Shorewall supports two different forms of blacklisting; static and dynamic.
Static Blacklisting
Shorewall static blacklisting support has the following configuration
parameters:
- You specify whether you want packets from blacklisted hosts dropped
or rejected using the BLACKLIST_DISPOSITION
setting in /etc/shorewall/shorewall.conf
- You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the BLACKLIST_LOGLEVEL setting in
/etc/shorewall/shorewall.conf
- You list the IP addresses/subnets that you wish to blacklist in
/etc/shorewall/blacklist.
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
Port numbers/Service names in the blacklist file.
- You specify the interfaces whose incoming packets you want checked
against the blacklist using the "blacklist" option in /etc/shorewall/interfaces.
- The black list is refreshed from /etc/shorewall/blacklist by the
"shorewall refresh" command.
Dynamic Blacklisting
Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:
- drop <ip address list> - causes packets from the
listed IP addresses to be silently dropped by the firewall.
- reject <ip address list> - causes packets from the
listed IP addresses to be rejected by the firewall.
- allow <ip address list> - re-enables receipt of packets
from hosts previously blacklisted by a drop or reject
command.
- save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is restarted.
- show dynamic - displays the dynamic blacklisting configuration.
Dynamic blacklisting is not dependent on the "blacklist" option
in /etc/shorewall/interfaces.
Example 1:
shorewall drop 192.0.2.124 192.0.2.125
Drops packets from hosts 192.0.2.124 and 192.0.2.125
Example 2:
shorewall allow 192.0.2.125
Reenables access from 192.0.2.125.
Last updated 7/27/2003 - Tom Eastep
Copyright
© 2002, 2003 Thomas M. Eastep.