||||
rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">QUEUE</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Queue the packet to a user-space application such as
|
||||
ftwall (http://p2pwall.sf.net). The application may reinsert
|
||||
the packet for further processing.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis
|
||||
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
|
||||
|
||||
<listitem>
|
||||
<para>queues matching packets to a backend logging daemon via
|
||||
a netlink socket then continues to the next rule. See <ulink
|
||||
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">NFQUEUE</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Queues the packet to a user-space application using the
|
||||
nfnetlink_queue mechanism. If a
|
||||
<replaceable>queuenumber</replaceable> is not specified, queue
|
||||
zero (0) is assumed.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">COMMENT</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>the rest of the line will be attached as a comment to
|
||||
the Netfilter rule(s) generated by the following entries. The
|
||||
comment will appear delimited by "/* ... */" in the output of
|
||||
"shorewall6 show <chain>". To stop the comment from
|
||||
being attached to further rules, simply include COMMENT on a
|
||||
line by itself.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>action</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of an <emphasis>action</emphasis> declared in
|
||||
<ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
|
||||
in /usr/share/shorewall6/actions.std.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis>macro</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>The name of a macro defined in a file named
|
||||
macro.<emphasis>macro</emphasis>. If the macro accepts an
|
||||
action parameter (Look at the macro source to see if it has
|
||||
PARAM in the TARGET column) then the
|
||||
<emphasis>macro</emphasis> name is followed by the
|
||||
parenthesized <emphasis>target</emphasis> (<emphasis
|
||||
role="bold">ACCEPT</emphasis>, <emphasis
|
||||
role="bold">DROP</emphasis>, <emphasis
|
||||
role="bold">REJECT</emphasis>, ...) to be substituted for the
|
||||
parameter.</para>
|
||||
|
||||
<para>Example: FTP(ACCEPT).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
|
||||
followed by ":" and a syslog log level (e.g, REJECT:info or
|
||||
Web(ACCEPT):debug). This causes the packet to be logged at the
|
||||
specified level.</para>
|
||||
|
||||
<para>If the <emphasis role="bold">ACTION</emphasis> names an
|
||||
<emphasis>action</emphasis> declared in <ulink
|
||||
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
|
||||
/usr/share/shorewall6/actions.std then:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If the log level is followed by "!' then all rules in the
|
||||
action are logged at the log level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If the log level is not followed by "!" then only those
|
||||
rules in the action that do not specify logging are logged at
|
||||
the specified level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The special log level <emphasis
|
||||
role="bold">none!</emphasis> suppresses logging by the
|
||||
action.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
|
||||
(must be in upper case) as a log level.This will log to the NFLOG
|
||||
target for routing to a separate log through use of ulogd (<ulink
|
||||
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
|
||||
|
||||
<para>Actions specifying logging may be followed by a log tag (a
|
||||
string of alphanumeric characters) which is appended to the string
|
||||
generated by the LOGPREFIX (in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>For the remaining columns, see <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Example</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term>Example 1:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Drop Teredo packets from the net.</para>
|
||||
|
||||
<programlisting>DROP net:[2001::/32] all</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>Example 2:</term>
|
||||
|
||||
<listitem>
|
||||
<para>Don't subject packets from 2001:DB8::/64 to the remaining
|
||||
rules in the file.</para>
|
||||
|
||||
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>FILES</title>
|
||||
|
||||
<para>/etc/shorewall6/blrules</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See ALSO</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
|
||||
|
||||
<para><ulink
|
||||
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
|
||||
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-route_rules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
@ -43,9 +43,13 @@
|
||||
<term><emphasis role="bold">BLACKLIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.25. Rules in this
|
||||
section are applied depending on the setting of BLACKLISTNEWONLY in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
<para>This section was added in Shorewall 4.4.25 and is only
|
||||
permitted when BLACKLISTSECTION=Yes in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
|
||||
<para>Rules in this section are applied depending on the setting of
|
||||
BLACKLISTNEWONLY in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the
|
||||
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
|
||||
they are applied to connections in the NEW and INVALID
|
||||
|
@ -308,6 +308,19 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
|
||||
zone-specific blacklisting rules are placed in the BLACKLIST section
|
||||
of <ulink url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
|
||||
When set to No, zone-specific blacklisting rules are place in <ulink
|
||||
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
|
||||
role="bold">Yes</emphasis>|<emphasis
|
||||
|
Loading…
Reference in New Issue
Block a user