diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 694c2ae61..7934443a7 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -569,6 +569,7 @@ sub initialize( $ ) {
COMPLETE => undef,
EXPORTMODULES => undef,
LEGACY_FASTSTART => undef,
+ BLACKLISTSECTION => undef,
#
# Packet Disposition
#
@@ -3693,6 +3694,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
+ default_yes_no 'BLACKLISTSECTION' , 'Yes';
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 08bc7b290..75a8110db 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1741,7 +1741,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
#
# We can now dispense with the postfix character
#
- fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
+ if ( $action =~ s/[\+\-!]$// && $blacklist ) {
+ if ( $config{BLACKLISTSECTION} ) {
+ fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section";
+ } else {
+ fatal_error "The +, - and ! modifiers are not allowed in the blrules file";
+ }
+ }
#
# Handle actions
#
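Review bot: The two fatal_error calls in the new if/else differ only in where the blacklist rules live, and the identical if/else is repeated in the WHITELIST entry of the hunk at @@ -1801; computing the location once keeps the two messages from drifting apart, e.g. `my $where = $config{BLACKLISTSECTION} ? 'the BLACKLIST section' : 'the blrules file';` followed by `fatal_error "The +, - and ! modifiers are not allowed in $where" if $action =~ s/[\+\-!]$// && $blacklist;`. Note that the substitution still runs before `$blacklist` is tested, so the trailing modifier is stripped in non-blacklist context exactly as it was before this change. process_rule1 starts and ends outside this hunk.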
@@ -1789,7 +1795,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$bt =~ s/[-+!]$//;
- my %functions = ( REDIRECT => sub () {
+ my %functions = (ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+ REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) {
$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
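Review bot: The new ACCEPT entry rewrites the action to RETURN whenever `$blacklist` is set, which is what makes ACCEPT behave like WHITELIST and CONTINUE in the BLACKLIST section and the blrules file (the blrules manpage added in this commit documents all three as exempting the packet from the remaining rules in that file), but nothing in the code says so. A comment on that line such as `# In blacklist context ACCEPT (like WHITELIST/CONTINUE) only exempts the packet from the remaining blacklist rules` would save the next reader a trip to the manpage. The empty prototype in `sub()` adds nothing for an anonymous sub stored in a hash, and the neighbouring entries mix `sub ()` and `sub {`, so one form should be used throughout. The %functions table continues past the end of this hunk.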
@@ -1801,8 +1808,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
} ,
REJECT => sub { $action = 'reject'; } ,
CONTINUE => sub { $action = 'RETURN'; } ,
- WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist;
- $action = 'RETURN'; } ,
+ WHITELIST => sub {
+ unless ( $blacklist ) {
+ if ( $config{BLACKLISTSECTION} ) {
+ fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section";
+ } else {
+ fatal_error "'WHITELIST' may only be used in the blrules file";
+ }
+ }
+
+ $action = 'RETURN'; } ,
COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
);
@@ -2276,7 +2291,9 @@ sub process_section ($) {
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
$sections{$sect} = 1;
- if ( $sect eq 'ALL' ) {
+ if ( $sect eq 'BLACKLIST' ) {
+ fatal_error "A BLACKLIST section is not allowed when BLACKLISTSECTION=No" unless $config{BLACKLISTSECTION};
+ } elsif ( $sect eq 'ALL' ) {
$sections{BLACKLIST} = 1;
} elsif ( $sect eq 'ESTABLISHED' ) {
$sections{'BLACKLIST','ALL'} = ( 1, 1);
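Review bot: The context line `$sections{'BLACKLIST','ALL'} = ( 1, 1);` is not a hash slice: with the scalar `$` sigil Perl joins the two keys with `$;` into one key and assigns it 1, so neither `$sections{BLACKLIST}` nor `$sections{ALL}` is marked when ESTABLISHED is seen, and the "Duplicate or out of order SECTION" check just above cannot reject a BLACKLIST or ALL section placed after ESTABLISHED. Unless that joined key is read back in the same form elsewhere (not visible in this hunk), the intended form is `@sections{'BLACKLIST','ALL'} = ( 1, 1 );`. The line is pre-existing, but the new elsif chain touches exactly this ordering logic, so this commit is the natural place to fix it. process_section's body continues outside the hunk.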
@@ -2433,6 +2450,20 @@ sub process_rule ( ) {
#
sub process_rules() {
+ unless ( $config{BLACKLISTSECTION} ) {
+ my $fn = open_file 'blrules';
+
+ if ( $fn ) {
+ first_entry "$doing $fn...";
+
+ $section = 'BLACKLIST';
+
+ process_rule while read_a_line;
+
+ $section = '';
+ }
+ }
+
my $fn = open_file 'rules';
if ( $fn ) {
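Review bot: When BLACKLISTSECTION=Yes (the default set by default_yes_no in Config.pm), an existing blrules file is never opened, so rules an administrator put there are silently not compiled, and for a blacklist that means traffic meant to be dropped passes without any message; the `unless` block should be paired with an `else` that at least warns when a blrules file is present but ignored (Config.pm's warning and file-lookup helpers would serve; I have not verified their names from this hunk). A short comment above the block stating the why would also help, e.g. `# With BLACKLISTSECTION=No the blrules file replaces the BLACKLIST section of 'rules' and is processed before the rules file`. process_rules starts at the top of this hunk but its body continues beyond it.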
diff --git a/manpages/shorewall-blrules.xml b/manpages/shorewall-blrules.xml
new file mode 100644
index 000000000..151f1dd6a
--- /dev/null
+++ b/manpages/shorewall-blrules.xml
@@ -0,0 +1,291 @@
+
+
+
+
+ shorewall-blrules
+
+ 5
+
+
+
+ blrules
+
+ shorewall Blacklist file
+
+
+
+
+ /etc/shorewall6/blrules
+
+
+
+
+ Description
+
+ This file is used to perform blacklisting and whitelisting when
+ BLACKLISTSECTION=No in shorewall.conf(5)l.
+
+ Rules in this file are applied depending on the setting of
+ BLACKLISTNEWONLY in shorewall.conf(5). If
+ BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+ tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+ connections in the NEW and INVALID states.
+
+ The format of rules in this file is the same as the format of rules
+ in shorewall-rules (5). The
+ differece in the two files lies in the ACTION (first) column.
+
+
+
+ ACTION- {ACCEPT|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIES|LOG|QUEUE|NFQUEUE[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
+
+
+ Specifies the action to be taken if the packet matches the
+ rule. Must be one of the following.
+
+
+
+ ACCEPT|CONTINUE|WHITELIST
+
+
+ Exempt the packet from the remaining rules in this
+ file.
+
+
+
+
+ DROP
+
+
+ Ignore the packet.
+
+
+
+
+ A_DROP and A_DROP!
+
+
+ Audited versions of DROP. Requires AUDIT_TARGET support
+ in the kernel and ip6tables.
+
+
+
+
+ REJECT
+
+
+ disallow the packet and return an icmp-unreachable or an
+ RST packet.
+
+
+
+
+ A_REJECT
+
+
+ Audited versions of REJECT. Require AUDIT_TARGET support
+ in the kernel and ip6tables.
+
+
+
+
+ LOG
+
+
+ Simply log the packet and continue with the next
+ rule.
+
+
+
+
+ QUEUE
+
+
+ Queue the packet to a user-space application such as
+ ftwall (http://p2pwall.sf.net). The application may reinsert
+ the packet for further processing.
+
+
+
+
+ NFLOG[(nflog-parameters)]
+
+
+ queues matching packets to a backend logging daemon via
+ a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html.
+
+
+
+
+ NFQUEUE
+
+
+ Queues the packet to a user-space application using the
+ nfnetlink_queue mechanism. If a
+ queuenumber is not specified, queue
+ zero (0) is assumed.
+
+
+
+
+ COMMENT
+
+
+ the rest of the line will be attached as a comment to
+ the Netfilter rule(s) generated by the following entries. The
+ comment will appear delimited by "/* ... */" in the output of
+ "shorewall6 show <chain>". To stop the comment from
+ being attached to further rules, simply include COMMENT on a
+ line by itself.
+
+
+
+
+ action
+
+
+ The name of an action declared in
+ shorewall-actions(5) or
+ in /usr/share/shorewall6/actions.std.
+
+
+
+
+ macro
+
+
+ The name of a macro defined in a file named
+ macro.macro. If the macro accepts an
+ action parameter (Look at the macro source to see if it has
+ PARAM in the TARGET column) then the
+ macro name is followed by the
+ parenthesized target (ACCEPT, DROP, REJECT, ...) to be substituted for the
+ parameter.
+
+ Example: FTP(ACCEPT).
+
+
+
+
+ The ACTION may optionally be
+ followed by ":" and a syslog log level (e.g, REJECT:info or
+ Web(ACCEPT):debug). This causes the packet to be logged at the
+ specified level.
+
+ If the ACTION names an
+ action declared in shorewall-actions(5) or in
+ /usr/share/shorewall6/actions.std then:
+
+
+
+ If the log level is followed by "!' then all rules in the
+ action are logged at the log level.
+
+
+
+ If the log level is not followed by "!" then only those
+ rules in the action that do not specify logging are logged at
+ the specified level.
+
+
+
+ The special log level none! suppresses logging by the
+ action.
+
+
+
+ You may also specify NFLOG
+ (must be in upper case) as a log level.This will log to the NFLOG
+ target for routing to a separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
+
+ Actions specifying logging may be followed by a log tag (a
+ string of alphanumeric characters) which is appended to the string
+ generated by the LOGPREFIX (in shorewall.conf(5)).
+
+
+
+
+ For the remaining columns, see shorewall6-rules (5).
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Disallow SMTP from the local zone to the net zone.
+
+ DROP loc net tcp 25
+
+
+
+
+ Example 2:
+
+
+ Don't subject packets from 192.0.2.0/24 to the remaining rules
+ in the file.
+
+ WHITELIST net:192.0.2.0/24 all
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/blrules
+
+
+
+ See ALSO
+
+ http://shorewall.net/blacklisting_support.htm
+
+ http://shorewall.net/configuration_file_basics.htm#Pairs
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+ shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index 8d1d3abe5..d0c1f9379 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -331,7 +331,7 @@
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.
- The BLACKLIST_DISPOSITION setting has no effect on entries in
+ The BLACKLIST_DISPOSITION setting has no effect on entries in
the BLACKLIST section of shorewall-rules (5).
@@ -361,8 +361,8 @@
When set to Yes or yes, blacklists are only consulted for new
connections. That includes entries in the BLACKLIST section of
- shorewall-rules (5).
-
+ shorewall-rules
+ (5).
When set to No or no, blacklists are consulted for every packet
@@ -377,6 +377,19 @@
+
+ BLACKLISTSECTION={Yes|No}
+
+
+ Added in Shorewall 4.4.26. When omitted or set to Yes,
+ zone-specific blacklisting rules are placed in the BLACKLIST section
+ of shorewall-rules (5).
+ When set to No, zone-specific blacklisting rules are place in shorewall-blrules (5).
+
+
+
CLAMPMSS=[Yes|
+
+
+
+ shorewall6-blrules
+
+ 5
+
+
+
+ blrules
+
+ shorewall6 Blacklist file
+
+
+
+
+ /etc/shorewall6/blrules
+
+
+
+
+ Description
+
+ This file is used to perform blacklisting and whitelisting when
+ BLACKLISTSECTION=No in shorewall6.conf(5)l.
+
+ Rules in this file are applied depending on the setting of
+ BLACKLISTNEWONLY in shorewall6.conf(5). If
+ BLACKLISTNEWONLY=No, then they are applied regardless of the connection
+ tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
+ connections in the NEW and INVALID states.
+
+ The format of rules in this file is the same as the format of rules
+ in shorewall6-rules (5). The
+ differece in the two files lies in the ACTION (first) column.
+
+
+
+ ACTION- {ACCEPT|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIES|LOG|QUEUE|NFQUEUE[(queuenumber)]|COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
+
+
+ Specifies the action to be taken if the packet matches the
+ rule. Must be one of the following.
+
+
+
+ ACCEPT|CONTINUE|WHITELIST
+
+
+ Exempt the packet from the remaining rules in this
+ file.
+
+
+
+
+ DROP
+
+
+ Ignore the packet.
+
+
+
+
+ A_DROP and A_DROP!
+
+
+ Audited versions of DROP. Requires AUDIT_TARGET support
+ in the kernel and ip6tables.
+
+
+
+
+ REJECT
+
+
+ disallow the packet and return an icmp-unreachable or an
+ RST packet.
+
+
+
+
+ A_REJECT
+
+
+ Audited versions of REJECT. Require AUDIT_TARGET support
+ in the kernel and ip6tables.
+
+
+
+
+ LOG
+
+
+ Simply log the packet and continue with the next
+ rule.
+
+
+
+
+ QUEUE
+
+
+ Queue the packet to a user-space application such as
+ ftwall (http://p2pwall.sf.net). The application may reinsert
+ the packet for further processing.
+
+
+
+
+ NFLOG[(nflog-parameters)]
+
+
+ queues matching packets to a backend logging daemon via
+ a netlink socket then continues to the next rule. See http://www.shorewall.net/shorewall_logging.html.
+
+
+
+
+ NFQUEUE
+
+
+ Queues the packet to a user-space application using the
+ nfnetlink_queue mechanism. If a
+ queuenumber is not specified, queue
+ zero (0) is assumed.
+
+
+
+
+ COMMENT
+
+
+ the rest of the line will be attached as a comment to
+ the Netfilter rule(s) generated by the following entries. The
+ comment will appear delimited by "/* ... */" in the output of
+ "shorewall6 show <chain>". To stop the comment from
+ being attached to further rules, simply include COMMENT on a
+ line by itself.
+
+
+
+
+ action
+
+
+ The name of an action declared in
+ shorewall6-actions(5) or
+ in /usr/share/shorewall6/actions.std.
+
+
+
+
+ macro
+
+
+ The name of a macro defined in a file named
+ macro.macro. If the macro accepts an
+ action parameter (Look at the macro source to see if it has
+ PARAM in the TARGET column) then the
+ macro name is followed by the
+ parenthesized target (ACCEPT, DROP, REJECT, ...) to be substituted for the
+ parameter.
+
+ Example: FTP(ACCEPT).
+
+
+
+
+ The ACTION may optionally be
+ followed by ":" and a syslog log level (e.g, REJECT:info or
+ Web(ACCEPT):debug). This causes the packet to be logged at the
+ specified level.
+
+ If the ACTION names an
+ action declared in shorewall6-actions(5) or in
+ /usr/share/shorewall6/actions.std then:
+
+
+
+ If the log level is followed by "!' then all rules in the
+ action are logged at the log level.
+
+
+
+ If the log level is not followed by "!" then only those
+ rules in the action that do not specify logging are logged at
+ the specified level.
+
+
+
+ The special log level none! suppresses logging by the
+ action.
+
+
+
+ You may also specify NFLOG
+ (must be in upper case) as a log level.This will log to the NFLOG
+ target for routing to a separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
+
+ Actions specifying logging may be followed by a log tag (a
+ string of alphanumeric characters) which is appended to the string
+ generated by the LOGPREFIX (in shorewall6.conf(5)).
+
+
+
+
+ For the remaining columns, see shorewall6-rules (5).
+
+
+
+ Example
+
+
+
+ Example 1:
+
+
+ Drop Teredo packets from the net.
+
+ DROP net:[2001::/32] all
+
+
+
+
+ Example 2:
+
+
+ Don't subject packets from 2001:DB8::/64 to the remaining
+ rules in the file.
+
+ WHITELIST net:[2001:DB8::/64] all
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall6/blrules
+
+
+
+ See ALSO
+
+ http://shorewall.net/blacklisting_support.htm
+
+ http://shorewall.net/configuration_file_basics.htm#Pairs
+
+ shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
+ shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+ shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+ shorewall6-providers(5), shorewall6-route_rules(5),
+ shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+ shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+ shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+ shorewall6-zones(5)
+
+
diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml
index c73a7dd66..8be2a9fd8 100644
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -43,9 +43,13 @@
BLACKLIST
- This section was added in Shorewall 4.4.25. Rules in this
- section are applied depending on the setting of BLACKLISTNEWONLY in
- shorewall.conf(5). If
+ This section was added in Shorewall 4.4.25 and is only
+ permitted when BLACKLISTSECTION=Yes in shorewall6.conf(5).
+
+ Rules in this section are applied depending on the setting of
+ BLACKLISTNEWONLY in shorewall6.conf(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID
diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml
index df6cbae97..62c7eb501 100644
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -308,6 +308,19 @@
+
+ BLACKLISTSECTION={Yes|No}
+
+
+ Added in Shorewall 4.4.26. When omitted or set to Yes,
+ zone-specific blacklisting rules are placed in the BLACKLIST section
+ of shorewall6-rules (5).
+ When set to No, zone-specific blacklisting rules are place in shorewall6-blrules (5).
+
+
+
CLAMPMSS=[Yes|