Shorewall Blacklisting Support
Shorewall supports two different forms of blacklisting: static and
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
option in /etc/shorewall/shorewall.conf controls the degree of
blacklist filtering:
- BLACKLISTNEWONLY=No -- All incoming packets are checked
against the blacklist. New blacklist entries can be used to terminate
existing connections. Versions of Shorewall prior to 1.4.8 behave in
this manner.
- BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
connection requests. Blacklists may not be used to terminate existing
connections.
Only the source address is checked against the blacklists.
Static Blacklisting
Shorewall static blacklisting support has the following configuration
parameters:
- You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION
setting in /etc/shorewall/shorewall.conf
- You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting in
/etc/shorewall/shorewall.conf
- You list the IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist.
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
port numbers/service names in the blacklist file.
- You specify the interfaces whose incoming packets you want
checked against the blacklist using the "blacklist" option in
/etc/shorewall/interfaces.
- The black list is refreshed from /etc/shorewall/blacklist by the "shorewall refresh" command.
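The following added example (not part of the original page) puts the static blacklisting parameters above into actual Shorewall 1.4 file syntax. It stages the fragments in a scratch directory (STAGE) rather than writing /etc/shorewall directly, assumes eth0 is the internet-facing interface, and uses constructed documentation addresses; blacklist_entries prints the parsed entries for review before "shorewall refresh" loads them.

```shell
#!/bin/sh
# Added example: stages Shorewall blacklist configuration in STAGE
# (an assumption; copy the files into /etc/shorewall after review).
STAGE="${STAGE:-/tmp/shorewall-blacklist-example}"

write_blacklist_config() {
    mkdir -p "$STAGE"

    # shorewall.conf settings named on this page: DROP keeps the firewall
    # silent toward listed hosts, "info" logs each hit to syslog at that
    # level, and BLACKLISTNEWONLY=Yes (1.4.8+) checks only new requests.
    cat > "$STAGE/shorewall.conf.fragment" <<'EOF'
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=info
BLACKLISTNEWONLY=Yes
EOF

    # /etc/shorewall/blacklist: ADDRESS/SUBNET, then optional PROTOCOL and
    # PORT columns (1.3.8+); "-" means any. Addresses are constructed
    # RFC 5737 documentation values, not real indicators.
    cat > "$STAGE/blacklist" <<'EOF'
#ADDRESS/SUBNET        PROTOCOL        PORT
192.0.2.0/24           -               -
198.51.100.7           tcp             25
198.51.100.7           udp             53
EOF

    # /etc/shorewall/interfaces: the "blacklist" option must be present on
    # every interface whose incoming packets should be checked (eth0 assumed).
    cat > "$STAGE/interfaces" <<'EOF'
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect       blacklist
EOF
}

# Print the blacklist file as "ADDRESS PROTOCOL PORT" rows with comments and
# blank lines stripped and missing columns shown as "-", so the entries can
# be reviewed before they are loaded.
blacklist_entries() {
    sed -e 's/#.*//' "$STAGE/blacklist" |
        awk 'NF { printf "%s %s %s\n", $1, ($2 ? $2 : "-"), ($3 ? $3 : "-") }'
}
```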
Dynamic Blacklisting
Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:
- drop <ip address list> - causes packets from the
listed IP addresses to be silently dropped by the firewall.
- reject <ip address list> - causes packets from the
listed IP addresses to be rejected by the firewall.
- allow <ip address list> - re-enables receipt of
packets from hosts previously blacklisted by a drop or reject
command.
- save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.
- show dynamic - displays the dynamic blacklisting configuration.
Dynamic blacklisting is not dependent on the "blacklist" option
in /etc/shorewall/interfaces.
Example 1:
shorewall drop 192.0.2.124 192.0.2.125
Drops packets from hosts 192.0.2.124 and 192.0.2.125.
Example 2:
shorewall allow 192.0.2.125
Re-enables access from 192.0.2.125.
Last updated 11/14/2003 - Tom Eastep
Copyright © 2002, 2003 Thomas M. Eastep.