forked from extern/shorewall_code
Implement BLACKLIST section in the rules file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
e09aa8662b
commit
835a056eb8
@ -110,6 +110,7 @@ our %EXPORT_TAGS = (
|
||||
pop_comment
|
||||
forward_chain
|
||||
rules_chain
|
||||
blacklist_chain
|
||||
zone_forward_chain
|
||||
use_forward_chain
|
||||
input_chain
|
||||
@ -249,6 +250,8 @@ our $VERSION = 'MODULEVERSION';
|
||||
# logchains => { <key1> = <chainref1>, ... }
|
||||
# references => { <ref1> => <refs>, <ref2> => <refs>, ... }
|
||||
# blacklist => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
|
||||
# blacklistsection
|
||||
# => Chain was created by entries in the BLACKLIST section of the rules file
|
||||
# action => <action tuple that generated this chain>
|
||||
# restricted => Logical OR of restrictions of rules in this chain.
|
||||
# restriction => Restrictions on further rules in this chain.
|
||||
@ -256,6 +259,7 @@ our $VERSION = 'MODULEVERSION';
|
||||
# filtered => Number of filter rules at the front of an interface forward chain
|
||||
# digest => string representation of the chain's rules for use in optimization
|
||||
# level 8.
|
||||
# accepted => A 'ESTABLISHED,RELATED' ACCEPT rule has been added to this chain.
|
||||
# } ,
|
||||
# <chain2> => ...
|
||||
# }
|
||||
@ -1478,6 +1482,13 @@ sub rules_chain ($$) {
|
||||
$renamed{$name} || $name;
|
||||
}
|
||||
|
||||
#
|
||||
# Name of the blacklist chain between an ordered pair of zones
|
||||
#
|
||||
sub blacklist_chain($$) {
|
||||
&rules_chain(@_) . '~';
|
||||
}
|
||||
|
||||
#
|
||||
# Forward Chain for an interface
|
||||
#
|
||||
@ -2234,6 +2245,7 @@ sub initialize_chain_table($) {
|
||||
'NFQUEUE!' => STANDARD + NFQ,
|
||||
'ADD' => STANDARD + SET,
|
||||
'DEL' => STANDARD + SET,
|
||||
'WHITELIST' => STANDARD
|
||||
);
|
||||
|
||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||
@ -2694,7 +2706,11 @@ sub optimize_level8( $$$ ) {
|
||||
if ( $chainref->{digest} eq $chainref1->{digest} ) {
|
||||
progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
|
||||
replace_references $chainref1, $chainref->{name}, undef;
|
||||
$rename{ $chainref->{name} } = 1 unless $chainref->{name} =~ /^~/;
|
||||
|
||||
unless ( $chainref->{name} =~ /^~/ ) {
|
||||
$rename{ $chainref->{name} } = $chainref->{blacklistsection} ? '~blacklist' : '~comb';
|
||||
}
|
||||
|
||||
$combined{ $chainref1->{name} } = $chainref->{name};
|
||||
}
|
||||
}
|
||||
@ -2707,7 +2723,7 @@ sub optimize_level8( $$$ ) {
|
||||
# First create aliases for each renamed chain and change the {name} member.
|
||||
#
|
||||
for my $oldname ( @rename ) {
|
||||
my $newname = $renamed{ $oldname } = '~comb' . $chainseq++;
|
||||
my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
|
||||
|
||||
trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
|
||||
$tableref->{$newname} = $tableref->{$oldname};
