Implement the BLACKLISTSECTION option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-11-06 08:43:38 -08:00
parent 755ed9859b
commit 1091c24348
7 changed files with 656 additions and 11 deletions


@ -569,6 +569,7 @@ sub initialize( $ ) {
COMPLETE => undef, COMPLETE => undef,
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef, LEGACY_FASTSTART => undef,
BLACKLISTSECTION => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -3693,6 +3694,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'BLACKLISTSECTION' , 'Yes';
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};


@ -1741,7 +1741,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# #
# We can now dispense with the postfix character # We can now dispense with the postfix character
# #
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist; if ( $action =~ s/[\+\-!]$// && $blacklist ) {
if ( $config{BLACKLISTSECTION} ) {
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section";
} else {
fatal_error "The +, - and ! modifiers are not allowed in the blrules file";
}
}
# #
# Handle actions # Handle actions
# #
@ -1789,7 +1795,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$bt =~ s/[-+!]$//; $bt =~ s/[-+!]$//;
my %functions = ( REDIRECT => sub () { my %functions = (ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
REDIRECT => sub () {
my $z = $actiontype & NATONLY ? '' : firewall_zone; my $z = $actiontype & NATONLY ? '' : firewall_zone;
if ( $dest eq '-' ) { if ( $dest eq '-' ) {
$dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports ); $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@ -1801,8 +1808,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
} , } ,
REJECT => sub { $action = 'reject'; } , REJECT => sub { $action = 'reject'; } ,
CONTINUE => sub { $action = 'RETURN'; } , CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist; WHITELIST => sub {
$action = 'RETURN'; } , unless ( $blacklist ) {
if ( $config{BLACKLISTSECTION} ) {
fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section";
} else {
fatal_error "'WHITELIST' may only be used in the blrules file";
}
}
$action = 'RETURN'; } ,
COUNT => sub { $action = ''; } , COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } , LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
); );
@ -2276,7 +2291,9 @@ sub process_section ($) {
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
$sections{$sect} = 1; $sections{$sect} = 1;
if ( $sect eq 'ALL' ) { if ( $sect eq 'BLACKLIST' ) {
fatal_error "A BLACKLIST section is not allowed when BLACKLISTSECTION=No" unless $config{BLACKLISTSECTION};
} elsif ( $sect eq 'ALL' ) {
$sections{BLACKLIST} = 1; $sections{BLACKLIST} = 1;
} elsif ( $sect eq 'ESTABLISHED' ) { } elsif ( $sect eq 'ESTABLISHED' ) {
$sections{'BLACKLIST','ALL'} = ( 1, 1); $sections{'BLACKLIST','ALL'} = ( 1, 1);
@ -2433,6 +2450,20 @@ sub process_rule ( ) {
# #
sub process_rules() { sub process_rules() {
unless ( $config{BLACKLISTSECTION} ) {
my $fn = open_file 'blrules';
if ( $fn ) {
first_entry "$doing $fn...";
$section = 'BLACKLIST';
process_rule while read_a_line;
$section = '';
}
}
my $fn = open_file 'rules'; my $fn = open_file 'rules';
if ( $fn ) { if ( $fn ) {
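Review bot: In the process_section hunk, the unchanged line `$sections{'BLACKLIST','ALL'} = ( 1, 1);` uses the scalar `$` sigil, so Perl stores a single key built by joining both names with `$;` and never marks BLACKLIST or ALL as seen. After `SECTION ESTABLISHED`, a later `SECTION BLACKLIST` or `SECTION ALL` therefore passes the "Duplicate or out of order SECTION" check. That matters more now that the first branch of this chain decides whether a BLACKLIST section is permitted at all. It should be a hash slice: `@sections{'BLACKLIST','ALL'} = ( 1, 1 );`. The rest of process_section lies outside the hunk, so any later branches written the same way would presumably need the same fix.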


@ -0,0 +1,291 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-blrules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>blrules</refname>
<refpurpose>shorewall Blacklist file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/blrules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to perform blacklisting and whitelisting when
BLACKLISTSECTION=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)l.</para>
<para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
differece in the two files lies in the ACTION (first) column.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION- {<emphasis
role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
role="bold">WHITELIES</emphasis>|<emphasis
role="bold">LOG</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
role="bold">)</emphasis>]<emphasis
role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
role="bold">)</emphasis>]}<emphasis
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
role="bold">!</emphasis></emphasis>][<emphasis
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
<listitem>
<para>Specifies the action to be taken if the packet matches the
rule. Must be one of the following.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
<listitem>
<para>Exempt the packet from the remaining rules in this
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
<listitem>
<para>Ignore the packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<listitem>
<para>Audited versions of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
<listitem>
<para>disallow the packet and return an icmp-unreachable or an
RST packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_REJECT</term>
<listitem>
<para>Audited versions of REJECT. Require AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOG</emphasis></term>
<listitem>
<para>Simply log the packet and continue with the next
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term>
<listitem>
<para>Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net). The application may reinsert
the packet for further processing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">COMMENT</emphasis></term>
<listitem>
<para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall6 show &lt;chain&gt;". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>action</emphasis></term>
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>macro</emphasis></term>
<listitem>
<para>The name of a macro defined in a file named
macro.<emphasis>macro</emphasis>. If the macro accepts an
action parameter (Look at the macro source to see if it has
PARAM in the TARGET column) then the
<emphasis>macro</emphasis> name is followed by the
parenthesized <emphasis>target</emphasis> (<emphasis
role="bold">ACCEPT</emphasis>, <emphasis
role="bold">DROP</emphasis>, <emphasis
role="bold">REJECT</emphasis>, ...) to be substituted for the
parameter.</para>
<para>Example: FTP(ACCEPT).</para>
</listitem>
</varlistentry>
</variablelist>
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
followed by ":" and a syslog log level (e.g, REJECT:info or
Web(ACCEPT):debug). This causes the packet to be logged at the
specified level.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
<itemizedlist>
<listitem>
<para>If the log level is followed by "!' then all rules in the
action are logged at the log level.</para>
</listitem>
<listitem>
<para>If the log level is not followed by "!" then only those
rules in the action that do not specify logging are logged at
the specified level.</para>
</listitem>
<listitem>
<para>The special log level <emphasis
role="bold">none!</emphasis> suppresses logging by the
action.</para>
</listitem>
</itemizedlist>
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
(must be in upper case) as a log level.This will log to the NFLOG
target for routing to a separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
</variablelist>
<para>For the remaining columns, see <ulink
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Disallow SMTP from the local zone to the net zone.</para>
<programlisting>DROP loc net tcp 25</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Don't subject packets from 192.0.2.0/24 to the remaining rules
in the file.</para>
<programlisting>WHITELIST net:192.0.2.0/24 all</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/blrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
<para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>


@ -331,7 +331,7 @@
respectively and were added in Shorewall 4.4.20. They require respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para> AUDIT_TARGET in the kernel and iptables.</para>
<para> The BLACKLIST_DISPOSITION setting has no effect on entries in <para>The BLACKLIST_DISPOSITION setting has no effect on entries in
the BLACKLIST section of <ulink the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para> url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem> </listitem>
@ -361,8 +361,8 @@
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. That includes entries in the BLACKLIST section of connections. That includes entries in the BLACKLIST section of
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5). <ulink url="shorewall-rules.html">shorewall-rules</ulink>
</para> (5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet role="bold">no</emphasis>, blacklists are consulted for every packet
@ -377,6 +377,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
zone-specific blacklisting rules are placed in the BLACKLIST section
of <ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
When set to No, zone-specific blacklisting rules are place in <ulink
url="shorewall-blrules.html">shorewall-blrules</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis


@ -0,0 +1,291 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-blrules</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>blrules</refname>
<refpurpose>shorewall6 Blacklist file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall6/blrules</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file is used to perform blacklisting and whitelisting when
BLACKLISTSECTION=No in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)l.</para>
<para>Rules in this file are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the connection
tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to
connections in the NEW and INVALID states.</para>
<para>The format of rules in this file is the same as the format of rules
in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The
differece in the two files lies in the ACTION (first) column.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ACTION- {<emphasis
role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
role="bold">WHITELIES</emphasis>|<emphasis
role="bold">LOG</emphasis>|<emphasis
role="bold">QUEUE</emphasis>|<emphasis
role="bold">NFQUEUE</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
role="bold">)</emphasis>]<emphasis
role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
role="bold">(</emphasis><emphasis>target</emphasis><emphasis
role="bold">)</emphasis>]}<emphasis
role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
role="bold">!</emphasis></emphasis>][<emphasis
role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term>
<listitem>
<para>Specifies the action to be taken if the packet matches the
rule. Must be one of the following.</para>
<variablelist>
<varlistentry>
<term><emphasis
role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
<listitem>
<para>Exempt the packet from the remaining rules in this
file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DROP</emphasis></term>
<listitem>
<para>Ignore the packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_DROP and A_DROP!</term>
<listitem>
<para>Audited versions of DROP. Requires AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">REJECT</emphasis></term>
<listitem>
<para>disallow the packet and return an icmp-unreachable or an
RST packet.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>A_REJECT</term>
<listitem>
<para>Audited versions of REJECT. Require AUDIT_TARGET support
in the kernel and ip6tables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">LOG</emphasis></term>
<listitem>
<para>Simply log the packet and continue with the next
rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">QUEUE</emphasis></term>
<listitem>
<para>Queue the packet to a user-space application such as
ftwall (http://p2pwall.sf.net). The application may reinsert
the packet for further processing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
<listitem>
<para>queues matching packets to a backend logging daemon via
a netlink socket then continues to the next rule. See <ulink
url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">NFQUEUE</emphasis></term>
<listitem>
<para>Queues the packet to a user-space application using the
nfnetlink_queue mechanism. If a
<replaceable>queuenumber</replaceable> is not specified, queue
zero (0) is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">COMMENT</emphasis></term>
<listitem>
<para>the rest of the line will be attached as a comment to
the Netfilter rule(s) generated by the following entries. The
comment will appear delimited by "/* ... */" in the output of
"shorewall6 show &lt;chain&gt;". To stop the comment from
being attached to further rules, simply include COMMENT on a
line by itself.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>action</emphasis></term>
<listitem>
<para>The name of an <emphasis>action</emphasis> declared in
<ulink
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
in /usr/share/shorewall6/actions.std.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis>macro</emphasis></term>
<listitem>
<para>The name of a macro defined in a file named
macro.<emphasis>macro</emphasis>. If the macro accepts an
action parameter (Look at the macro source to see if it has
PARAM in the TARGET column) then the
<emphasis>macro</emphasis> name is followed by the
parenthesized <emphasis>target</emphasis> (<emphasis
role="bold">ACCEPT</emphasis>, <emphasis
role="bold">DROP</emphasis>, <emphasis
role="bold">REJECT</emphasis>, ...) to be substituted for the
parameter.</para>
<para>Example: FTP(ACCEPT).</para>
</listitem>
</varlistentry>
</variablelist>
<para>The <emphasis role="bold">ACTION</emphasis> may optionally be
followed by ":" and a syslog log level (e.g, REJECT:info or
Web(ACCEPT):debug). This causes the packet to be logged at the
specified level.</para>
<para>If the <emphasis role="bold">ACTION</emphasis> names an
<emphasis>action</emphasis> declared in <ulink
url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
/usr/share/shorewall6/actions.std then:</para>
<itemizedlist>
<listitem>
<para>If the log level is followed by "!' then all rules in the
action are logged at the log level.</para>
</listitem>
<listitem>
<para>If the log level is not followed by "!" then only those
rules in the action that do not specify logging are logged at
the specified level.</para>
</listitem>
<listitem>
<para>The special log level <emphasis
role="bold">none!</emphasis> suppresses logging by the
action.</para>
</listitem>
</itemizedlist>
<para>You may also specify <emphasis role="bold">NFLOG</emphasis>
(must be in upper case) as a log level.This will log to the NFLOG
target for routing to a separate log through use of ulogd (<ulink
url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>
<para>Actions specifying logging may be followed by a log tag (a
string of alphanumeric characters) which is appended to the string
generated by the LOGPREFIX (in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
</listitem>
</varlistentry>
</variablelist>
<para>For the remaining columns, see <ulink
url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>Drop Teredo packets from the net.</para>
<programlisting>DROP net:[2001::/32] all</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>Don't subject packets from 2001:DB8::/64 to the remaining
rules in the file.</para>
<programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall6/blrules</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
<para><ulink
url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>


@ -43,9 +43,13 @@
<term><emphasis role="bold">BLACKLIST</emphasis></term> <term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem> <listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this <para>This section was added in Shorewall 4.4.25 and is only
section are applied depending on the setting of BLACKLISTNEWONLY in permitted when BLACKLISTSECTION=Yes in <ulink
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>Rules in this section are applied depending on the setting of
BLACKLISTNEWONLY in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID they are applied to connections in the NEW and INVALID


@ -308,6 +308,19 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">BLACKLISTSECTION=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.4.26. When omitted or set to Yes,
zone-specific blacklisting rules are placed in the BLACKLIST section
of <ulink url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
When set to No, zone-specific blacklisting rules are place in <ulink
url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis <term><emphasis role="bold">CLAMPMSS=[</emphasis><emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis