diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4489279a4..c2ce9f50c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -816,6 +816,7 @@ sub initialize( $;$$) {
ACCEPT_DEFAULT => undef,
QUEUE_DEFAULT => undef,
NFQUEUE_DEFAULT => undef,
+ BLACKLIST_DEFAULT => undef,
#
# RSH/RCP Commands
#
@@ -6625,11 +6626,12 @@ sub get_configuration( $$$$ ) {
default 'RESTOREFILE' , 'restore';
default 'DROP_DEFAULT' , 'Drop';
default 'REJECT_DEFAULT' , 'Reject';
+ default 'BLACKLIST_DEFAULT' , 'Drop';
default 'QUEUE_DEFAULT' , 'none';
default 'NFQUEUE_DEFAULT' , 'none';
default 'ACCEPT_DEFAULT' , 'none';
- for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+ for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
}
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index b452ac0fa..e88a3d7a0 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -309,11 +309,12 @@ sub initialize( $ ) {
# This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
# in the %config hash when shorewall[6].conf was processed.
#
- %default_actions = ( DROP => 'none' ,
- REJECT => 'none' ,
- ACCEPT => 'none' ,
- QUEUE => 'none' ,
- NFQUEUE => 'none' ,
+ %default_actions = ( DROP => 'none' ,
+ REJECT => 'none' ,
+ BLACKLIST => 'none' ,
+ ACCEPT => 'none' ,
+ QUEUE => 'none' ,
+ NFQUEUE => 'none' ,
);
#
# These are set to 1 as sections are encountered.
@@ -679,6 +680,8 @@ sub process_a_policy1($$$$$$$) {
if $clientwild || $serverwild;
fatal_error "NONE policy not allowed to/from firewall zone"
if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+ } elsif ( $policy eq 'BLACKLIST' ) {
+ fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
}
unless ( $clientwild || $serverwild ) {
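Review bot: The guard added on L52, `$config{DYNAMIC_BLACKLIST} =~ /^ipset/`, is anchored only at the front, so any value beginning with `ipset` satisfies it, and it emits an uninitialized-value warning if the setting can still be undefined when policies are processed; whether Config.pm guarantees a defined, normalized value here is not visible in this diff. A tighter form such as `unless ( $config{DYNAMIC_BLACKLIST} || '' ) =~ /^ipset(?:-only)?(?:[,:]|$)/;` would accept the `ipset`/`ipset-only` spellings that the later `split( ':', ... )` in add_policy_rules expects while rejecting other prefixes; adapt the pattern to the grammar Config.pm actually validates. The check is also the only place the BLACKLIST policy is tied to the ipset requirement, so a short comment stating that (`# BLACKLIST only works when DYNAMIC_BLACKLIST is ipset-based; the set is populated in add_policy_rules`) would help the next reader. process_a_policy1 begins and ends outside this hunk.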
@@ -817,24 +820,26 @@ sub process_policies()
our %validpolicies = (
ACCEPT => undef,
REJECT => undef,
- DROP => undef,
+ DROP => undef,
CONTINUE => undef,
+ BLACKLIST => undef,
QUEUE => undef,
NFQUEUE => undef,
NONE => undef
);
- our %map = ( DROP_DEFAULT => 'DROP' ,
- REJECT_DEFAULT => 'REJECT' ,
- ACCEPT_DEFAULT => 'ACCEPT' ,
- QUEUE_DEFAULT => 'QUEUE' ,
- NFQUEUE_DEFAULT => 'NFQUEUE' );
+ our %map = ( DROP_DEFAULT => 'DROP' ,
+ REJECT_DEFAULT => 'REJECT' ,
+ BLACKLIST_DEFAULT => 'BLACKLIST' ,
+ ACCEPT_DEFAULT => 'ACCEPT' ,
+ QUEUE_DEFAULT => 'QUEUE' ,
+ NFQUEUE_DEFAULT => 'NFQUEUE' );
my $zone;
my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
- for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+ for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
my $action = $config{$option};
unless ( $action eq 'none' ) {
@@ -951,7 +956,20 @@ sub add_policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target;
- add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+ if ( $target eq 'BLACKLIST' ) {
+ my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
+
+ if ( my $timeout = $globals{DBL_TIMEOUT} ) {
+ add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+ } else {
+ add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+ }
+
+ $target = 'DROP';
+ } else {
+ add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+ }
+
add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
}
}
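Review bot: `$dbl_ipset` on L90 is obtained by re-splitting the raw `DYNAMIC_BLACKLIST` string, so when the setting names no set (e.g. plain `ipset`, with the set name left to whatever default Config.pm applies), the generated target on L93/L95 becomes `SET --add-set  src --exist` with an empty set name; since this branch already reads the parsed `$globals{DBL_TIMEOUT}`, the set name should presumably come from the same parsed globals, or at minimum be rejected with `fatal_error 'BLACKLIST policy requires a named blacklist ipset' unless $dbl_ipset;`. The other split results (`$dbl_type`, `$dbl_level`, `$dbl_tag`) are unused and can be dropped, and the target options are embedded in the `j =>` string whereas the surviving AUDIT line uses `targetopts =>`; keeping one convention makes the rule generation easier to audit. Note also that the BLACKLIST branch skips the `AUDIT` jump every other target still gets when `$chainref->{audit}` is set before rewriting the target to `DROP`; if that is intended, say so with a comment (`# BLACKLIST: add the source to the dynamic blacklist set, then DROP; audit is not applied`), otherwise move the AUDIT jump after the rewrite. add_policy_rules begins outside this hunk.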
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 07a81e41f..49504a8bb 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -108,6 +108,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index b114dc74c..1379b6aca 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -119,6 +119,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index b9596d074..e7a0b769a 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -116,6 +116,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index cbb8a6d39..183c29ee6 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -119,6 +119,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index 367540d92..39a162234 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -108,6 +108,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 7bc0be4dd..217f11427 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -115,6 +115,7 @@
role="bold">ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|
+
+ BLACKLIST
+
+
+ Added in Shorewall 5.1.1 and requires that the
+ DYNAMIC_BLACKLIST setting in shorewall.conf(5)
+ specifies ipset-based dynamic blacklisting. The SOURCE IP
+ address is added to the blacklist ipset and the connection
+ request is ignored.
+
+
+
QUEUE
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index e5028aaff..f77edcf2a 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -117,6 +117,16 @@
+
+ BLACKLIST_DEFAULT={action[(parameters)][:level]|none}
+
+
+
+
+
+
DROP_DEFAULT={action[(parameters)][:level]|REJECT_DEFAULT="Reject"
+ BLACKLIST_DEFAULT="Drop" (added in Shorewall
+ 5.1.1)
+
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 2e13fa02b..8871c894c 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -105,6 +105,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 4a34846b3..1bb50277c 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -106,6 +106,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index ff578879b..69c1424dc 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -105,6 +105,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index 0b125aac5..603554d05 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -105,6 +105,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
DROP_DEFAULT="Drop"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index 02819a2cc..2573460a7 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -105,6 +105,7 @@ TC=
###############################################################################
ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index 115613aff..5f00560c4 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -114,7 +114,7 @@
POLICY - {ACCEPT|DROP|REJECT|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]|
+
+ BLACKLIST
+
+
+ Added in Shorewall 5.1.1 and requires that the
+ DYNAMIC_BLACKLIST setting in shorewall6.conf(5)
+ specifies ipset-based dynamic blacklisting. The SOURCE IP
+ address is added to the blacklist ipset and the connection
+ request is ignored.
+
+
+
QUEUE
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 161e9252f..1f55dc6fc 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -103,6 +103,16 @@
+
+ BLACKLIST_DEFAULT={action[(parameters)][:level]|none}
+
+
+
+
+
+
DROP_DEFAULT={action[(parameters)][:level]|REJECT_DEFAULT="Reject"
+ BLACKLIST_DEFAULT="Drop" (added in Shorewall
+ 5.1.1)
+
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"