|
||||
|
@ -145,7 +145,8 @@ sub initialize( $ ) {
|
||||
#
|
||||
# These are set to 1 as sections are encountered.
|
||||
#
|
||||
%sections = ( ALL => 0,
|
||||
%sections = ( BLACKLIST => 0,
|
||||
ALL => 0,
|
||||
ESTABLISHED => 0,
|
||||
RELATED => 0,
|
||||
NEW => 0
|
||||
@ -741,10 +742,12 @@ sub ensure_rules_chain( $ )
|
||||
{
|
||||
my ($chain) = @_;
|
||||
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
$chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
|
||||
|
||||
unless ( $chainref->{referenced} ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||
if ( $section =~/^(NEW|DONE)$/ ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
||||
} elsif ( $section eq 'RELATED' ) {
|
||||
finish_chain_section $chainref , 'ESTABLISHED';
|
||||
@ -765,7 +768,7 @@ sub finish_chain_section ($$) {
|
||||
|
||||
push_comment(''); #These rules should not have comments
|
||||
|
||||
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
|
||||
add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT} || $chainref->{accepted};
|
||||
|
||||
if ($sections{NEW} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
@ -1671,6 +1674,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
my $inaction = '';
|
||||
my $normalized_target;
|
||||
my $normalized_action;
|
||||
my $blacklist = ( $section eq 'BLACKLIST' );
|
||||
|
||||
( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
|
||||
|
||||
@ -1737,7 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
#
|
||||
# We can now dispense with the postfix character
|
||||
#
|
||||
$action =~ s/[\+\-!]$//;
|
||||
fatal_error "The +, - and ! modifiers are not allowed in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
|
||||
#
|
||||
# Handle actions
|
||||
#
|
||||
@ -1771,8 +1775,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
|
||||
}
|
||||
|
||||
if ( $inaction ) {
|
||||
$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY )
|
||||
if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
|
||||
$targets{$inaction} |= NATRULE if $inaction;
|
||||
fatal_error "NAT rules are not allowed in the BLACKLIST section" if $blacklist;
|
||||
}
|
||||
#
|
||||
# Take care of irregular syntax and targets
|
||||
@ -1796,6 +1801,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
} ,
|
||||
REJECT => sub { $action = 'reject'; } ,
|
||||
CONTINUE => sub { $action = 'RETURN'; } ,
|
||||
WHITELIST => sub { fatal_error "'WHITELIST' may only be used in the 'BLACKLIST' section" unless $blacklist;
|
||||
$action = 'RETURN'; } ,
|
||||
COUNT => sub { $action = ''; } ,
|
||||
LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
|
||||
);
|
||||
@ -1921,7 +1928,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
#
|
||||
# Handle Optimization
|
||||
#
|
||||
if ( $optimize > 0 ) {
|
||||
if ( $optimize > 0 && $section eq 'NEW' ) {
|
||||
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
|
||||
if ( $loglevel ne '' ) {
|
||||
return 0 if $target eq "${policy}:$loglevel}";
|
||||
@ -1934,9 +1941,32 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
#
|
||||
$chainref = ensure_rules_chain $chain;
|
||||
#
|
||||
# Don't let the rules in this chain be moved elsewhere
|
||||
# Handle use of the blacklist chain
|
||||
#
|
||||
dont_move $chainref;
|
||||
if ( $blacklist ) {
|
||||
my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
|
||||
my $blacklistref = $filter_table->{$blacklistchain};
|
||||
|
||||
unless ( $blacklistref ) {
|
||||
my @state;
|
||||
$blacklistref = dont_move( new_chain( 'filter', $blacklistchain ) );
|
||||
$blacklistref->{blacklistsection} = 1;
|
||||
|
||||
if ( $config{BLACKLISTNEWONLY} ) {
|
||||
#
|
||||
# Rather than add a 'NEW,INVALID' state match, we want to
|
||||
# install the ACCEPT ESTABLISH,RELATED rule in the main chain
|
||||
#
|
||||
add_ijump( $chainref, j => 'ACCEPT', state_imatch( 'ESTABLISHED,RELATED' ) );
|
||||
$chainref->{accepted} = 1;
|
||||
}
|
||||
|
||||
add_ijump( $chainref, j => $blacklistref, @state );
|
||||
}
|
||||
|
||||
$chain = $blacklistchain;
|
||||
$chainref = $blacklistref;
|
||||
}
|
||||
}
|
||||
}
|
||||
#
|
||||
@ -1972,7 +2002,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
|
||||
unless ( $section eq 'NEW' || $inaction ) {
|
||||
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
|
||||
fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
|
||||
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
|
||||
$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
