From e6933f4c8d5dbb1917c69f972d83019acb1b2713 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Wed, 18 Jan 2017 10:55:15 -0800 Subject: [PATCH] Add BLACKLIST policy Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 4 +- Shorewall/Perl/Shorewall/Rules.pm | 44 +++++++++++++------ Shorewall/Samples/Universal/shorewall.conf | 1 + .../Samples/one-interface/shorewall.conf | 1 + .../Samples/three-interfaces/shorewall.conf | 1 + .../Samples/two-interfaces/shorewall.conf | 1 + Shorewall/configfiles/shorewall.conf | 1 + Shorewall/manpages/shorewall-policy.xml | 14 ++++++ Shorewall/manpages/shorewall.conf.xml | 13 ++++++ Shorewall6/Samples6/Universal/shorewall6.conf | 1 + .../Samples6/one-interface/shorewall6.conf | 1 + .../Samples6/three-interfaces/shorewall6.conf | 1 + .../Samples6/two-interfaces/shorewall6.conf | 1 + Shorewall6/configfiles/shorewall6.conf | 1 + Shorewall6/manpages/shorewall6-policy.xml | 15 ++++++- Shorewall6/manpages/shorewall6.conf.xml | 13 ++++++ 16 files changed, 98 insertions(+), 15 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4489279a4..c2ce9f50c 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -816,6 +816,7 @@ sub initialize( $;$$) { ACCEPT_DEFAULT => undef, QUEUE_DEFAULT => undef, NFQUEUE_DEFAULT => undef, + BLACKLIST_DEFAULT => undef, # # RSH/RCP Commands # 
@@ -6625,11 +6626,12 @@ sub get_configuration( $$$$ ) { default 'RESTOREFILE' , 'restore'; default 'DROP_DEFAULT' , 'Drop'; default 'REJECT_DEFAULT' , 'Reject'; + default 'BLACKLIST_DEFAULT' , 'Drop'; default 'QUEUE_DEFAULT' , 'none'; default 'NFQUEUE_DEFAULT' , 'none'; default 'ACCEPT_DEFAULT' , 'none'; - for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { + for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) { $config{$default} = 'none' if "\L$config{$default}" eq 'none'; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index b452ac0fa..e88a3d7a0 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -309,11 +309,12 @@ sub initialize( $ ) { # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored # in the %config hash when shorewall[6].conf was processed. # - %default_actions = ( DROP => 'none' , - REJECT => 'none' , - ACCEPT => 'none' , - QUEUE => 'none' , - NFQUEUE => 'none' , + %default_actions = ( DROP => 'none' , + REJECT => 'none' , + BLACKLIST => 'none' , + ACCEPT => 'none' , + QUEUE => 'none' , + NFQUEUE => 'none' , ); # # These are set to 1 as sections are encountered. @@ -679,6 +680,8 @@ sub process_a_policy1($$$$$$$) { if $clientwild || $serverwild; fatal_error "NONE policy not allowed to/from firewall zone" if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL ); + } elsif ( $policy eq 'BLACKLIST' ) { + fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/; } unless ( $clientwild || $serverwild ) { 
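Review bot: The new `elsif ( $policy eq 'BLACKLIST' )` branch only checks that dynamic blacklisting is ipset-based; unlike the NONE branch directly above it, it does not reject a BLACKLIST policy whose client zone is the firewall zone. Because the policy rule added in add_policy_rules enters the packet's `src` address into the blacklist set, a policy with `$FW` as client would presumably put the firewall's own addresses into that set; `fatal_error "BLACKLIST policy not allowed from the firewall zone" if zone_type( $client ) == FIREWALL;` beside the existing check would catch that at compile time. The match `/^ipset/` also assumes DYNAMIC_BLACKLIST has already been normalised to lower case when it was read; if it has not, `/^ipset/i` (or the parsed value Config.pm keeps) is safer. The enclosing if/elsif chain and process_a_policy1 continue outside the hunk.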
@@ -817,24 +820,26 @@ sub process_policies() our %validpolicies = ( ACCEPT => undef, REJECT => undef, - DROP => undef, + DROP => undef, CONTINUE => undef, + BLACKLIST => undef, QUEUE => undef, NFQUEUE => undef, NONE => undef ); - our %map = ( DROP_DEFAULT => 'DROP' , - REJECT_DEFAULT => 'REJECT' , - ACCEPT_DEFAULT => 'ACCEPT' , - QUEUE_DEFAULT => 'QUEUE' , - NFQUEUE_DEFAULT => 'NFQUEUE' ); + our %map = ( DROP_DEFAULT => 'DROP' , + REJECT_DEFAULT => 'REJECT' , + BLACKLIST_DEFAULT => 'BLACKLIST' , + ACCEPT_DEFAULT => 'ACCEPT' , + QUEUE_DEFAULT => 'QUEUE' , + NFQUEUE_DEFAULT => 'NFQUEUE' ); my $zone; my $firewall = firewall_zone; our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); - for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) { + for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) { my $action = $config{$option}; unless ( $action eq 'none' ) { @@ -951,7 +956,20 @@ sub add_policy_rules( $$$$$ ) { log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; fatal_error "Null target in policy_rules()" unless $target; - add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; + if ( $target eq 'BLACKLIST' ) { + my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} ); + + if ( my $timeout = $globals{DBL_TIMEOUT} ) { + add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" ); + } else { + add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" ); + } + + $target = 'DROP'; + } else { + add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit}; + } + add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE'; } } 
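Review bot: `split( ':', $config{DYNAMIC_BLACKLIST} )` re-parses the raw setting inside add_policy_rules even though the timeout is already taken from `$globals{DBL_TIMEOUT}`; when the setting is written as plain `ipset` with no explicit set name, `$dbl_ipset` is undefined and the emitted rule becomes `SET --add-set  src --exist`, which presumably fails only when the generated script is run rather than at compile time. If Config.pm already records the resolved set name in `%globals` alongside DBL_TIMEOUT, read it from there; otherwise apply the same default here and `fatal_error` when the name is empty. `$dbl_type`, `$dbl_level` and `$dbl_tag` are assigned but never used. For consistency with the AUDIT jump in the else branch, the match options belong in `targetopts`, e.g. `add_ijump( $chainref, j => 'SET', targetopts => "--add-set $dbl_ipset src --exist" )`, rather than being folded into the jump name. add_policy_rules begins and ends outside the hunk.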
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf index 07a81e41f..49504a8bb 100644 --- a/Shorewall/Samples/Universal/shorewall.conf +++ b/Shorewall/Samples/Universal/shorewall.conf @@ -108,6 +108,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf index b114dc74c..1379b6aca 100644 --- a/Shorewall/Samples/one-interface/shorewall.conf +++ b/Shorewall/Samples/one-interface/shorewall.conf @@ -119,6 +119,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf index b9596d074..e7a0b769a 100644 --- a/Shorewall/Samples/three-interfaces/shorewall.conf +++ b/Shorewall/Samples/three-interfaces/shorewall.conf @@ -116,6 +116,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf index cbb8a6d39..183c29ee6 100644 --- a/Shorewall/Samples/two-interfaces/shorewall.conf +++ b/Shorewall/Samples/two-interfaces/shorewall.conf @@ -119,6 +119,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 367540d92..39a162234 100644 
--- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -108,6 +108,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT=Drop DROP_DEFAULT=Drop NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml index 7bc0be4dd..217f11427 100644 --- a/Shorewall/manpages/shorewall-policy.xml +++ b/Shorewall/manpages/shorewall-policy.xml @@ -115,6 +115,7 @@ role="bold">ACCEPT|DROP|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]| + + BLACKLIST + + + Added in Shorewall 5.1.1 and requires that the + DYNAMIC_BLACKLIST setting in shorewall.conf(5) + specifies ipset-based dynamic blacklisting. The SOURCE IP + address is added to the blacklist ipset and the connection + request is ignored. + + + QUEUE diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index e5028aaff..f77edcf2a 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -117,6 +117,16 @@ + + BLACKLIST_DEFAULT={action[(parameters)][:level]|none} + + + + + + DROP_DEFAULT={action[(parameters)][:level]|REJECT_DEFAULT="Reject" + BLACKLIST_DEFAULT="Drop" (added in Shorewall + 5.1.1) + ACCEPT_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf index 2e13fa02b..8871c894c 100644 --- a/Shorewall6/Samples6/Universal/shorewall6.conf +++ b/Shorewall6/Samples6/Universal/shorewall6.conf @@ -105,6 +105,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf index 4a34846b3..1bb50277c 100644 
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf +++ b/Shorewall6/Samples6/one-interface/shorewall6.conf @@ -106,6 +106,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf index ff578879b..69c1424dc 100644 --- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf @@ -105,6 +105,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf index 0b125aac5..603554d05 100644 --- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf +++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf @@ -105,6 +105,7 @@ TC= ############################################################################### ACCEPT_DEFAULT="none" +BLACKLIST_DEFAULT="Drop" DROP_DEFAULT="Drop" NFQUEUE_DEFAULT="none" QUEUE_DEFAULT="none" diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf index 02819a2cc..2573460a7 100644 --- a/Shorewall6/configfiles/shorewall6.conf +++ b/Shorewall6/configfiles/shorewall6.conf @@ -105,6 +105,7 @@ TC= ############################################################################### ACCEPT_DEFAULT=none +BLACKLIST_DEFAULT=Drop DROP_DEFAULT=Drop NFQUEUE_DEFAULT=none QUEUE_DEFAULT=none diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml index 115613aff..5f00560c4 100644 --- a/Shorewall6/manpages/shorewall6-policy.xml +++ b/Shorewall6/manpages/shorewall6-policy.xml 
@@ -114,7 +114,7 @@ POLICY - {ACCEPT|DROP|REJECT|REJECT|BLACKLIST|CONTINUE|QUEUE|NFQUEUE[(queuenumber1[:queuenumber2])]| + + BLACKLIST + + + Added in Shorewall 5.1.1 and requires that the + DYNAMIC_BLACKLIST setting in shorewall6.conf(5) + specifies ipset-based dynamic blacklisting. The SOURCE IP + address is added to the blacklist ipset and the connection + request is ignored. + + + QUEUE diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index 161e9252f..1f55dc6fc 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml @@ -103,6 +103,16 @@ + + BLACKLIST_DEFAULT={action[(parameters)][:level]|none} + + + + + + DROP_DEFAULT={action[(parameters)][:level]|REJECT_DEFAULT="Reject" + BLACKLIST_DEFAULT="Drop" (added in Shorewall + 5.1.1) + ACCEPT_DEFAULT="none" QUEUE_DEFAULT="none"