Shorewall Blacklisting/Whitelisting Support
Tom
Eastep
2002-2006
2010
2011
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.
Introduction
Shorewall supports two different forms of blacklisting; static and
dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf
controls the degree of blacklist filtering:
BLACKLISTNEWONLY=No -- All incoming packets are checked against
the blacklist. New blacklist entries can be used to terminate existing
connections.
BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
new connection requests. Blacklists may not be used to terminate
existing connections. Only the source address is checked against the
blacklists.
By default, only the source address is
checked against the blacklists. Blacklists only stop
blacklisted hosts from connecting to you — they do not stop you or your
users from connecting to blacklisted hosts .
UPDATE
Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See shorewall-blacklist
(5) and shorewall (8)
for details.
Dynamic Shorewall blacklisting is not
appropriate for blacklisting 1,000s of different addresses. Static
Blacklisting can handle large blacklists but only if you use
ipsets. Without ipsets, the blacklists will take forever to
load, and will have a very negative effect on firewall
performance.
Static Blacklisting
Shorewall static blacklisting support has the following
configuration parameters:
You specify whether you want packets from blacklisted hosts
dropped or rejected using the BLACKLIST_DISPOSITION setting in shorewall.conf(5).
You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
in shorewall.conf(5).
You list the IP addresses/subnets that you wish to blacklist in
shorewall-blacklist
(5). You may also specify PROTOCOL and Port numbers/Service names in
the blacklist file.
You specify the interfaces whose incoming packets you want
checked against the blacklist using the blacklist
option in shorewall-interfaces(5)
(shorewall-zones(5)
in Shorewall 4.4.12 and later).
Users with a large static black list may want to set the
DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
before loading the blacklist rules. While this may allow connections from
blacklisted hosts to slip by during construction of the blacklist, it can
substantially reduce the time that all new connections are disabled during
"shorewall [re]start".
Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's
an example:
#ADDRESS/SUBNET PROTOCOL PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
In this example, there is a portmap ipset
Blacklistports that blacklists all traffic with
destination ports included in the ipset. There are also
Blacklistnets (type nethash) and
Blacklist (type iphash) ipsets
that allow blacklisting networks and individual IP addresses. Note that
[src,dst] is specified so that individual entries in the sets can be bound
to other portmap ipsets to allow blacklisting (source
address, destination port) combinations.
For example:
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
ipset -A Blacklist 206.124.146.177
ipset -B Blacklist 206.124.146.177 -b SMTP
This will blacklist SMTP traffic from host 206.124.146.177.
Static Whitelisting
Beginning with Shorewall 4.4.20, you can create
whitelist entries in the blacklist file.
Connections/packets matching a whitelist entry are not matched against the
entries in the blacklist file that follow. Whitelist entries are created
using the whitelist option (OPTIONS
column). See shorewall-blacklist
(5).
Dynamic Blacklisting
Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
setting DYNAMIC_BLACKLIST=Yes in shorewall.conf.
Prior to that release, the feature is always enabled.
Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands.
Note that to and from may
only be specified when running Shorewall 4.4.12 or
later.
drop [to|from] <ip address list> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.
reject [to|from]<ip address list> -
causes packets from the listed IP addresses to be rejected by the
firewall.
allow [to|from] <ip address list> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject
command.
save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.
Update: Beginning with
Shorewall 4.4.10, the dynamic blacklist is automatically retained over
stop/start sequences and over
restart.
show dynamic - displays the dynamic blacklisting
configuration.
logdrop [to|from] <ip address list> -
causes packets from the listed IP addresses to be dropped and logged
by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).
logreject [to|from}<ip address list>
- causes packets from the listed IP addresses to be rejected and
logged by the firewall. Logging will occur at the level specified by
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
at the 'info' level if no BLACKLIST_LOGLEVEL was given).
Dynamic blacklisting is not dependent on the
blacklist
option in
/etc/shorewall/interfaces.
Ignore packets from a pair of systems
shorewall[-lite] drop 192.0.2.124 192.0.2.125
Drops packets from hosts 192.0.2.124 and 192.0.2.125
Re-enable packets from a system
shorewall[-lite] allow 192.0.2.125
Re-enables traffic from 192.0.2.125.
Displaying the Dynamic Blacklist
shorewall show dynamic
Displays the 'dynamic' chain which contains rules for the dynamic
blacklist. The source column contains the set of
blacklisted addresses.