|
||||
}
|
||||
|
||||
#
|
||||
@ -2264,13 +2294,15 @@ sub process_section ($) {
|
||||
fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
|
||||
$sections{$sect} = 1;
|
||||
|
||||
if ( $sect eq 'ESTABLISHED' ) {
|
||||
$sections{ALL} = 1;
|
||||
if ( $sect eq 'ALL' ) {
|
||||
$sections{BLACKLIST} = 1;
|
||||
} elsif ( $sect eq 'ESTABLISHED' ) {
|
||||
$sections{'BLACKLIST','ALL'} = ( 1, 1);
|
||||
} elsif ( $sect eq 'RELATED' ) {
|
||||
@sections{'ALL','ESTABLISHED'} = ( 1, 1);
|
||||
@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
|
||||
finish_section 'ESTABLISHED';
|
||||
} elsif ( $sect eq 'NEW' ) {
|
||||
@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
|
||||
@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
|
||||
finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
|
||||
}
|
||||
|
||||
|
@ -9,6 +9,7 @@
|
||||
######################################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
#SECTION BLACKLIST
|
||||
#SECTION ALL
|
||||
#SECTION ESTABLISHED
|
||||
#SECTION RELATED
|
||||
|
@ -48,9 +48,10 @@
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall supports two different forms of blacklisting; static and
|
||||
dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf
|
||||
controls the degree of blacklist filtering:</para>
|
||||
<para>Shorewall supports two different types of blackliisting; rule-based,
|
||||
static and dynamic. The BLACKLISTNEWONLY option in
|
||||
/etc/shorewall/shorewall.conf controls the degree of blacklist
|
||||
filtering:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -62,10 +63,46 @@
|
||||
<listitem>
|
||||
<para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
|
||||
new connection requests. Blacklists may not be used to terminate
|
||||
existing connections. Only the source address is checked against the
|
||||
blacklists.</para>
|
||||
existing connections.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Rule-based Blacklisting</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.25, the preferred method of
|
||||
blacklisting and whitelisting is to use the BLACKLIST section of the rules
|
||||
file. There you have access to the DROP, ACCEPT, REJECT and WHITELIST
|
||||
actions, standard and custom macros as well as standard and custom
|
||||
actions. See <ulink
|
||||
url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
||||
details.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
||||
# PORTS(S)
|
||||
SECTION BLACKLIST
|
||||
WHITELIST net:70.90.191.126 all
|
||||
DROP net all udp 1023:1033,1434,5948,23773
|
||||
DROP all net udp 1023:1033
|
||||
DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
|
||||
DROP net:221.192.199.48 all
|
||||
DROP net:61.158.162.9 all
|
||||
DROP net:81.21.54.100 all tcp 25
|
||||
DROP net:84.108.168.139 all
|
||||
DROP net:200.55.14.18 all
|
||||
</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Legacy Blacklisting</title>
|
||||
|
||||
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
|
||||
and dynamic. The dynamic variety is still appropriate for
|
||||
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
|
||||
deprecated.</para>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">By default, only the source address is
|
||||
@ -96,7 +133,6 @@
|
||||
load, and will have a very negative effect on firewall
|
||||
performance.</para>
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section id="Static">
|
||||
<title>Static Blacklisting</title>
|
||||
@ -107,7 +143,8 @@
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
|
||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in
|
||||
<ulink
|
||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
|
||||
</listitem>
|
||||
|
||||
@ -119,8 +156,8 @@
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You list the IP addresses/subnets that you wish to blacklist in
|
||||
<ulink
|
||||
<para>You list the IP addresses/subnets that you wish to blacklist
|
||||
in <ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5). You may also specify PROTOCOL and Port numbers/Service names in
|
||||
the blacklist file.</para>
|
||||
@ -131,18 +168,22 @@
|
||||
checked against the blacklist using the <quote>blacklist</quote>
|
||||
option in <ulink
|
||||
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
|
||||
(<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
in Shorewall 4.4.12 and later).</para>
|
||||
(<ulink
|
||||
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
