Implement BLACKLIST section in the rules file

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-10-03 16:02:01 -07:00
parent e09aa8662b
commit 835a056eb8
12 changed files with 434 additions and 228 deletions


@ -110,6 +110,7 @@ our %EXPORT_TAGS = (
pop_comment pop_comment
forward_chain forward_chain
rules_chain rules_chain
blacklist_chain
zone_forward_chain zone_forward_chain
use_forward_chain use_forward_chain
input_chain input_chain
@ -249,6 +250,8 @@ our $VERSION = 'MODULEVERSION';
# logchains => { <key1> = <chainref1>, ... } # logchains => { <key1> = <chainref1>, ... }
# references => { <ref1> => <refs>, <ref2> => <refs>, ... } # references => { <ref1> => <refs>, <ref2> => <refs>, ... }
# blacklist => <number of blacklist rules at the head of the rules array> ( 0 or 1 ) # blacklist => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
# blacklistsection
# => Chain was created by entries in the BLACKLIST section of the rules file
# action => <action tuple that generated this chain> # action => <action tuple that generated this chain>
# restricted => Logical OR of restrictions of rules in this chain. # restricted => Logical OR of restrictions of rules in this chain.
# restriction => Restrictions on further rules in this chain. # restriction => Restrictions on further rules in this chain.
@ -256,6 +259,7 @@ our $VERSION = 'MODULEVERSION';
# filtered => Number of filter rules at the front of an interface forward chain # filtered => Number of filter rules at the front of an interface forward chain
# digest => string representation of the chain's rules for use in optimization # digest => string representation of the chain's rules for use in optimization
# level 8. # level 8.
# accepted => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain.
# } , # } ,
# <chain2> => ... # <chain2> => ...
# } # }
@ -1478,6 +1482,13 @@ sub rules_chain ($$) {
$renamed{$name} || $name; $renamed{$name} || $name;
} }
#
# Name of the blacklist chain between an ordered pair of zones
#
sub blacklist_chain($$) {
&rules_chain(@_) . '~';
}
# #
# Forward Chain for an interface # Forward Chain for an interface
# #
@ -2234,6 +2245,7 @@ sub initialize_chain_table($) {
'NFQUEUE!' => STANDARD + NFQ, 'NFQUEUE!' => STANDARD + NFQ,
'ADD' => STANDARD + SET, 'ADD' => STANDARD + SET,
'DEL' => STANDARD + SET, 'DEL' => STANDARD + SET,
'WHITELIST' => STANDARD
); );
for my $chain ( qw(OUTPUT PREROUTING) ) { for my $chain ( qw(OUTPUT PREROUTING) ) {
@ -2694,7 +2706,11 @@ sub optimize_level8( $$$ ) {
if ( $chainref->{digest} eq $chainref1->{digest} ) { if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}"; progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
replace_references $chainref1, $chainref->{name}, undef; replace_references $chainref1, $chainref->{name}, undef;
$rename{ $chainref->{name} } = 1 unless $chainref->{name} =~ /^~/;
unless ( $chainref->{name} =~ /^~/ ) {
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
}
$combined{ $chainref1->{name} } = $chainref->{name}; $combined{ $chainref1->{name} } = $chainref->{name};
} }
} }
@ -2707,7 +2723,7 @@ sub optimize_level8( $$$ ) {
# First create aliases for each renamed chain and change the {name} member. # First create aliases for each renamed chain and change the {name} member.
# #
for my $oldname ( @rename ) { for my $oldname ( @rename ) {
my $newname = $renamed{ $oldname } = '~comb' . $chainseq++; my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug; trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
$tableref->{$newname} = $tableref->{$oldname}; $tableref->{$newname} = $tableref->{$oldname};
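Review bot: The new `blacklist_chain` in the `@ -1478` hunk calls `&rules_chain(@_)`, and the `&` form is needed here because `rules_chain` carries a `($$)` prototype that would otherwise force `@_` into scalar context, but an unexplained `&` call reads as the call-style anti-pattern a linter flags. A one-line comment would prevent a well-meaning "cleanup" from breaking it: `# '&' form bypasses the ($$) prototype so both zone names in @_ are forwarded`. The `~` suffix that distinguishes a zone pair's blacklist chain from its rules chain is likewise only implied; the chain-table comment block in the `@ -249` hunk, which already documents `blacklistsection`, could state that a chain whose name ends in `~` is that pair's blacklist chain, since `optimize_level8` later keys its rename logic on `blacklistsection` rather than on the name.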


@ -145,7 +145,8 @@ sub initialize( $ ) {
# #
# These are set to 1 as sections are encountered. # These are set to 1 as sections are encountered.
# #
%sections = ( ALL => 0, %sections = ( BLACKLIST => 0,
ALL => 0,
ESTABLISHED => 0, ESTABLISHED => 0,
RELATED => 0, RELATED => 0,
NEW => 0 NEW => 0
@ -741,10 +742,12 @@ sub ensure_rules_chain( $ )
{ {
my ($chain) = @_; my ($chain) = @_;
my $chainref = ensure_chain 'filter', $chain; my $chainref = $filter_table->{$chain};
$chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
unless ( $chainref->{referenced} ) { unless ( $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) { if ( $section =~/^(NEW|DONE)$/ ) {
finish_chain_section $chainref , 'ESTABLISHED,RELATED'; finish_chain_section $chainref , 'ESTABLISHED,RELATED';
} elsif ( $section eq 'RELATED' ) { } elsif ( $section eq 'RELATED' ) {
finish_chain_section $chainref , 'ESTABLISHED'; finish_chain_section $chainref , 'ESTABLISHED';
@ -765,7 +768,7 @@ sub finish_chain_section ($$) {
push_comment(''); #These rules should not have comments push_comment(''); #These rules should not have comments
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT}; add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT} || $chainref->{accepted};
if ($sections{NEW} ) { if ($sections{NEW} ) {
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
@ -1671,6 +1674,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my $inaction = ''; my $inaction = '';
my $normalized_target; my $normalized_target;
my $normalized_action; my $normalized_action;
my $blacklist = ( $section eq 'BLACKLIST' );
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref; ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
@ -1737,7 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# #
# We can now dispense with the postfix character # We can now dispense with the postfix character
# #
$action =~ s/[\+\-!]$//; fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
# #
# Handle actions # Handle actions
# #
@ -1771,8 +1775,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//; fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
} }
if ( $inaction ) { if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) $targets{$inaction} |= NATRULE if $inaction;
fatal_error "NAT rules are not allowed in the BLACKLIST section" if $blacklist;
} }
# #
# Take care of irregular syntax and targets # Take care of irregular syntax and targets
@ -1796,6 +1801,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
} , } ,
REJECT => sub { $action = 'reject'; } , REJECT => sub { $action = 'reject'; } ,
CONTINUE => sub { $action = 'RETURN'; } , CONTINUE => sub { $action = 'RETURN'; } ,
WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist;
$action = 'RETURN'; } ,
COUNT => sub { $action = ''; } , COUNT => sub { $action = ''; } ,
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } , LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
); );
@ -1921,7 +1928,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# #
# Handle Optimization # Handle Optimization
# #
if ( $optimize > 0 ) { if ( $optimize > 0 && $section eq 'NEW' ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
return 0 if $target eq "${policy}:$loglevel}"; return 0 if $target eq "${policy}:$loglevel}";
@ -1934,9 +1941,32 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
# #
$chainref = ensure_rules_chain $chain; $chainref = ensure_rules_chain $chain;
# #
# Don't let the rules in this chain be moved elsewhere # Handle use of the blacklist chain
# #
dont_move $chainref; if ( $blacklist ) {
my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
my $blacklistref = $filter_table->{$blacklistchain};
unless ( $blacklistref ) {
my @state;
$blacklistref = dont_move( new_chain( 'filter', $blacklistchain ) );
$blacklistref->{blacklistsection} = 1;
if ( $config{BLACKLISTNEWONLY} ) {
#
# Rather than add a 'NEW,INVALID' state match, we want to
# install the ACCEPT ESTABLISH,RELATED rule in the main chain
#
add_ijump( $chainref, j => 'ACCEPT', state_imatch( 'ESTABLISHED,RELATED' ) );
$chainref->{accepted} = 1;
}
add_ijump( $chainref, j => $blacklistref, @state );
}
$chain = $blacklistchain;
$chainref = $blacklistref;
}
} }
} }
# #
@ -1972,7 +2002,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
unless ( $section eq 'NEW' || $inaction ) { unless ( $section eq 'NEW' || $inaction ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT}; fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT ); fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL'; $rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
} }
# #
@ -2264,13 +2294,15 @@ sub process_section ($) {
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect}; fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
$sections{$sect} = 1; $sections{$sect} = 1;
if ( $sect eq 'ESTABLISHED' ) { if ( $sect eq 'ALL' ) {
$sections{ALL} = 1; $sections{BLACKLIST} = 1;
} elsif ( $sect eq 'ESTABLISHED' ) {
$sections{'BLACKLIST','ALL'} = ( 1, 1);
} elsif ( $sect eq 'RELATED' ) { } elsif ( $sect eq 'RELATED' ) {
@sections{'ALL','ESTABLISHED'} = ( 1, 1); @sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
finish_section 'ESTABLISHED'; finish_section 'ESTABLISHED';
} elsif ( $sect eq 'NEW' ) { } elsif ( $sect eq 'NEW' ) {
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 ); @sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' ); finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
} }
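Review bot: In the `process_section` hunk (`@ -2264`), the new line `$sections{'BLACKLIST','ALL'} = ( 1, 1);` uses the scalar sigil, so Perl treats the subscript as multidimensional-hash emulation and stores a single value under the joined key `"BLACKLIST$;ALL"`; neither `BLACKLIST` nor `ALL` is marked as seen when ESTABLISHED is entered, and a subsequent `SECTION BLACKLIST` or `SECTION ALL` slips past the "Duplicate or out of order SECTION" check that guards the ordering the blacklist chain jump depends on. It should be a hash slice like the RELATED and NEW branches: `@sections{'BLACKLIST','ALL'} = ( 1, 1 );` — `use warnings` does not flag the scalar form because both are valid Perl. Separately, in the `@ -1934` hunk of `process_rule1` (whose body starts and ends outside the hunk), `my @state;` is declared but never assigned, so `add_ijump( $chainref, j => $blacklistref, @state )` always passes an empty list; either drop it or replace it with a comment stating that no state match is applied because the preceding ACCEPT ESTABLISHED,RELATED rule already narrows what reaches the blacklist chain.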


@ -9,6 +9,7 @@
###################################################################################################################################################################################### ######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP # PORT PORT(S) DEST LIMIT GROUP
#SECTION BLACKLIST
#SECTION ALL #SECTION ALL
#SECTION ESTABLISHED #SECTION ESTABLISHED
#SECTION RELATED #SECTION RELATED


@ -48,9 +48,10 @@
<section id="Intro"> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
<para>Shorewall supports two different forms of blacklisting; static and <para>Shorewall supports two different types of blackliisting; rule-based,
dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf static and dynamic. The BLACKLISTNEWONLY option in
controls the degree of blacklist filtering:</para> /etc/shorewall/shorewall.conf controls the degree of blacklist
filtering:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
@ -62,10 +63,46 @@
<listitem> <listitem>
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for <para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate new connection requests. Blacklists may not be used to terminate
existing connections. Only the source address is checked against the existing connections.</para>
blacklists.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section>
<section>
<title>Rule-based Blacklisting</title>
<para>Beginning with Shorewall 4.4.25, the preferred method of
blacklisting and whitelisting is to use the BLACKLIST section of the rules
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
actions, standard and custom macros as well as standard and custom
actions. See <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
details.</para>
<para>Example:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST
# PORTS(S)
SECTION BLACKLIST
WHITELIST net:70.90.191.126 all
DROP net all udp 1023:1033,1434,5948,23773
DROP all net udp 1023:1033
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP net:221.192.199.48 all
DROP net:61.158.162.9 all
DROP net:81.21.54.100 all tcp 25
DROP net:84.108.168.139 all
DROP net:200.55.14.18 all
</programlisting>
</section>
<section>
<title>Legacy Blacklisting</title>
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
and dynamic. The dynamic variety is still appropriate for
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
deprecated.</para>
<important> <important>
<para><emphasis role="bold">By default, only the source address is <para><emphasis role="bold">By default, only the source address is
@ -96,191 +133,197 @@
load, and will have a very negative effect on firewall load, and will have a very negative effect on firewall
performance.</para> performance.</para>
</important> </important>
</section>
<section id="Static"> <section id="Static">
<title>Static Blacklisting</title> <title>Static Blacklisting</title>
<para>Shorewall static blacklisting support has the following <para>Shorewall static blacklisting support has the following
configuration parameters:</para> configuration parameters:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink dropped or rejected using the BLACKLIST_DISPOSITION setting in
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para> <ulink
</listitem> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
</listitem>
<listitem> <listitem>
<para>You specify whether you want packets from blacklisted hosts <para>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in <ulink in <ulink
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para> url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You list the IP addresses/subnets that you wish to blacklist in <para>You list the IP addresses/subnets that you wish to blacklist
<ulink in <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink> url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5). You may also specify PROTOCOL and Port numbers/Service names in (5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.</para> the blacklist file.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>You specify the interfaces whose incoming packets you want <para>You specify the interfaces whose incoming packets you want
checked against the blacklist using the <quote>blacklist</quote> checked against the blacklist using the <quote>blacklist</quote>
option in <ulink option in <ulink
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5) url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
(<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) (<ulink
in Shorewall 4.4.12 and later).</para> url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
</listitem> Shorewall 4.4.12 and later).</para>
</itemizedlist> </listitem>
</itemizedlist>
<para>Users with a large static black list may want to set the <para>Prior to Shorewall 4.4.20, only source-address static blacklisting
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version was supported.</para>
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
before loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist, it can
substantially reduce the time that all new connections are disabled during
"shorewall [re]start".</para>
<para>Beginning with Shorewall 2.4.0, you can use <ulink <para>Users with a large static black list may want to set the
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
an example:</para> 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
connections before loading the blacklist rules. While this may allow
connections from blacklisted hosts to slip by during construction of the
blacklist, it can substantially reduce the time that all new connections
are disabled during "shorewall [re]start".</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT <para>Beginning with Shorewall 2.4.0, you can use <ulink
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
an example:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst] +Blacklistports[dst]
+Blacklistnets[src,dst] +Blacklistnets[src,dst]
+Blacklist[src,dst] +Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>In this example, there is a portmap ipset <para>In this example, there is a portmap ipset
<emphasis>Blacklistports</emphasis> that blacklists all traffic with <emphasis>Blacklistports</emphasis> that blacklists all traffic with
destination ports included in the ipset. There are also destination ports included in the ipset. There are also
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>) and <emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
<emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>) ipsets and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
that allow blacklisting networks and individual IP addresses. Note that ipsets that allow blacklisting networks and individual IP addresses.
[src,dst] is specified so that individual entries in the sets can be bound Note that [src,dst] is specified so that individual entries in the sets
to other portmap ipsets to allow blacklisting (<emphasis>source can be bound to other portmap ipsets to allow blacklisting
address</emphasis>, <emphasis>destination port</emphasis>) combinations. (<emphasis>source address</emphasis>, <emphasis>destination
For example:</para> port</emphasis>) combinations. For example:</para>
<programlisting>ipset -N SMTP portmap --from 1 --to 31 <programlisting>ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25 ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177 ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting> ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para> <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
</section> </section>
<section id="whitelisting"> <section id="whitelisting">
<title>Static Whitelisting</title> <title>Static Whitelisting</title>
<para>Beginning with Shorewall 4.4.20, you can create <para>Beginning with Shorewall 4.4.20, you can create
<firstterm>whitelist</firstterm> entries in the blacklist file. <firstterm>whitelist</firstterm> entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the Connections/packets matching a whitelist entry are not matched against
entries in the blacklist file that follow. Whitelist entries are created the entries in the blacklist file that follow. Whitelist entries are
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS created using the <emphasis role="bold">whitelist</emphasis> option
column). See <ulink (OPTIONS column). See <ulink
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink> url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
(5).</para> (5).</para>
</section> </section>
<section id="Dynamic"> <section id="Dynamic">
<title>Dynamic Blacklisting</title> <title>Dynamic Blacklisting</title>
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>. setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
Prior to that release, the feature is always enabled.</para> Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration <para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands. parameters but is rather controlled using /sbin/shorewall[-lite]
<emphasis role="bold">Note</emphasis> that <emphasis commands. <emphasis role="bold">Note</emphasis> that <emphasis
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para> later</emphasis>.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be silently dropped by causes packets from the listed IP addresses to be silently dropped
the firewall.</para> by the firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> - <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the causes packets from the listed IP addresses to be rejected by the
firewall.</para> firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
re-enables receipt of packets from hosts previously blacklisted by a re-enables receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para> command.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>save - save the dynamic blacklisting configuration so that it <para>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is will be automatically restored the next time that the firewall is
restarted.</para> restarted.</para>
<para><emphasis role="bold">Update:</emphasis> Beginning with <para><emphasis role="bold">Update:</emphasis> Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over Shorewall 4.4.10, the dynamic blacklist is automatically retained
<command>stop/start</command> sequences and over over <command>stop/start</command> sequences and over
<command>restart</command>.</para> <command>restart</command>.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>show dynamic - displays the dynamic blacklisting <para>show dynamic - displays the dynamic blacklisting
configuration.</para> configuration.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
causes packets from the listed IP addresses to be dropped and logged - causes packets from the listed IP addresses to be dropped and
by the firewall. Logging will occur at the level specified by the logged by the firewall. Logging will occur at the level specified by
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis> <para>logreject [to|from}<emphasis>&lt;ip address
- causes packets from the listed IP addresses to be rejected and list&gt;</emphasis> - causes packets from the listed IP addresses to
logged by the firewall. Logging will occur at the level specified by be rejected and logged by the firewall. Logging will occur at the
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be level specified by the BLACKLIST_LOGLEVEL setting at the last
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> [re]start (logging will be at the 'info' level if no
</listitem> BLACKLIST_LOGLEVEL was given).</para>
</itemizedlist> </listitem>
</itemizedlist>
<para>Dynamic blacklisting is not dependent on the <para>Dynamic blacklisting is not dependent on the
<quote>blacklist</quote> option in <quote>blacklist</quote> option in
<filename>/etc/shorewall/interfaces</filename>.</para> <filename>/etc/shorewall/interfaces</filename>.</para>
<example id="Ignore"> <example id="Ignore">
<title>Ignore packets from a pair of systems</title> <title>Ignore packets from a pair of systems</title>
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting> <programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para> <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
</example> </example>
<example id="Allow"> <example id="Allow">
<title>Re-enable packets from a system</title> <title>Re-enable packets from a system</title>
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting> <programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
<para>Re-enables traffic from 192.0.2.125.</para> <para>Re-enables traffic from 192.0.2.125.</para>
</example> </example>
<example> <example>
<title>Displaying the Dynamic Blacklist</title> <title>Displaying the Dynamic Blacklist</title>
<programlisting> <command>shorewall show dynamic</command></programlisting> <programlisting> <command>shorewall show dynamic</command></programlisting>
<para>Displays the 'dynamic' chain which contains rules for the dynamic <para>Displays the 'dynamic' chain which contains rules for the
blacklist. The <firstterm>source</firstterm> column contains the set of dynamic blacklist. The <firstterm>source</firstterm> column contains
blacklisted addresses.</para> the set of blacklisted addresses.</para>
</example> </example>
</section>
</section> </section>
</article> </article>


@ -228,8 +228,10 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Check packets arriving on this interface against the <para>Deprecated in Shorewall 4.4.25 and later in favor of
<ulink rules in the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5). Checks
packets arriving on this interface against the <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5) url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
@ -364,8 +366,11 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">maclist</emphasis></term> <term><emphasis role="bold">maclist</emphasis></term>
<listitem> <listitem>
<para>Connection requests from this interface are compared <para>Deprecated in Shorewall 4.4.25 and later in favor of
against the contents of <ulink rules in the BLACKLIST section of <ulink
url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
Connection requests from this interface are compared against
the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an ethernet this option is specified, the interface must be an ethernet
NIC and must be up before Shorewall is started.</para> NIC and must be up before Shorewall is started.</para>
@ -414,8 +419,9 @@ loc eth2 -</programlisting>
<term>nosmurfs</term> <term>nosmurfs</term>
<listitem> <listitem>
<para>Filter packets for smurfs (packets with a broadcast <para> Deprecated in Shorewall 4.4.25 and later in favor of
address as the source).</para> the DropSmurfs standard action. Filter packets for smurfs
(packets with a broadcast address as the source).</para>
<para>Smurfs will be optionally logged based on the setting of <para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink SMURF_LOG_LEVEL in <ulink
@ -632,11 +638,13 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">tcpflags</emphasis></term> <term><emphasis role="bold">tcpflags</emphasis></term>
<listitem> <listitem>
<para>Packets arriving on this interface are checked for <para>Deprecated in Shorewall 4.4.25 and later in favor of the
certain illegal combinations of TCP flags. Packets found to TCPFlags standard action. Packets arriving on this interface
have such a combination of flags are handled according to the are checked for certain illegal combinations of TCP flags.
setting of TCP_FLAGS_DISPOSITION after having been logged Packets found to have such a combination of flags are handled
according to the setting of TCP_FLAGS_LOG_LEVEL.</para> according to the setting of TCP_FLAGS_DISPOSITION after having
been logged according to the setting of
TCP_FLAGS_LOG_LEVEL.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -46,11 +46,25 @@
<para>Sections are as follows and must appear in the order listed:</para> <para>Sections are as follows and must appear in the order listed:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this
section are applied depending on the setting of BLACKLISTNEWONLY in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID
states.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ALL</emphasis></term> <term><emphasis role="bold">ALL</emphasis></term>
<listitem> <listitem>
<para>This section was added in Shorewall 4.4.23. rules in this <para>This section was added in Shorewall 4.4.23. Rules in this
section are applied, regardless of the connection tracking state of section are applied, regardless of the connection tracking state of
the packet.</para> the packet.</para>
</listitem> </listitem>
@ -101,14 +115,15 @@
comfortable with the differences between the various connection tracking comfortable with the differences between the various connection tracking
states, then it is suggested that you omit the <emphasis states, then it is suggested that you omit the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections and place all of your rules in role="bold">RELATED</emphasis> sections and place all of your
the NEW section (That's after the line that reads SECTION NEW').</para> non-blacklisting rules in the NEW section (That's after the line that
reads SECTION NEW').</para>
</note> </note>
<warning> <warning>
<para>If you specify FASTACCEPT=Yes in <ulink <para>If you specify FASTACCEPT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
role="bold">ESTABLISHED</emphasis> and <emphasis role="bold">BLACKLIST, ALL, ESTABLISHED</emphasis> and <emphasis
role="bold">RELATED</emphasis> sections must be empty.</para> role="bold">RELATED</emphasis> sections must be empty.</para>
</warning> </warning>
@ -171,7 +186,8 @@
role="bold">DNAT</emphasis>[<emphasis role="bold">DNAT</emphasis>[<emphasis
role="bold">-</emphasis>] or <emphasis role="bold">-</emphasis>] or <emphasis
role="bold">REDIRECT</emphasis>[<emphasis role="bold">REDIRECT</emphasis>[<emphasis
role="bold">-</emphasis>] rules</para> role="bold">-</emphasis>] rules. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -181,7 +197,9 @@
<listitem> <listitem>
<para>like ACCEPT but exempts the rule from being suppressed <para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -191,7 +209,9 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT, <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
in the kernel and iptables.</para> in the kernel and iptables. A_ACCEPT+ and A_ACCEPT! are not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -202,7 +222,8 @@
<para>Excludes the connection from any subsequent <emphasis <para>Excludes the connection from any subsequent <emphasis
role="bold">DNAT</emphasis>[-] or <emphasis role="bold">DNAT</emphasis>[-] or <emphasis
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
a rule to accept the traffic.</para> a rule to accept the traffic. Not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -220,7 +241,10 @@
<listitem> <listitem>
<para>like DROP but exempts the rule from being suppressed by <para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section. Not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -230,7 +254,10 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and <para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel DROP! respectively. Require AUDIT_TARGET support in the kernel
and iptables.</para> and iptables. A_DROP! is not available in the <emphasis
role="bold">BLACKLIST</emphasis> section. A_DROP! is not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -249,7 +276,9 @@
<listitem> <listitem>
<para>like REJECT but exempts the rule from being suppressed <para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -259,7 +288,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT <para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and iptables.</para> kernel and iptables. A_REJECT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -281,7 +311,8 @@
<para>Like <emphasis role="bold">DNAT</emphasis> but only <para>Like <emphasis role="bold">DNAT</emphasis> but only
generates the <emphasis role="bold">DNAT</emphasis> iptables generates the <emphasis role="bold">DNAT</emphasis> iptables
rule and not the companion <emphasis rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para> role="bold">ACCEPT</emphasis> rule. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -303,7 +334,8 @@
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
generates the <emphasis role="bold">REDIRECT</emphasis> generates the <emphasis role="bold">REDIRECT</emphasis>
iptables rule and not the companion <emphasis iptables rule and not the companion <emphasis
role="bold">ACCEPT</emphasis> rule.</para> role="bold">ACCEPT</emphasis> rule. Not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -331,7 +363,9 @@
<listitem> <listitem>
<para>like CONTINUE but exempts the rule from being suppressed <para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -360,7 +394,9 @@
<listitem> <listitem>
<para>like QUEUE but exempts the rule from being suppressed by <para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -497,6 +533,16 @@
rule, it is passed on to the next rule.</para> rule, it is passed on to the next rule.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">WHITELIST</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.25. May only appear in the
<emphasis role="bold">BLACKLIST</emphasis> section and exempts
the packet from following rules in that section.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
<para>The <replaceable>target</replaceable> may optionally be <para>The <replaceable>target</replaceable> may optionally be


@ -207,8 +207,11 @@ c:a,b ipv4</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.13. May not be specified for <para>Added in Shorewall 4.4.13. Deprecated in Shorewall
<emphasis role="bold">firewall</emphasis> or <emphasis 4.4.25 and later in favor of rules in the BLACKLIST section of
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
May not be specified for <emphasis
role="bold">firewall</emphasis> or <emphasis
role="bold">vserver</emphasis> zones.</para> role="bold">vserver</emphasis> zones.</para>
<para>When specified in the IN_OPTIONS column, causes all <para>When specified in the IN_OPTIONS column, causes all


@ -330,6 +330,10 @@
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
respectively and were added in Shorewall 4.4.20. They require respectively and were added in Shorewall 4.4.20. They require
AUDIT_TARGET in the kernel and iptables.</para> AUDIT_TARGET in the kernel and iptables.</para>
<para> The BLACKLIST_DISPOSITION setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -343,7 +347,9 @@
logged at. Its value is a syslog level (Example: logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not assign an empty value then packets from blacklisted hosts are not
logged.</para> logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -354,11 +360,15 @@
<listitem> <listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or connections. That includes entries in the BLACKLIST section of
<emphasis role="bold">no</emphasis>, blacklists are consulted for <ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
every packet (will slow down your firewall noticably if you have </para>
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para> <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note> <note>
<para>BLACKLISTNEWONLY=No is incompatible with <para>BLACKLISTNEWONLY=No is incompatible with


@ -120,8 +120,10 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Check packets arriving on this interface against the <para>Deprecated in Shorewall 4.4.25 and later in favor of
<ulink rules in the BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
Check packets arriving on this interface against the <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5) url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
file.</para> file.</para>
@ -370,11 +372,14 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">tcpflags</emphasis></term> <term><emphasis role="bold">tcpflags</emphasis></term>
<listitem> <listitem>
<para>Packets arriving on this interface are checked for <para>Deprecated in Shorewall 4.4.25 and later in favor of
certain illegal combinations of TCP flags. Packets found to invoking the TCPFlags standard action in <ulink
have such a combination of flags are handled according to the url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
setting of TCP_FLAGS_DISPOSITION after having been logged Packets arriving on this interface are checked for certain
according to the setting of TCP_FLAGS_LOG_LEVEL.</para> illegal combinations of TCP flags. Packets found to have such
a combination of flags are handled according to the setting of
TCP_FLAGS_DISPOSITION after having been logged according to
the setting of TCP_FLAGS_LOG_LEVEL.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -39,6 +39,20 @@
<para>Sections are as follows and must appear in the order listed:</para> <para>Sections are as follows and must appear in the order listed:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">BLACKLIST</emphasis></term>
<listitem>
<para>This section was added in Shorewall 4.4.25. Rules in this
section are applied depending on the setting of BLACKLISTNEWONLY in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
BLACKLISTNEWONLY=No, then they are applied regardless of the
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
they are applied to connections in the NEW and INVALID
states.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">ALL</emphasis></term> <term><emphasis role="bold">ALL</emphasis></term>
@ -157,7 +171,9 @@
<listitem> <listitem>
<para>like ACCEPT but exempts the rule from being suppressed <para>like ACCEPT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -167,7 +183,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
and ACCEPT! respectively. Require AUDIT_TARGET support in the and ACCEPT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para> kernel and ip6tables. A_ACCEPT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -185,7 +202,9 @@
<listitem> <listitem>
<para>like DROP but exempts the rule from being suppressed by <para>like DROP but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -195,7 +214,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of DROP and <para>Added in Shorewall 4.4.20. Audited versions of DROP and
DROP! respectively. Require AUDIT_TARGET support in the kernel DROP! respectively. Require AUDIT_TARGET support in the kernel
and ip6tables.</para> and ip6tables. A_DROP! is not available in the <emphasis
role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -214,7 +234,9 @@
<listitem> <listitem>
<para>like REJECT but exempts the rule from being suppressed <para>like REJECT but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -224,7 +246,8 @@
<listitem> <listitem>
<para>Added in Shorewall 4.4.20. Audited versions of REJECT <para>Added in Shorewall 4.4.20. Audited versions of REJECT
and REJECT! respectively. Require AUDIT_TARGET support in the and REJECT! respectively. Require AUDIT_TARGET support in the
kernel and ip6tables.</para> kernel and ip6tables. A_REJECT! is not available in the
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -252,7 +275,9 @@
<listitem> <listitem>
<para>like CONTINUE but exempts the rule from being suppressed <para>like CONTINUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -281,7 +306,9 @@
<listitem> <listitem>
<para>like QUEUE but exempts the rule from being suppressed by <para>like QUEUE but exempts the rule from being suppressed by
OPTIMIZE=1 in <ulink OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -313,7 +340,9 @@
<listitem> <listitem>
<para>like NFQUEUE but exempts the rule from being suppressed <para>like NFQUEUE but exempts the rule from being suppressed
by OPTIMIZE=1 in <ulink by OPTIMIZE=1 in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
available in the <emphasis role="bold">BLACKLIST</emphasis>
section.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -205,8 +205,11 @@ c:a,b ipv6</programlisting>
<term><emphasis role="bold">blacklist</emphasis></term> <term><emphasis role="bold">blacklist</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.13. May not be specified for <para>Added in Shorewall 4.4.13. Deprecated in Shorewall
<emphasis role="bold">firewall</emphasis> or <emphasis 4.4.25 and later in favor of rules in the BLACKLIST section of
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
(5). May not be specified for <emphasis
role="bold">firewall</emphasis> or <emphasis
role="bold">vserver</emphasis> zones.</para> role="bold">vserver</emphasis> zones.</para>
<para>When specified in the IN_OPTIONS column, causes all <para>When specified in the IN_OPTIONS column, causes all


@ -261,7 +261,10 @@
blacklisted hosts. It may have the value DROP if the packets are to blacklisted hosts. It may have the value DROP if the packets are to
be dropped or REJECT if the packets are to be replied with an ICMP be dropped or REJECT if the packets are to be replied with an ICMP
port unreachable reply or a TCP RST (tcp only). If you do not assign port unreachable reply or a TCP RST (tcp only). If you do not assign
a value or if you assign an empty value then DROP is assumed.</para> a value or if you assign an empty value then DROP is assumed. The
BLACKLIST_DISPOSITION setting has no effect on entries in the
BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -275,7 +278,9 @@
logged at. Its value is a syslog level (Example: logged at. Its value is a syslog level (Example:
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
assign an empty value then packets from blacklisted hosts are not assign an empty value then packets from blacklisted hosts are not
logged.</para> logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
the BLACKLIST section of <ulink
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -286,11 +291,15 @@
<listitem> <listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, blacklists are only consulted for new role="bold">yes</emphasis>, blacklists are only consulted for new
connections. When set to <emphasis role="bold">No</emphasis> or connections. This includes entries in the BLACKLIST section of
<emphasis role="bold">no</emphasis>, blacklists are consulted for <ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
every packet (will slow down your firewall noticably if you have (5).</para>
large blacklists). If the BLACKLISTNEWONLY option is not set or is
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para> <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
role="bold">no</emphasis>, blacklists are consulted for every packet
(will slow down your firewall noticably if you have large
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
<note> <note>
<para>BLACKLISTNEWONLY=No is incompatible with <para>BLACKLISTNEWONLY=No is incompatible with
@ -1691,8 +1700,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-nat(5), shorewall6-netmap(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5),
shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),