From 5c9562c20a42f573c58ef40b2d1658396a84adf7 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 4 Jun 2002 15:08:50 +0000
Subject: [PATCH] Add 'blacklist' command to /sbin/shorewall. Correct 'try' command. Update rfc1918 per Suggestion from Andy Wiggin
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@56 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/rfc1918 | 19 ++++++++++++++-----
 Shorewall/shorewall | 36 +++++++++++++++++++++---------------
 2 files changed, 35 insertions(+), 20 deletions(-)
diff --git a/Shorewall/rfc1918 b/Shorewall/rfc1918
index d2dffb431..0b6532c98 100644
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@@ -20,11 +20,20 @@
 ###############################################################################
 #SUBNET TARGET
 255.255.255.255 RETURN # We need to allow limited broadcast
+169.254.0.0/16 DROP # DHCP autoconfig
+172.16.0.0/12 logdrop # RFC 1918
+192.0.2.0/24 logdrop # Example addresses
+192.168.0.0/16 logdrop # RFC 1918
+#
+# The following are generated using the Python program found at:
+#
+# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
 0.0.0.0/7 logdrop # Reserved
 2.0.0.0/8 logdrop # Reserved
 5.0.0.0/8 logdrop # Reserved
 7.0.0.0/8 logdrop # Reserved
-10.0.0.0/8 logdrop # RFC 1918
+10.0.0.0/8 logdrop # Reserved
 23.0.0.0/8 logdrop # Reserved
 27.0.0.0/8 logdrop # Reserved
 31.0.0.0/8 logdrop # Reserved
@@ -41,11 +50,11 @@
 84.0.0.0/6 logdrop # Reserved
 88.0.0.0/5 logdrop # Reserved
 96.0.0.0/3 logdrop # Reserved
-169.254.0.0/16 DROP # DHCP autoconfig
-192.0.2.0/24 logdrop # Example addresses
-192.168.0.0/16 logdrop # RFC 1918
-172.16.0.0/12 logdrop # RFC 1918
+197.0.0.0/8 logdrop # Reserved
 221.0.0.0/8 logdrop # Reserved
 222.0.0.0/7 logdrop # Reserved
 240.0.0.0/4 logdrop # Reserved
+#
+# End of generated entries
+#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index e21668a66..cdb7176ce 100755
--- a/Shorewall/shorewall
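Review bot: The regenerated `+10.0.0.0/8 logdrop # Reserved` line in the first rfc1918 hunk mislabels an RFC 1918 private network as an IANA-reserved block, while its siblings 172.16.0.0/12 and 192.168.0.0/16 are moved above the generated section and keep their `# RFC 1918` comment. An administrator whose internal network uses 10/8 will look for that entry among the RFC 1918 lines to remove it, and because the new header comment says the block that follows is machine-generated, a wrong comment inside it is presumably overwritten again on the next regeneration. I would keep `10.0.0.0/8 logdrop # RFC 1918` together with the other two private ranges above the generated block and exclude it from the generator's output so a regeneration cannot clobber the hand-maintained entry.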
+++ b/Shorewall/shorewall
@@ -66,6 +66,10 @@
 # standard configuration after that many
 # seconds have elapsed after successfully
 # starting the new configuration.
+# shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
+# messages.
+# shorewall blacklist
... Temporarily blacklist the listed
+# address(es)
 #
 # Display a chain if it exists
 #
@@ -402,6 +406,7 @@ usage() # $1 = exit status
 echo " check"
 echo " try [ ]"
 echo " logwatch []"
+ echo " blacklist
..."
 exit $1
 }
@@ -449,7 +454,7 @@ while [ $done -eq 0 ]; do
 esac
 done
-if [ $# -eq 0 ] || [ $# -gt 3 ]; then
+if [ $# -eq 0 ]; then
 usage 1
 fi
@@ -597,8 +602,11 @@ case "$1" in
 try)
 [ -n "$SHOREWALL_DIR" ] && startup_error "Error: -c option may not be used with \"try\""
 [ $# -lt 2 -o $# -gt 3 ] && usage 1
- $0 -c $2 restart
- if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+ if ! $0 -c $2 restart; then
+ if ! iptables -L shorewall > /dev/null 2> /dev/null; then
+ $0 start
+ fi
+ elif ! iptables -L shorewall > /dev/null 2> /dev/null; then
 $0 start
 elif [ $# -eq 3 ]; then
 sleep $3
@@ -614,19 +622,17 @@ case "$1" in
 usage 1
 fi
 ;;
+ blacklist)
+ [ $# -eq 1 ] && usage 1
+ mutex_on
+ while [ $# -gt 1 ]; do
+ shift
+ iptables -A blacklst -s $1 -j DROP || break 1
+ echo "$1 Temporarily Blacklisted"
+ done
+ mutex_off
+ ;;
 *)
 usage 1
 ;;
 esac
-
-
-
-
-
-
-
-
-
-
-
-
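Review bot: Dropping the `[ $# -gt 3 ]` ceiling from the global argument check means every command arm must now enforce its own argument count, and in this commit only `try` (`[ $# -lt 2 -o $# -gt 3 ] && usage 1`) and `blacklist` (`[ $# -eq 1 ] && usage 1`) do so. The remaining arms are outside this hunk, so I can only infer that single-word commands will now silently accept stray trailing arguments the old check rejected, which usually hides a typo such as a misplaced option. Each such arm should reject extras itself, e.g. `[ $# -eq 1 ] || usage 1` as its first line.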
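Review bot: `if ! $0 -c $2 restart; then` passes the configuration directory unquoted, so a path containing whitespace or glob characters is word-split before it reaches the child invocation; write `if ! $0 -c "$2" restart; then`. The new nesting also repeats the `iptables -L shorewall` probe and the `$0 start` fallback in both outcomes of the restart, so running the restart first, saving its status, and testing the chain once would express the same three cases in a flatter shape. The `elif [ $# -eq 3 ]` branch continues past the end of this hunk, so I have not proposed a rewrite of the whole arm.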
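Review bot: `iptables -A blacklst -s $1 -j DROP || break 1` passes each address unquoted and, on failure, leaves the loop silently: nothing is printed, the remaining addresses are skipped, and control still falls through `mutex_off` to a normal exit, so a caller cannot tell that some or all of the addresses were not blacklisted. The only validation is whatever iptables applies to `-s`; as far as I know iptables also accepts a host name there and resolves it when the rule is inserted, so a hand-typed name produces a DNS-dependent firewall rule, which deserves at least a comment or a numeric-only check. The rewrite below quotes the operand, names the failing address on stderr, and exits non-zero after releasing the mutex; it assumes, as the twelve removed trailing blank lines suggest, that nothing follows `esac`, otherwise record the status in a variable and exit after the `case`.
```shell
    blacklist)
        [ $# -eq 1 ] && usage 1
        shift
        rc=0
        mutex_on
        for addr in "$@"; do
            # Quoted so a value containing spaces reaches iptables as one
            # operand instead of becoming extra iptables options.
            if iptables -A blacklst -s "$addr" -j DROP; then
                echo "$addr Temporarily Blacklisted"
            else
                echo "Error: unable to blacklist $addr" >&2
                rc=1
                break
            fi
        done
        mutex_off
        [ $rc -eq 0 ] || exit 1
        ;;
```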