|
||||
Shorewall 4.4.12 and later).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
|
||||
was supported.</para>
|
||||
|
||||
<para>Users with a large static black list may want to set the
|
||||
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
|
||||
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
|
||||
before loading the blacklist rules. While this may allow connections from
|
||||
blacklisted hosts to slip by during construction of the blacklist, it can
|
||||
substantially reduce the time that all new connections are disabled during
|
||||
"shorewall [re]start".</para>
|
||||
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
|
||||
connections before loading the blacklist rules. While this may allow
|
||||
connections from blacklisted hosts to slip by during construction of the
|
||||
blacklist, it can substantially reduce the time that all new connections
|
||||
are disabled during "shorewall [re]start".</para>
|
||||
|
||||
<para>Beginning with Shorewall 2.4.0, you can use <ulink
|
||||
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
|
||||
@ -157,13 +198,13 @@
|
||||
<para>In this example, there is a portmap ipset
|
||||
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
|
||||
destination ports included in the ipset. There are also
|
||||
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>) and
|
||||
<emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>) ipsets
|
||||
that allow blacklisting networks and individual IP addresses. Note that
|
||||
[src,dst] is specified so that individual entries in the sets can be bound
|
||||
to other portmap ipsets to allow blacklisting (<emphasis>source
|
||||
address</emphasis>, <emphasis>destination port</emphasis>) combinations.
|
||||
For example:</para>
|
||||
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
|
||||
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
|
||||
ipsets that allow blacklisting networks and individual IP addresses.
|
||||
Note that [src,dst] is specified so that individual entries in the sets
|
||||
can be bound to other portmap ipsets to allow blacklisting
|
||||
(<emphasis>source address</emphasis>, <emphasis>destination
|
||||
port</emphasis>) combinations. For example:</para>
|
||||
|
||||
<programlisting>ipset -N SMTP portmap --from 1 --to 31
|
||||
ipset -A SMTP 25
|
||||
@ -178,10 +219,10 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, you can create
|
||||
<firstterm>whitelist</firstterm> entries in the blacklist file.
|
||||
Connections/packets matching a whitelist entry are not matched against the
|
||||
entries in the blacklist file that follow. Whitelist entries are created
|
||||
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
|
||||
column). See <ulink
|
||||
Connections/packets matching a whitelist entry are not matched against
|
||||
the entries in the blacklist file that follow. Whitelist entries are
|
||||
created using the <emphasis role="bold">whitelist</emphasis> option
|
||||
(OPTIONS column). See <ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5).</para>
|
||||
</section>
|
||||
@ -194,8 +235,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
Prior to that release, the feature is always enabled.</para>
|
||||
|
||||
<para>Once enabled, dynamic blacklisting doesn't use any configuration
|
||||
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
|
||||
<emphasis role="bold">Note</emphasis> that <emphasis
|
||||
parameters but is rather controlled using /sbin/shorewall[-lite]
|
||||
commands. <emphasis role="bold">Note</emphasis> that <emphasis
|
||||
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
|
||||
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
|
||||
later</emphasis>.</para>
|
||||
@ -203,8 +244,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>drop [to|from] <emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be silently dropped by
|
||||
the firewall.</para>
|
||||
causes packets from the listed IP addresses to be silently dropped
|
||||
by the firewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -226,8 +267,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
restarted.</para>
|
||||
|
||||
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
||||
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
|
||||
<command>stop/start</command> sequences and over
|
||||
Shorewall 4.4.10, the dynamic blacklist is automatically retained
|
||||
