Add 'blacklist' command to /sbin/shorewall.

Correct 'try' command. Update rfc1918 per Suggestion from Andy Wiggin git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@56 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2002-06-04 15:08:50 +00:00 · 2002-06-04 15:08:50 +00:00 · 5c9562c20a
commit 5c9562c20a
parent e8c2fb53dc
2 changed files with 35 additions and 20 deletions
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@ -20,11 +20,20 @@
 ###############################################################################
 #SUBNET			TARGET
 255.255.255.255		RETURN		# We need to allow limited broadcast
+169.254.0.0/16		DROP		# DHCP autoconfig
+172.16.0.0/12		logdrop		# RFC 1918
+192.0.2.0/24		logdrop		# Example addresses
+192.168.0.0/16		logdrop		# RFC 1918
+#
+# The following are generated using the Python program found at:
+#
+#	http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
 0.0.0.0/7		logdrop		# Reserved
 2.0.0.0/8		logdrop		# Reserved
 5.0.0.0/8		logdrop		# Reserved
 7.0.0.0/8		logdrop		# Reserved
-10.0.0.0/8		logdrop		# RFC 1918
+10.0.0.0/8		logdrop		# Reserved
 23.0.0.0/8		logdrop		# Reserved
 27.0.0.0/8		logdrop		# Reserved
 31.0.0.0/8		logdrop		# Reserved
@ -41,11 +50,11 @@
 84.0.0.0/6		logdrop		# Reserved
 88.0.0.0/5		logdrop		# Reserved
 96.0.0.0/3		logdrop		# Reserved
-169.254.0.0/16		DROP		# DHCP autoconfig
-192.0.2.0/24		logdrop		# Example addresses
-192.168.0.0/16		logdrop		# RFC 1918
-172.16.0.0/12		logdrop		# RFC 1918
+197.0.0.0/8		logdrop		# Reserved
 221.0.0.0/8		logdrop		# Reserved
 222.0.0.0/7		logdrop		# Reserved
 240.0.0.0/4		logdrop		# Reserved
+#
+# End of generated entries
+#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -66,6 +66,10 @@
 #						   standard configuration after that many
 #						   seconds have elapsed after successfully
 #						   starting the new configuration.
+#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
+#						   messages.
+#	   shorewall blacklist <address> ...       Temporarily blacklist the listed
+#						   address(es)
 #
 # Display a chain if it exists
 #
@ -402,6 +406,7 @@ usage() # $1 = exit status
    echo "   check"
    echo "   try <directory> [ <timeout> ]"
    echo "   logwatch [<refresh interval>]"
+    echo "   blacklist <address> ..."
    exit $1
 }

@ -449,7 +454,7 @@ while [ $done -eq 0 ]; do
    esac
 done

-if [ $# -eq 0 ] || [ $# -gt 3 ]; then
+if [ $# -eq 0 ]; then
    usage 1
 fi

@ -597,8 +602,11 @@ case "$1" in
    try)
 	[ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
 	[ $# -lt 2 -o $# -gt 3 ] && usage 1
-	$0 -c $2 restart
-	if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+	if ! $0 -c $2 restart; then
+	    if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+		$0 start
+	    fi
+	elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
 	    $0 start
 	elif [ $# -eq 3 ]; then
 	    sleep $3
@ -614,19 +622,17 @@ case "$1" in
 	    usage 1
 	fi
        ;;
+    blacklist)
+    	[ $# -eq 1 ] && usage 1
+	mutex_on
+	while [ $# -gt 1 ]; do
+	    shift
+	    iptables -A blacklst -s $1 -j DROP || break 1
+	    echo "$1 Temporarily Blacklisted"
+	done
+	mutex_off
+	;;
    *)
 	usage 1
 	;;
 esac 
-
-
-
-
-
-
-
-
-
-
-
-