Implement BLACKLIST section in the rules file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-10-03 16:02:01 -07:00
parent e09aa8662b
commit 835a056eb8
12 changed files with 434 additions and 228 deletions


@ -110,6 +110,7 @@ our %EXPORT_TAGS = (
pop_comment
forward_chain
rules_chain
blacklist_chain
zone_forward_chain
use_forward_chain
input_chain
@ -249,6 +250,8 @@ our $VERSION = 'MODULEVERSION';
# logchains => { <key1> = <chainref1>, ... }
# references => { <ref1> => <refs>, <ref2> => <refs>, ... }
# blacklist => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
# blacklistsection
# => Chain was created by entries in the BLACKLIST section of the rules file
# action => <action tuple that generated this chain>
# restricted => Logical OR of restrictions of rules in this chain.
# restriction => Restrictions on further rules in this chain.
@ -256,6 +259,7 @@ our $VERSION = 'MODULEVERSION';
# filtered => Number of filter rules at the front of an interface forward chain
# digest => string representation of the chain's rules for use in optimization
# level 8.
# accepted => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain.
# } ,
# <chain2> => ...
# }
@ -1478,6 +1482,13 @@ sub rules_chain ($$) {
$renamed{$name} || $name;
}
#
# Name of the blacklist chain between an ordered pair of zones
#
sub blacklist_chain($$) {
&rules_chain(@_) . '~';
}
#
# Forward Chain for an interface
#
@ -2234,6 +2245,7 @@ sub initialize_chain_table($) {
'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET,
'WHITELIST' => STANDARD
);
for my $chain ( qw(OUTPUT PREROUTING) ) {
@ -2694,7 +2706,11 @@ sub optimize_level8( $$$ ) {
if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
replace_references $chainref1, $chainref->{name}, undef;
$rename{ $chainref->{name} } = 1 unless $chainref->{name} =~ /^~/;
unless ( $chainref->{name} =~ /^~/ ) {
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
}
$combined{ $chainref1->{name} } = $chainref->{name};
}
}
@ -2707,7 +2723,7 @@ sub optimize_level8( $$$ ) {
# First create aliases for each renamed chain and change the {name} member.
#
for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = '~comb' . $chainseq++;
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$tableref->{$newname} = $tableref->{$oldname};
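Review bot: `&rules_chain(@_)` in the new blacklist_chain uses the `&` call form, which bypasses the `($$)` prototype that rules_chain is declared with and is the form perlcritic flags; it only works here because `@_` is passed explicitly. Prefer `my ( $zone1, $zone2 ) = @_;` followed by `return rules_chain( $zone1, $zone2 ) . '~';`. The header comment should also say why a suffix rather than a prefix was chosen, e.g. `# The trailing '~' keeps the name distinct from the rules chain while leaving it eligible for combining in optimize_level8, which only exempts names that start with '~'` — that reading follows from the `/^~/` test in the optimize_level8 hunk below, where the new blacklistsection flag then selects the '~blacklist' prefix for the combined chain.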


@ -145,7 +145,8 @@ sub initialize( $ ) {
#
# These are set to 1 as sections are encountered.
#
%sections = ( ALL => 0,
%sections = ( BLACKLIST => 0,
ALL => 0,
ESTABLISHED => 0,
RELATED => 0,
NEW => 0
@ -741,10 +742,12 @@ sub ensure_rules_chain( $ )
{
my ($chain) = @_;
my $chainref = ensure_chain 'filter', $chain;
my $chainref = $filter_table->{$chain};
$chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
unless ( $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) {
if ( $section =~/^(NEW|DONE)$/ ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED';
@ -765,7 +768,7 @@ sub finish_chain_section ($$) {
push_comment(''); #These rules should not have comments
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT} || $chainref->{accepted};
if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) {
@ -1671,6 +1674,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my $inaction = '';
my $normalized_target;
my $normalized_action;
my $blacklist = ( $section eq 'BLACKLIST' );
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
@ -1737,7 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
#
# We can now dispense with the postfix character
#
$action =~ s/[\+\-!]$//;
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
#
# Handle actions
#
@ -1771,8 +1775,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
}
if ( $inaction ) {
$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY )
if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
$targets{$inaction} |= NATRULE if $inaction;
fatal_error "NAT rules are not allowed in the BLACKLIST section" if $blacklist;
}
#
# Take care of irregular syntax and targets
@ -1796,6 +1801,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
} ,
REJECT => sub { $action = 'reject'; } ,
CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist;
$action = 'RETURN'; } ,
COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
);
@ -1921,7 +1928,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
#
# Handle Optimization
#
if ( $optimize > 0 ) {
if ( $optimize > 0 && $section eq 'NEW' ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) {
return 0 if $target eq "${policy}:$loglevel}";
@ -1934,9 +1941,32 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
#
$chainref = ensure_rules_chain $chain;
#
# Don't let the rules in this chain be moved elsewhere
# Handle use of the blacklist chain
#
dont_move $chainref;
if ( $blacklist ) {
my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
my $blacklistref = $filter_table->{$blacklistchain};
unless ( $blacklistref ) {
my @state;
$blacklistref = dont_move( new_chain( 'filter', $blacklistchain ) );
$blacklistref->{blacklistsection} = 1;
if ( $config{BLACKLISTNEWONLY} ) {
#
# Rather than add a 'NEW,INVALID' state match, we want to
# install the ACCEPT ESTABLISH,RELATED rule in the main chain
#
add_ijump( $chainref, j => 'ACCEPT', state_imatch( 'ESTABLISHED,RELATED' ) );
$chainref->{accepted} = 1;
}
add_ijump( $chainref, j => $blacklistref, @state );
}
$chain = $blacklistchain;
$chainref = $blacklistref;
}
}
}
#
@ -1972,7 +2002,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
unless ( $section eq 'NEW' || $inaction ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
}
#
@ -2264,13 +2294,15 @@ sub process_section ($) {
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
$sections{$sect} = 1;
if ( $sect eq 'ESTABLISHED' ) {
$sections{ALL} = 1;
if ( $sect eq 'ALL' ) {
$sections{BLACKLIST} = 1;
} elsif ( $sect eq 'ESTABLISHED' ) {
$sections{'BLACKLIST','ALL'} = ( 1, 1);
} elsif ( $sect eq 'RELATED' ) {
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
finish_section 'ESTABLISHED';
} elsif ( $sect eq 'NEW' ) {
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
}
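Review bot: `$sections{'BLACKLIST','ALL'} = ( 1, 1);` in the process_section hunk is not a hash slice: with a `$` sigil the comma list is joined with `$;` into one synthetic key, so neither `$sections{BLACKLIST}` nor `$sections{ALL}` is set when the ESTABLISHED section is entered, and a later `SECTION BLACKLIST` or `SECTION ALL` would slip past the "Duplicate or out of order SECTION" check above it. It should read `@sections{'BLACKLIST','ALL'} = ( 1, 1 );` as the RELATED and NEW branches do. process_section starts and ends outside the hunk. Separately, in the blacklist-chain hunk of process_rule1, `my @state;` is declared but never assigned, so `add_ijump( $chainref, j => $blacklistref, @state )` always passes an empty list; either drop it or replace it with a comment such as `# no state match on the jump: with BLACKLISTNEWONLY the ESTABLISHED,RELATED ACCEPT inserted above already limits what reaches the blacklist chain`.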


@ -9,6 +9,7 @@
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED


@ -48,9 +48,10 @@
<section id="Intro">
<title>Introduction</title>
<para>Shorewall supports two different forms of blacklisting; static and
dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf
controls the degree of blacklist filtering:</para>
<para>Shorewall supports two different types of blackliisting; rule-based,
static and dynamic. The BLACKLISTNEWONLY option in
/etc/shorewall/shorewall.conf controls the degree of blacklist
filtering:</para>
<orderedlist>
<listitem>
@ -62,10 +63,46 @@
<listitem>
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate
existing connections. Only the source address is checked against the
blacklists.</para>
existing connections.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Rule-based Blacklisting</title>
<para>Beginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the BLACKLIST section of the rules
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
actions, standard and custom macros as well as standard and custom
actions. See <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORTS(S)
SECTION BLACKLIST
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP net:221.192.199.48 all
DROP net:61.158.162.9 all
DROP net:81.21.54.100 all tcp 25
DROP net:84.108.168.139 all
DROP net:200.55.14.18 all
</programlisting>
</section>
<section>
<title>Legacy Blacklisting</title>
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
and dynamic. The dynamic variety is still appropriate for
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
deprecated.</para>
<important>
<para><emphasis role="bold">By default, only the source address is
@ -96,191 +133,197 @@
load, and will have a very negative effect on firewall
performance.</para>
</important>
</section>
<section id="Static">
<title>Static Blacklisting</title>
<section id="Static">
<title>Static Blacklisting</title>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<para>Shorewall static blacklisting support has the following
configuration parameters:</para>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<itemizedlist>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in
<ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem>
<listitem>
<para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in
<ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para>
</listitem>
<listitem>
<para>You list the IP addresses/subnets that you wish to blacklist
in <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para>
</listitem>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
in Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
<listitem>
<para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote>
option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
Shorewall 4.4.12 and later).</para>
</listitem>
</itemizedlist>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
before loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist, it can
substantially reduce the time that all new connections are disabled during
"shorewall [re]start".</para>
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
was supported.</para>
<para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<para>Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
connections before loading the blacklist rules. While this may allow
connections from blacklisted hosts to slip by during construction of the
blacklist, it can substantially reduce the time that all new connections
are disabled during "shorewall [re]start".</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
<para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>) and
<emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>) ipsets
that allow blacklisting networks and individual IP addresses. Note that
[src,dst] is specified so that individual entries in the sets can be bound
to other portmap ipsets to allow blacklisting (<emphasis>source
address</emphasis>, <emphasis>destination port</emphasis>) combinations.
For example:</para>
<para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
ipsets that allow blacklisting networks and individual IP addresses.
Note that [src,dst] is specified so that individual entries in the sets
can be bound to other portmap ipsets to allow blacklisting
(<emphasis>source address</emphasis>, <emphasis>destination
port</emphasis>) combinations. For example:</para>
<programlisting>ipset -N SMTP portmap --from 1 --to 31
<programlisting>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section>
<section id="whitelisting">
<title>Static Whitelisting</title>
<section id="whitelisting">
<title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the
entries in the blacklist file that follow. Whitelist entries are created
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against
the entries in the blacklist file that follow. Whitelist entries are
created using the <emphasis role="bold">whitelist</emphasis> option
(OPTIONS column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para>
</section>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
<section id="Dynamic">
<title>Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
<emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite]
commands. <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<itemizedlist>
<listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped
by the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para>
</listitem>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<listitem>
<para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
<command>stop/start</command> sequences and over
<command>restart</command>.</para>
</listitem>
<para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained
over <command>stop/start</command> sequences and over
<command>restart</command>.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>show dynamic - displays the dynamic blacklisting
configuration.</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be dropped and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
<listitem>
<para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<listitem>
<para>logreject [to|from}<emphasis>&lt;ip address
list&gt;</emphasis> - causes packets from the listed IP addresses to
be rejected and logged by the firewall. Logging will occur at the
level specified by the BLACKLIST_LOGLEVEL setting at the last
[re]start (logging will be at the 'info' level if no
BLACKLIST_LOGLEVEL was given).</para>
</listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>
<example id="Ignore">
<title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example>
<example id="Allow">
<title>Re-enable packets from a system</title>
<example id="Allow">
<title>Re-enable packets from a system</title>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
<para>Re-enables traffic from 192.0.2.125.</para>
</example>
<example>
<title>Displaying the Dynamic Blacklist</title>
<example>
<title>Displaying the Dynamic Blacklist</title>
<programlisting> <command>shorewall show dynamic</command></programlisting>
<programlisting> <command>shorewall show dynamic</command></programlisting>
<para>Displays the 'dynamic' chain which contains rules for the dynamic
blacklist. The <firstterm>source</firstterm> column contains the set of
blacklisted addresses.</para>
</example>
<para>Displays the 'dynamic' chain which contains rules for the
dynamic blacklist. The <firstterm>source</firstterm> column contains
the set of blacklisted addresses.</para>
</example>
</section>
</section>
</article>


@ -228,8 +228,10 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
<para>Deprecated in Shorewall 4.4.25 and later in favor of
rules in the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). Checks
packets arriving on this interface against the <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
@ -364,8 +366,11 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">maclist</emphasis></term>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
<para>Deprecated in Shorewall 4.4.25 and later in favor of
rules in the BLACKLIST section of <ulink
url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
Connection requests from this interface are compared against
the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para>
@ -414,8 +419,9 @@ loc eth2 -</programlisting>
<term>nosmurfs</term>
<listitem>
<para>Filter packets for smurfs (packets with a broadcast
address as the source).</para>
<para> Deprecated in Shorewall 4.4.25 and later in favor of
the DropSmurfs standard action. Filter packets for smurfs
(packets with a broadcast address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
@ -632,11 +638,13 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
<para>Deprecated in Shorewall 4.4.25 and later in favor of the
TCPFlags standard action. Packets arriving on this interface
are checked for certain illegal combinations of TCP flags.
Packets found to have such a combination of flags are handled
according to the setting of TCP_FLAGS_DISPOSITION after having
been logged according to the setting of
TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>


@ -46,11 +46,25 @@
<para>Sections are as follows and must appear in the order listed:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this
section are applied depending on the setting of BLACKLISTNEWONLY in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID
states.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ALL</emphasis></term>
<listitem>
<para>This section was added in Shorewall 4.4.23. rules in this
<para>This section was added in Shorewall 4.4.23. Rules in this
section are applied, regardless of the connection tracking state of
the packet.</para>
</listitem>
@ -101,14 +115,15 @@
comfortable with the differences between the various connection tracking
states, then it is suggested that you omit the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections and place all of your rules in
the NEW section (That's after the line that reads SECTION NEW').</para>
role="bold">RELATED</emphasis> sections and place all of your
non-blacklisting rules in the NEW section (That's after the line that
reads SECTION NEW').</para>
</note>
<warning>
<para>If you specify FASTACCEPT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">BLACKLIST, ALL, ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para>
</warning>
@ -171,7 +186,8 @@
role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>] rules</para>
role="bold">-</emphasis>] rules. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -181,7 +197,9 @@
<listitem>
<para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -191,7 +209,9 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
in the kernel and iptables.</para>
in the kernel and iptables. A_ACCEPT+ and A_ACCEPT! are not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -202,7 +222,8 @@
<para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
a rule to accept the traffic.</para>
a rule to accept the traffic. Not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -220,7 +241,10 @@
<listitem>
<para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section. Not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -230,7 +254,10 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel
and iptables.</para>
and iptables. A_DROP! is not available in the <emphasis
role="bold">BLACKLIST</emphasis> section. A_DROP! is not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -249,7 +276,9 @@
<listitem>
<para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -259,7 +288,8 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and iptables.</para>
kernel and iptables. A_REJECT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -281,7 +311,8 @@
<para>Like <emphasis role="bold">DNAT</emphasis> but only
generates the <emphasis role="bold">DNAT</emphasis> iptables
rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
role="bold">ACCEPT</emphasis> rule. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -303,7 +334,8 @@
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
generates the <emphasis role="bold">REDIRECT</emphasis>
iptables rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para>
role="bold">ACCEPT</emphasis> rule. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -331,7 +363,9 @@
<listitem>
<para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -360,7 +394,9 @@
<listitem>
<para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -497,6 +533,16 @@
rule, it is passed on to the next rule.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">WHITELIST</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.25. May only appear in the
<emphasis role="bold">BLACKLIST</emphasis> section and exempts
the packet from following rules in that section.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The <replaceable>target</replaceable> may optionally be


@ -207,8 +207,11 @@ c:a,b ipv4</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.13. May not be specified for
<emphasis role="bold">firewall</emphasis> or <emphasis
<para>Added in Shorewall 4.4.13. Deprecated in Shorewall
4.4.25 and later in favor of rules in the BLACKLIST section of
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
May not be specified for <emphasis
role="bold">firewall</emphasis> or <emphasis
role="bold">vserver</emphasis> zones.</para>
<para>When specified in the IN_OPTIONS column, causes all


@ -330,6 +330,10 @@
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para>
<para> The BLACKLIST_DISPOSITION setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -343,7 +347,9 @@
logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged.</para>
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -354,11 +360,15 @@
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, blacklists are consulted for
every packet (will slow down your firewall noticably if you have
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
connections. That includes entries in the BLACKLIST section of
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with


@ -120,8 +120,10 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Check packets arriving on this interface against the
<ulink
<para>Deprecated in Shorewall 4.4.25 and later in favor of
rules in the BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
Check packets arriving on this interface against the <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para>
@ -370,11 +372,14 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">tcpflags</emphasis></term>
<listitem>
<para>Packets arriving on this interface are checked for
certain illegal combinations of TCP flags. Packets found to
have such a combination of flags are handled according to the
setting of TCP_FLAGS_DISPOSITION after having been logged
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
<para>Deprecated in Shorewall 4.4.25 and later in favor of
invoking the TCPFlags standard action in <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
Packets arriving on this interface are checked for certain
illegal combinations of TCP flags. Packets found to have such
a combination of flags are handled according to the setting of
TCP_FLAGS_DISPOSITION after having been logged according to
the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem>
</varlistentry>


@ -39,6 +39,20 @@
<para>Sections are as follows and must appear in the order listed:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this
section are applied depending on the setting of BLACKLISTNEWONLY in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID
states.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ALL</emphasis></term>
@ -157,7 +171,9 @@
<listitem>
<para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -167,7 +183,8 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
and ACCEPT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para>
kernel and ip6tables. A_ACCEPT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -185,7 +202,9 @@
<listitem>
<para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -195,7 +214,8 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel
and ip6tables.</para>
and ip6tables. A_DROP! is not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -214,7 +234,9 @@
<listitem>
<para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -224,7 +246,8 @@
<listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para>
kernel and ip6tables. A_REJECT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem>
</varlistentry>
@ -252,7 +275,9 @@
<listitem>
<para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -281,7 +306,9 @@
<listitem>
<para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>
@ -313,7 +340,9 @@
<listitem>
<para>like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem>
</varlistentry>


@ -205,8 +205,11 @@ c:a,b ipv6</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.13. May not be specified for
<emphasis role="bold">firewall</emphasis> or <emphasis
<para>Added in Shorewall 4.4.13. Deprecated in Shorewall
4.4.25 and later in favor of rules in the BLACKLIST section of
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
(5). May not be specified for <emphasis
role="bold">firewall</emphasis> or <emphasis
role="bold">vserver</emphasis> zones.</para>
<para>When specified in the IN_OPTIONS column, causes all


@ -261,7 +261,10 @@
blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para>
a value or if you assign an empty value then DROP is assumed. The
BLACKLIST_DISPOSITION setting has no effect on entries in the
BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -275,7 +278,9 @@
logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not
logged.</para>
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem>
</varlistentry>
@ -286,11 +291,15 @@
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or
<emphasis role="bold">no</emphasis>, blacklists are consulted for
every packet (will slow down your firewall noticably if you have
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
connections. This includes entries in the BLACKLIST section of
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
(5).</para>
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note>
<para>BLACKLISTNEWONLY=No is incompatible with
@ -1691,8 +1700,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-nat(5), shorewall6-netmap(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),