over <command>stop/start</command> sequences and over
|
||||
<command>restart</command>.</para>
|
||||
</listitem>
|
||||
|
||||
@ -237,19 +278,20 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>logdrop [to|from] <emphasis><ip address list></emphasis> -
|
||||
causes packets from the listed IP addresses to be dropped and logged
|
||||
by the firewall. Logging will occur at the level specified by the
|
||||
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
|
||||
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
<para>logdrop [to|from] <emphasis><ip address list></emphasis>
|
||||
- causes packets from the listed IP addresses to be dropped and
|
||||
logged by the firewall. Logging will occur at the level specified by
|
||||
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
|
||||
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>logreject [to|from}<emphasis><ip address list></emphasis>
|
||||
- causes packets from the listed IP addresses to be rejected and
|
||||
logged by the firewall. Logging will occur at the level specified by
|
||||
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
|
||||
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||
<para>logreject [to|from}<emphasis><ip address
|
||||
list></emphasis> - causes packets from the listed IP addresses to
|
||||
be rejected and logged by the firewall. Logging will occur at the
|
||||
level specified by the BLACKLIST_LOGLEVEL setting at the last
|
||||
[re]start (logging will be at the 'info' level if no
|
||||
BLACKLIST_LOGLEVEL was given).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -278,9 +320,10 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
|
||||
<programlisting> <command>shorewall show dynamic</command></programlisting>
|
||||
|
||||
<para>Displays the 'dynamic' chain which contains rules for the dynamic
|
||||
blacklist. The <firstterm>source</firstterm> column contains the set of
|
||||
blacklisted addresses.</para>
|
||||
<para>Displays the 'dynamic' chain which contains rules for the
|
||||
dynamic blacklist. The <firstterm>source</firstterm> column contains
|
||||
the set of blacklisted addresses.</para>
|
||||
</example>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
|
@ -228,8 +228,10 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Check packets arriving on this interface against the
|
||||
<ulink
|
||||
<para>Deprecated in Shorewall 4.4.25 and later in favor of
|
||||
rules in the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5). Checks
|
||||
packets arriving on this interface against the <ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
@ -364,8 +366,11 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">maclist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Connection requests from this interface are compared
|
||||
against the contents of <ulink
|
||||
<para>Deprecated in Shorewall 4.4.25 and later in favor of
|
||||
rules in the BLACKLIST section of <ulink
|
||||
url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
|
||||
Connection requests from this interface are compared against
|
||||
the contents of <ulink
|
||||
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
|
||||
this option is specified, the interface must be an ethernet
|
||||
NIC and must be up before Shorewall is started.</para>
|
||||
@ -414,8 +419,9 @@ loc eth2 -</programlisting>
|
||||
<term>nosmurfs</term>
|
||||
|
||||
<listitem>
|
||||
<para>Filter packets for smurfs (packets with a broadcast
|
||||
address as the source).</para>
|
||||
<para> Deprecated in Shorewall 4.4.25 and later in favor of
|
||||
the DropSmurfs standard action. Filter packets for smurfs
|
||||
(packets with a broadcast address as the source).</para>
|
||||
|
||||
<para>Smurfs will be optionally logged based on the setting of
|
||||
SMURF_LOG_LEVEL in <ulink
|
||||
@ -632,11 +638,13 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">tcpflags</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Packets arriving on this interface are checked for
|
||||
certain illegal combinations of TCP flags. Packets found to
|
||||
have such a combination of flags are handled according to the
|
||||
setting of TCP_FLAGS_DISPOSITION after having been logged
|
||||
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
||||
<para>Deprecated in Shorewall 4.4.25 and later in favor of the
|
||||
TCPFlags standard action. Packets arriving on this interface
|
||||
are checked for certain illegal combinations of TCP flags.
