forked from extern/shorewall_code
Implement whitelisting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
8ec33cd6dd
commit
e940f5018e
@ -247,9 +247,19 @@ sub setup_blacklist() {
|
||||
|
||||
$options = 'src' if $options eq '-';
|
||||
|
||||
my ( $to, $from ) = ( 0, 0 );
|
||||
my ( $to, $from, $whitelist ) = ( 0, 0, 0 );
|
||||
|
||||
for ( split /,/, $options ) {
|
||||
my @options = split_list $options, 'option';
|
||||
|
||||
for ( @options ) {
|
||||
$whitelist++ if $_ eq 'whitelist';
|
||||
}
|
||||
|
||||
warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
|
||||
|
||||
my $tgt = $whitelist ? 'RETURN' : $target;
|
||||
|
||||
for ( @options ) {
|
||||
if ( $_ =~ /^(?:from|src)$/ ) {
|
||||
if ( $from++ ) {
|
||||
warning_message "Duplicate 'src' ignored";
|
||||
@ -262,9 +272,9 @@ sub setup_blacklist() {
|
||||
$networks,
|
||||
'',
|
||||
'' ,
|
||||
$target ,
|
||||
$tgt ,
|
||||
'' ,
|
||||
$target ,
|
||||
$tgt ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message '"src" entry ignored because there are no "blacklist in" zones';
|
||||
@ -282,15 +292,15 @@ sub setup_blacklist() {
|
||||
'',
|
||||
$networks,
|
||||
'' ,
|
||||
$target ,
|
||||
$tgt ,
|
||||
'' ,
|
||||
$target ,
|
||||
$tgt ,
|
||||
'' );
|
||||
} else {
|
||||
warning_message '"dst" entry ignored because there are no "blacklist out" zones';
|
||||
}
|
||||
}
|
||||
} else {
|
||||
} elsif ( $_ ne 'whitelist' ) {
|
||||
fatal_error "Invalid blacklist option($_)";
|
||||
}
|
||||
}
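Review bot: The first `for ( @options )` loop deserves a comment explaining the two-pass shape, since `$whitelist` must be settled before any rule is emitted (the option may come after `src`/`dst` in the list) and it changes the target of every rule the second loop produces; something like `# Pre-scan for 'whitelist': it may follow src/dst and selects RETURN for every rule emitted below.` placed above that loop. The visible change only substitutes `$tgt` for `$target` in the rule arguments, so the release-notes statement that whitelisted packets are never logged depends on logging code outside this hunk — if a log rule is emitted per entry elsewhere in setup_blacklist, it presumably needs to be skipped when `$whitelist` is set, otherwise a RETURN entry would still be logged as a blacklist hit; worth confirming. The option match `/^(?:from|src)$/` accepts a trailing newline through `$`; `m{\A(?:from|src)\z}` matches the option exactly. setup_blacklist starts before the first hunk and its rule-emission code continues past the last one.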
|
||||
|
@ -8,6 +8,8 @@ Changes in Shorewall 4.4.20 Beta 2
|
||||
|
||||
4) Implemented NFLOG accounting action.
|
||||
|
||||
5) Implement 'whitelist' option.
|
||||
|
||||
Changes in Shorewall 4.4.20 Beta 1
|
||||
|
||||
1) Apply Togan's patch for installation flexibility.
|
||||
|
@ -51,7 +51,12 @@ All bug fixes from 4.4.19.1 - 4.4.19.4.
|
||||
|
||||
3) An NFLOG 'ACTION' has been added to the accounting file to allow
|
||||
sending matching packets (or the leading part of them) to backend
|
||||
accounting daemons via a netlink socket.
|
||||
accounting daemons via a netlink socket.
|
||||
|
||||
4) A 'whitelist' option has been added to the blacklist file. When
|
||||
'whitelist' is specified, packets/connections matching the entry
|
||||
are not matched against the entries which follow. No logging of
|
||||
whitelisted packets/connections is performed.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||
|
@ -124,7 +124,7 @@
|
||||
|
||||
<row>
|
||||
<entry><ulink
|
||||
url="blacklisting_support.htm">Blacklisting</ulink></entry>
|
||||
url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
|
||||
|
||||
<entry><ulink
|
||||
url="two-interface.htm#SNAT">Masquerading</ulink></entry>
|
||||
@ -265,8 +265,8 @@
|
||||
<entry><ulink url="two-interface.htm#DNAT">Port
|
||||
Forwarding</ulink></entry>
|
||||
|
||||
<entry><ulink url="whitelisting_under_shorewall.htm">White List
|
||||
Creation</ulink></entry>
|
||||
<entry><ulink url="blacklisting_support.htm#whitelisting">White
|
||||
List Creation</ulink></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -5,7 +5,7 @@
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall Blacklisting Support</title>
|
||||
<title>Shorewall Blacklisting/Whitelisting Support</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
@ -22,6 +22,8 @@
|
||||
|
||||
<year>2010</year>
|
||||
|
||||
<year>2011</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
@ -66,10 +68,10 @@
|
||||
</orderedlist>
|
||||
|
||||
<important>
|
||||
<para><emphasis role="bold">Only the source address is checked against
|
||||
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
|
||||
connecting to you — they do not stop you or your users from connecting
|
||||
to blacklisted hosts .</para>
|
||||
<para><emphasis role="bold">By default, only the source address is
|
||||
checked against the blacklists</emphasis>. Blacklists only stop
|
||||
blacklisted hosts from connecting to you — they do not stop you or your
|
||||
users from connecting to blacklisted hosts .</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -106,36 +108,31 @@
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
|
||||
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename>.</ulink></para>
|
||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify whether you want packets from blacklisted hosts
|
||||
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
|
||||
in <ulink
|
||||
url="manpages/shorewall.conf.html"><filename>/etc/shorewall/shorewall.conf</filename></ulink>.</para>
|
||||
url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You list the IP addresses/subnets that you wish to blacklist in
|
||||
<ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>/etc/shorewall/blacklist</filename></ulink>.
|
||||
You may also specify PROTOCOL and Port numbers/Service names in the
|
||||
blacklist file.</para>
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5). You may also specify PROTOCOL and Port numbers/Service names in
|
||||
the blacklist file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You specify the interfaces whose incoming packets you want
|
||||
checked against the blacklist using the <quote>blacklist</quote>
|
||||
option in <ulink
|
||||
url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The black list is refreshed from
|
||||
<filename>/etc/shorewall/blacklist</filename> by the <quote><ulink
|
||||
url="starting_and_stopping_shorewall.htm"><command>shorewall
|
||||
refresh</command></ulink></quote> command.</para>
|
||||
url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
|
||||
(<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
|
||||
in Shorewall 4.4.12 and later).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -176,6 +173,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
|
||||
<para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
|
||||
</section>
|
||||
|
||||
<section id="whitelisting">
|
||||
<title>Static Whitelisting</title>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.20, you can create
|
||||
<firstterm>whitelist</firstterm> entries in the blacklist file.
|
||||
Connections/packets matching a whitelist entry are not matched against the
|
||||
entries in the blacklist file that follow. Whitelist entries are created
|
||||
using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
|
||||
column). See <ulink
|
||||
url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
|
||||
(5).</para>
|
||||
</section>
|
||||
|
||||
<section id="Dynamic">
|
||||
<title>Dynamic Blacklisting</title>
|
||||
|
||||
|
@ -78,7 +78,7 @@
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||
{-|{dst|src}[,...]}</term>
|
||||
{-|{dst|src|whitelist}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates whether traffic
|
||||
@ -122,6 +122,12 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</note>
|
||||
|
||||
<para>In Shorewall 4.4.20, the <emphasis
|
||||
role="bold">whitelist</emphasis> option was added. When <emphasis
|
||||
role="bold">whitelist</emphasis> is specified, packets/connections
|
||||
that match the entry are not matched against the remaining entries
|
||||
in the file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -78,7 +78,7 @@
|
||||
|
||||
<varlistentry>
|
||||
<term>OPTIONS (Optional - Added in 4.4.12) -
|
||||
{-|{dst|src}[,...]}</term>
|
||||
{-|{dst|src|whitelist}[,...]}</term>
|
||||
|
||||
<listitem>
|
||||
<para>If specified, indicates whether traffic
|
||||
@ -122,6 +122,12 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</note>
|
||||
|
||||
<para>In Shorewall 4.4.20, the <emphasis
|
||||
role="bold">whitelist</emphasis> option was added. When <emphasis
|
||||
role="bold">whitelist</emphasis> is specified, packets/connections
|
||||
that match the entry are not matched against the remaining entries
|
||||
in the file.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|