forked from extern/shorewall_code
Update the blacklisting article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
6599425ce9
commit
a47cfb4f63
@ -85,14 +85,13 @@
|
|||||||
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
|
url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
|
||||||
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
|
There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
|
||||||
standard and custom macros as well as standard and custom actions. See
|
standard and custom macros as well as standard and custom actions. See
|
||||||
<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
|
<ulink url="manpages/shorewall-rules.html">shorewall-blrules</ulink> (5)
|
||||||
details.</para>
|
for details.</para>
|
||||||
|
|
||||||
<para>Example:</para>
|
<para>Example:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
||||||
# PORTS(S)
|
|
||||||
SECTION BLACKLIST
|
|
||||||
WHITELIST net:70.90.191.126 all
|
WHITELIST net:70.90.191.126 all
|
||||||
DROP net all udp 1023:1033,1434,5948,23773
|
DROP net all udp 1023:1033,1434,5948,23773
|
||||||
DROP all net udp 1023:1033
|
DROP all net udp 1023:1033
|
||||||
@ -107,147 +106,9 @@ DROP net:200.55.14.18 all
|
|||||||
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
|
<para>Beginning with Shorewall 4.4.26, the <command>update</command>
|
||||||
command supports a <option>-b</option> option that causes your legacy
|
command supports a <option>-b</option> option that causes your legacy
|
||||||
blacklisting configuration to use the blrules file.</para>
|
blacklisting configuration to use the blrules file.</para>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>If you prefer to keep your blacklisting rules in your rules file
|
|
||||||
(<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
|
|
||||||
(5)), you can place them in the BLACKLIST section of that file rather
|
|
||||||
than in blrules.</para>
|
|
||||||
</note>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>Legacy Blacklisting</title>
|
|
||||||
|
|
||||||
<para>Prior to 4.4.25, two forms of blacklisting were supported; static
|
|
||||||
and dynamic. The dynamic variety is still appropriate for
|
|
||||||
<firstterm>on-the-fly</firstterm> blacklisting; the static form is
|
|
||||||
deprecated.</para>
|
|
||||||
|
|
||||||
<important>
|
|
||||||
<para><emphasis role="bold">By default, only the source address is
|
|
||||||
checked against the blacklists</emphasis>. Blacklists only stop
|
|
||||||
blacklisted hosts from connecting to you — they do not stop you or your
|
|
||||||
users from connecting to blacklisted hosts .</para>
|
|
||||||
|
|
||||||
<variablelist>
|
|
||||||
<varlistentry>
|
|
||||||
<term>UPDATE</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
|
|
||||||
destination address. See <ulink
|
|
||||||
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
|
|
||||||
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
|
|
||||||
for details.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
</variablelist>
|
|
||||||
</important>
|
|
||||||
|
|
||||||
<important>
|
|
||||||
<para><emphasis role="bold">Dynamic Shorewall blacklisting is not
|
|
||||||
appropriate for blacklisting 1,000s of different addresses. Static
|
|
||||||
Blacklisting can handle large blacklists but only if you use
|
|
||||||
ipsets</emphasis>. Without ipsets, the blacklists will take forever to
|
|
||||||
load, and will have a very negative effect on firewall
|
|
||||||
performance.</para>
|
|
||||||
</important>
|
|
||||||
|
|
||||||
<section id="Static">
|
|
||||||
<title>Static Blacklisting</title>
|
|
||||||
|
|
||||||
<para>Shorewall static blacklisting support has the following
|
|
||||||
configuration parameters:</para>
|
|
||||||
|
|
||||||
<itemizedlist>
|
|
||||||
<listitem>
|
|
||||||
<para>You specify whether you want packets from blacklisted hosts
|
|
||||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in
|
|
||||||
<ulink
|
|
||||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You specify whether you want packets from blacklisted hosts
|
|
||||||
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
|
||||||
in <ulink
|
|
||||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You list the IP addresses/subnets that you wish to blacklist
|
|
||||||
in <ulink
|
|
||||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
|
||||||
(5). You may also specify PROTOCOL and Port numbers/Service names in
|
|
||||||
the blacklist file.</para>
|
|
||||||
</listitem>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>You specify the interfaces whose incoming packets you want
|
|
||||||
checked against the blacklist using the <quote>blacklist</quote>
|
|
||||||
option in <ulink
|
|
||||||
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
|
|
||||||
(<ulink
|
|
||||||
url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
|
|
||||||
Shorewall 4.4.12 and later).</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
|
||||||
|
|
||||||
<para>Prior to Shorewall 4.4.20, only source-address static blacklisting
|
|
||||||
was supported.</para>
|
|
||||||
|
|
||||||
<para>Users with a large static black list may want to set the
|
|
||||||
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
|
|
||||||
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
|
|
||||||
connections before loading the blacklist rules. While this may allow
|
|
||||||
connections from blacklisted hosts to slip by during construction of the
|
|
||||||
blacklist, it can substantially reduce the time that all new connections
|
|
||||||
are disabled during "shorewall [re]start".</para>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 2.4.0, you can use <ulink
|
|
||||||
url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
|
|
||||||
an example:</para>
|
|
||||||
|
|
||||||
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
+Blacklistports[dst]
|
|
||||||
+Blacklistnets[src,dst]
|
|
||||||
+Blacklist[src,dst]
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para>In this example, there is a portmap ipset
|
|
||||||
<emphasis>Blacklistports</emphasis> that blacklists all traffic with
|
|
||||||
destination ports included in the ipset. There are also
|
|
||||||
<emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
|
|
||||||
and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
|
|
||||||
ipsets that allow blacklisting networks and individual IP addresses.