|
||||
Packets found to have such a combination of flags are handled
|
||||
according to the setting of TCP_FLAGS_DISPOSITION after having
|
||||
been logged according to the setting of
|
||||
TCP_FLAGS_LOG_LEVEL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -46,11 +46,25 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.25. Rules in this
|
||||
section are applied depending on the setting of BLACKLISTNEWONLY in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the
|
||||
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
|
||||
they are applied to connections in the NEW and INVALID
|
||||
states.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.23. rules in this
|
||||
<para>This section was added in Shorewall 4.4.23. Rules in this
|
||||
section are applied, regardless of the connection tracking state of
|
||||
the packet.</para>
|
||||
</listitem>
|
||||
@ -101,14 +115,15 @@
|
||||
comfortable with the differences between the various connection tracking
|
||||
states, then it is suggested that you omit the <emphasis
|
||||
role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">RELATED</emphasis> sections and place all of your rules in
|
||||
the NEW section (That's after the line that reads SECTION NEW').</para>
|
||||
role="bold">RELATED</emphasis> sections and place all of your
|
||||
non-blacklisting rules in the NEW section (That's after the line that
|
||||
reads SECTION NEW').</para>
|
||||
</note>
|
||||
|
||||
<warning>
|
||||
<para>If you specify FASTACCEPT=Yes in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
|
||||
role="bold">ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">BLACKLIST, ALL, ESTABLISHED</emphasis> and <emphasis
|
||||
role="bold">RELATED</emphasis> sections must be empty.</para>
|
||||
</warning>
|
||||
|
||||
@ -171,7 +186,8 @@
|
||||
role="bold">DNAT</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] or <emphasis
|
||||
role="bold">REDIRECT</emphasis>[<emphasis
|
||||
role="bold">-</emphasis>] rules</para>
|
||||
role="bold">-</emphasis>] rules. Not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -181,7 +197,9 @@
|
||||
<listitem>
|
||||
<para>like ACCEPT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -191,7 +209,9 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT,
|
||||
ACCEPT+ and ACCEPT! respectively. Require AUDIT_TARGET support
|
||||
in the kernel and iptables.</para>
|
||||
in the kernel and iptables. A_ACCEPT+ and A_ACCEPT! are not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -202,7 +222,8 @@
|
||||
<para>Excludes the connection from any subsequent <emphasis
|
||||
role="bold">DNAT</emphasis>[-] or <emphasis
|
||||
role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
|
||||
a rule to accept the traffic.</para>
|
||||
a rule to accept the traffic. Not available in the <emphasis
|
||||
role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -220,7 +241,10 @@
|
||||
<listitem>
|
||||
<para>like DROP but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section. Not available in the <emphasis
|
||||
role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -230,7 +254,10 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
|
||||
DROP! respectively. Require AUDIT_TARGET support in the kernel
|
||||
and iptables.</para>
|
||||
and iptables. A_DROP! is not available in the <emphasis
|
||||
role="bold">BLACKLIST</emphasis> section. A_DROP! is not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -249,7 +276,9 @@
|
||||
<listitem>
|
||||
<para>like REJECT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -259,7 +288,8 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
|
||||
and REJECT! respectively. Require AUDIT_TARGET support in the
|
||||
kernel and iptables.</para>
|
||||
kernel and iptables. A_REJECT! is not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -281,7 +311,8 @@
|
||||
<para>Like <emphasis role="bold">DNAT</emphasis> but only
|
||||
generates the <emphasis role="bold">DNAT</emphasis> iptables
|
||||
rule and not the companion <emphasis
|
||||
role="bold">ACCEPT</emphasis> rule.</para>
|
||||
role="bold">ACCEPT</emphasis> rule. Not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -303,7 +334,8 @@
|
||||
<para>Like <emphasis role="bold">REDIRECT</emphasis> but only
|
||||
generates the <emphasis role="bold">REDIRECT</emphasis>
|
||||
iptables rule and not the companion <emphasis
|
||||
role="bold">ACCEPT</emphasis> rule.</para>
|
||||
role="bold">ACCEPT</emphasis> rule. Not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -331,7 +363,9 @@
|
||||
<listitem>
|
||||
<para>like CONTINUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -360,7 +394,9 @@
|
||||
<listitem>
|
||||
<para>like QUEUE but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -497,6 +533,16 @@
|
||||
rule, it is passed on to the next rule.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">WHITELIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.25. May only appear in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section and exempts
