holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Convert blacklisting_support.htm to Docbook XML

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@978 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-26 19:27:27 +00:00
parent 01e6e315e0
commit 3f3e59f0ed
2 changed files with 156 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
Shorewall-docs/blacklisting_support.htm
View File

@ -1,91 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
</h1>
<p>Shorewall supports two different forms of blacklisting; static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of
blacklist filtering:<br>
</p>
<ol>
<li>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.<br>
</li>
<li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
connection requests. Blacklists may not be used to terminate existing
connections.</li>
</ol>
Only the source address is checked against the blacklists.<br>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following
configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want
checked against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
192.0.2.125</p>
<p>Example 2:</p>
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

156
Shorewall-docs/blacklisting_support.xml Normal file
View File

@ -0,0 +1,156 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>Shorewall Blacklisting Support</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-11-14</pubdate>
<copyright>
<year>2002-2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Shorewall supports two different forms of blacklisting; static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of blacklist
filtering:</para>
<orderedlist>
<listitem>
<para>BLACKLISTNEWONLY=No --&#x00A0; All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.</para>
</listitem>
<listitem>
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate
existing connections. Only the source address is checked against the
blacklists.</para>
</listitem>
</orderedlist>
<para>Only the source address is checked against the blacklists.</para>
</section>
<section>
<title>Static Blacklisting</title>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="Documentation.htm#Config">/etc/shorewall/shorewall.conf.</ulink></para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink url="Documentation.htm#Config">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in
<ulink url="Documentation.htm#Blacklist">/etc/shorewall/blacklist</ulink>.
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and Port numbers/Service names in the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the &#34;blacklist&#34; option in
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
</listitem>
<listitem>
<para>The black list is refreshed from /etc/shorewall/blacklist by the
&#34;<ulink url="starting_and_stopping_shorewall.htm">shorewall
refresh</ulink>&#34; command.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Dynamic Blacklisting</title>
<para>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn&#39;t use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</para>
<itemizedlist>
<listitem>
<para>drop <emphasis>&#60;ip address list&#62;</emphasis> - causes
packets from the listed IP addresses to be silently dropped by the
firewall.</para>
</listitem>
<listitem>
<para>reject <emphasis>&#60;ip address list&#62;</emphasis> - causes
packets from the listed IP addresses to be rejected by the firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&#60;ip address list&#62;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting configuration.</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the &#34;blacklist&#34;
option in /etc/shorewall/interfaces.</para>
<example>
<title>Ingore packets from a pair if systems</title>
<programlisting> shorewall drop 192.0.2.124 192.0.2.125</programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example>
<title>Re-enable packetes from a system</title>
<programlisting> shorewall allow 192.0.2.125</programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
</section>
</article>