|
|
||||||
Note that [src,dst] is specified so that individual entries in the sets
|
|
||||||
can be bound to other portmap ipsets to allow blacklisting
|
|
||||||
(<emphasis>source address</emphasis>, <emphasis>destination
|
|
||||||
port</emphasis>) combinations. For example:</para>
|
|
||||||
|
|
||||||
<programlisting>ipset -N SMTP portmap --from 1 --to 31
|
|
||||||
ipset -A SMTP 25
|
|
||||||
ipset -A Blacklist 206.124.146.177
|
|
||||||
ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|
||||||
|
|
||||||
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section id="whitelisting">
|
|
||||||
<title>Static Whitelisting</title>
|
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.20, you can create
|
|
||||||
<firstterm>whitelist</firstterm> entries in the blacklist file.
|
|
||||||
Connections/packets matching a whitelist entry are not matched against
|
|
||||||
the entries in the blacklist file that follow. Whitelist entries are
|
|
||||||
created using the <emphasis role="bold">whitelist</emphasis> option
|
|
||||||
(OPTIONS column). See <ulink
|
|
||||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
|
||||||
(5).</para>
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section id="Dynamic">
|
|
||||||
<title>Dynamic Blacklisting</title>
|
<title>Dynamic Blacklisting</title>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
|
<para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
|
||||||
@ -255,8 +116,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|||||||
Prior to that release, the feature is always enabled.</para>
|
Prior to that release, the feature is always enabled.</para>
|
||||||
|
|
||||||
<para>Once enabled, dynamic blacklisting doesn't use any configuration
|
<para>Once enabled, dynamic blacklisting doesn't use any configuration
|
||||||
parameters but is rather controlled using /sbin/shorewall[-lite]
|
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
|
||||||
commands. <emphasis role="bold">Note</emphasis> that <emphasis
|
<emphasis role="bold">Note</emphasis> that <emphasis
|
||||||
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
|
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
|
||||||
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
|
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
|
||||||
later</emphasis>.</para>
|
later</emphasis>.</para>
|
||||||
@ -264,8 +125,8 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>drop [to|from] <emphasis><ip address list></emphasis> -
|
<para>drop [to|from] <emphasis><ip address list></emphasis> -
|
||||||
causes packets from the listed IP addresses to be silently dropped
|
causes packets from the listed IP addresses to be silently dropped by
|
||||||
by the firewall.</para>
|
the firewall.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -287,9 +148,10 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|||||||
restarted.</para>
|
restarted.</para>
|
||||||
|
|
||||||
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
<para><emphasis role="bold">Update:</emphasis> Beginning with
|
||||||
Shorewall 4.4.10, the dynamic blacklist is automatically retained
|
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
|
||||||
over <command>stop/start</command> sequences and over
|
<command>stop/start</command> sequences and over
|
||||||
<command>restart</command>.</para>
|
<command>restart</command> and <emphasis
|
||||||
|
role="bold">reload</emphasis>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -298,52 +160,20 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>logdrop [to|from] <emphasis><ip address list></emphasis>
|
<para>logdrop [to|from] <emphasis><ip address list></emphasis> -
|
||||||
- causes packets from the listed IP addresses to be dropped and
|
causes packets from the listed IP addresses to be dropped and logged
|
||||||
logged by the firewall. Logging will occur at the level specified by
|
by the firewall. Logging will occur at the level specified by the
|
||||||
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
|
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
|
||||||
be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>logreject [to|from}<emphasis><ip address
|
<para>logreject [to|from}<emphasis><ip address list></emphasis>
|
||||||
list></emphasis> - causes packets from the listed IP addresses to
|
- causes packets from the listed IP addresses to be rejected and
|
||||||
be rejected and logged by the firewall. Logging will occur at the
|
logged by the firewall. Logging will occur at the level specified by
|
||||||
level specified by the BLACKLIST_LOGLEVEL setting at the last
|
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
|
||||||
[re]start (logging will be at the 'info' level if no
|
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
|
||||||
BLACKLIST_LOGLEVEL was given).</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>Dynamic blacklisting is not dependent on the
|
|
||||||
<quote>blacklist</quote> option in
|
|
||||||
<filename>/etc/shorewall/interfaces</filename>.</para>
|
|
||||||
|
|
||||||
<example id="Ignore">
|
|
||||||
<title>Ignore packets from a pair of systems</title>
|
|
||||||
|
|
||||||
<programlisting> <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
|
|
||||||
|
|
||||||
<para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
|
|
||||||
</example>
|
|
||||||
|
|
||||||
<example id="Allow">
|
|
||||||
<title>Re-enable packets from a system</title>
|
|
||||||
|
|
||||||
<programlisting> <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
|
|
||||||
|
|
||||||
<para>Re-enables traffic from 192.0.2.125.</para>
|
|
||||||
</example>
|
|
||||||
|
|
||||||
<example>
|
|
||||||
<title>Displaying the Dynamic Blacklist</title>
|
|
||||||
|
|
||||||
<programlisting> <command>shorewall show dynamic</command></programlisting>
|
|
||||||
|
|
||||||
<para>Displays the 'dynamic' chain which contains rules for the
|
|
||||||
dynamic blacklist. The <firstterm>source</firstterm> column contains
|
|
||||||
the set of blacklisted addresses.</para>
|
|
||||||
</example>
|
|
||||||
</section>
|
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
||||||
|
Loading…
Reference in New Issue
Block a user