|
||||
the packet from following rules in that section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
||||
<para>The <replaceable>target</replaceable> may optionally be
|
||||
|
@ -207,8 +207,11 @@ c:a,b ipv4</programlisting>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.13. May not be specified for
|
||||
<emphasis role="bold">firewall</emphasis> or <emphasis
|
||||
<para>Added in Shorewall 4.4.13. Deprecated in Shorewall
|
||||
4.4.25 and later in favor of rules in the BLACKLIST section of
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
May not be specified for <emphasis
|
||||
role="bold">firewall</emphasis> or <emphasis
|
||||
role="bold">vserver</emphasis> zones.</para>
|
||||
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
|
@ -330,6 +330,10 @@
|
||||
<para>A_DROP and A_REJECT are audited versions of DROP and REJECT
|
||||
respectively and were added in Shorewall 4.4.20. They require
|
||||
AUDIT_TARGET in the kernel and iptables.</para>
|
||||
|
||||
<para> The BLACKLIST_DISPOSITION setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -343,7 +347,9 @@
|
||||
logged at. Its value is a syslog level (Example:
|
||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||
assign an empty value then packets from blacklisted hosts are not
|
||||
logged.</para>
|
||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -354,11 +360,15 @@
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. When set to <emphasis role="bold">No</emphasis> or
|
||||
<emphasis role="bold">no</emphasis>, blacklists are consulted for
|
||||
every packet (will slow down your firewall noticably if you have
|
||||
large blacklists). If the BLACKLISTNEWONLY option is not set or is
|
||||
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
||||
connections. That includes entries in the BLACKLIST section of
|
||||
<ulink url="shorewall-rules.html">shorewall-rules</ulink> (5).
|
||||
</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
(will slow down your firewall noticably if you have large
|
||||
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
|
||||
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
||||
|
||||
<note>
|
||||
<para>BLACKLISTNEWONLY=No is incompatible with
|
||||
|
@ -120,8 +120,10 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Check packets arriving on this interface against the
|
||||
<ulink
|
||||
<para>Deprecated in Shorewall 4.4.25 and later in favor of
|
||||
rules in the BLACKLIST section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
|
||||
Check packets arriving on this interface against the <ulink
|
||||
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
|
||||
file.</para>
|
||||
|
||||
@ -370,11 +372,14 @@ loc eth2 -</programlisting>
|
||||
<term><emphasis role="bold">tcpflags</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Packets arriving on this interface are checked for
|
||||
certain illegal combinations of TCP flags. Packets found to
|
||||
have such a combination of flags are handled according to the
|
||||
setting of TCP_FLAGS_DISPOSITION after having been logged
|
||||
according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
||||
<para>Deprecated in Shorewall 4.4.25 and later in favor of
|
||||
invoking the TCPFlags standard action in <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).
|
||||
Packets arriving on this interface are checked for certain
|
||||
illegal combinations of TCP flags. Packets found to have such
|
||||
a combination of flags are handled according to the setting of
|
||||
TCP_FLAGS_DISPOSITION after having been logged according to
|
||||
the setting of TCP_FLAGS_LOG_LEVEL.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -39,6 +39,20 @@
|
||||
<para>Sections are as follows and must appear in the order listed:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">BLACKLIST</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>This section was added in Shorewall 4.4.25. Rules in this
|
||||
section are applied depending on the setting of BLACKLISTNEWONLY in
|
||||
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). If
|
||||
BLACKLISTNEWONLY=No, then they are applied regardless of the
|
||||
connection tracking state of the packet. If BLACKLISTNEWONLY=Yes,
|
||||
they are applied to connections in the NEW and INVALID
|
||||
states.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">ALL</emphasis></term>
|
||||
|
||||
@ -157,7 +171,9 @@
|
||||
<listitem>
|
||||
<para>like ACCEPT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -167,7 +183,8 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
|
||||
and ACCEPT! respectively. Require AUDIT_TARGET support in the
|
||||
kernel and ip6tables.</para>
|
||||
kernel and ip6tables. A_ACCEPT! is not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -185,7 +202,9 @@
|
||||
<listitem>
|
||||
<para>like DROP but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -195,7 +214,8 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of DROP and
|
||||
DROP! respectively. Require AUDIT_TARGET support in the kernel
|
||||
and ip6tables.</para>
|
||||
and ip6tables. A_DROP! is not available in the <emphasis
|
||||
role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -214,7 +234,9 @@
|
||||
<listitem>
|
||||
<para>like REJECT but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -224,7 +246,8 @@
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.20. Audited versions of REJECT
|
||||
and REJECT! respectively. Require AUDIT_TARGET support in the
|
||||
kernel and ip6tables.</para>
|
||||
kernel and ip6tables. A_REJECT! is not available in the
|
||||
<emphasis role="bold">BLACKLIST</emphasis> section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -252,7 +275,9 @@
|
||||
<listitem>
|
||||
<para>like CONTINUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -281,7 +306,9 @@
|
||||
<listitem>
|
||||
<para>like QUEUE but exempts the rule from being suppressed by
|
||||
OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -313,7 +340,9 @@
|
||||
<listitem>
|
||||
<para>like NFQUEUE but exempts the rule from being suppressed
|
||||
by OPTIMIZE=1 in <ulink
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
||||
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Not
|
||||
available in the <emphasis role="bold">BLACKLIST</emphasis>
|
||||
section.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -205,8 +205,11 @@ c:a,b ipv6</programlisting>
|
||||
<term><emphasis role="bold">blacklist</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.4.13. May not be specified for
|
||||
<emphasis role="bold">firewall</emphasis> or <emphasis
|
||||
<para>Added in Shorewall 4.4.13. Deprecated in Shorewall
|
||||
4.4.25 and later in favor of rules in the BLACKLIST section of
|
||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5). May not be specified for <emphasis
|
||||
role="bold">firewall</emphasis> or <emphasis
|
||||
role="bold">vserver</emphasis> zones.</para>
|
||||
|
||||
<para>When specified in the IN_OPTIONS column, causes all
|
||||
|
@ -261,7 +261,10 @@
|
||||
blacklisted hosts. It may have the value DROP if the packets are to
|
||||
be dropped or REJECT if the packets are to be replied with an ICMP
|
||||
port unreachable reply or a TCP RST (tcp only). If you do not assign
|
||||
a value or if you assign an empty value then DROP is assumed.</para>
|
||||
a value or if you assign an empty value then DROP is assumed. The
|
||||
BLACKLIST_DISPOSITION setting has no effect on entries in the
|
||||
BLACKLIST section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -275,7 +278,9 @@
|
||||
logged at. Its value is a syslog level (Example:
|
||||
BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you
|
||||
assign an empty value then packets from blacklisted hosts are not
|
||||
logged.</para>
|
||||
logged. The BLACKLIST_LOGLEVEL setting has no effect on entries in
|
||||
the BLACKLIST section of <ulink
|
||||
url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
@ -286,11 +291,15 @@
|
||||
<listitem>
|
||||
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
|
||||
role="bold">yes</emphasis>, blacklists are only consulted for new
|
||||
connections. When set to <emphasis role="bold">No</emphasis> or
|
||||
<emphasis role="bold">no</emphasis>, blacklists are consulted for
|
||||
every packet (will slow down your firewall noticably if you have
|
||||
large blacklists). If the BLACKLISTNEWONLY option is not set or is
|
||||
set to the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
||||
connections. This includes entries in the BLACKLIST section of
|
||||
<ulink url="shorewall6-rules.html">shorewall6-rules</ulink>
|
||||
(5).</para>
|
||||
|
||||
<para>When set to <emphasis role="bold">No</emphasis> or <emphasis
|
||||
role="bold">no</emphasis>, blacklists are consulted for every packet
|
||||
(will slow down your firewall noticably if you have large
|
||||
blacklists). If the BLACKLISTNEWONLY option is not set or is set to
|
||||
the empty value then BLACKLISTNEWONLY=No is assumed.</para>
|
||||
|
||||
<note>
|
||||
<para>BLACKLISTNEWONLY=No is incompatible with
|
||||
@ -1691,8 +1700,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
||||
<para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
|
||||
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
||||
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5), shoewall6-netmap(5),shorewall6-params(5),
|
||||
shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
|
||||
shorewall6-nat(5), shorewall6-netmap(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-proxyarp(5),
|
||||
shorewall6-route_rules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
|
Loading…
Reference in New Issue
Block a user