<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall6-blrules</refentrytitle> <manvolnum>5</manvolnum> </refmeta> <refnamediv> <refname>blrules</refname> <refpurpose>shorewall6 Blacklist file</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>/etc/shorewall6/blrules</command> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>This file is used to perform zone-specific blacklisting and whitelisting.</para> <para>Rules in this file are applied depending on the setting of BLACKLISTNEWONLY in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5). If BLACKLISTNEWONLY=No, then they are applied regardless of the connection tracking state of the packet. If BLACKLISTNEWONLY=Yes, they are applied to connections in the NEW and INVALID states.</para> <para>The format of rules in this file is the same as the format of rules in <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>. The differece in the two files lies in the ACTION (first) column.</para> <variablelist> <varlistentry> <term><emphasis role="bold">ACTION- {<emphasis role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis role="bold">WHITELIST</emphasis>|<emphasis role="bold">LOG</emphasis>|<emphasis role="bold">QUEUE</emphasis>|<emphasis role="bold">NFQUEUE</emphasis>[<emphasis role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis role="bold">)</emphasis>]<emphasis role="bold">|[?]COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis role="bold">(</emphasis><emphasis>target</emphasis><emphasis role="bold">)</emphasis>]}<emphasis role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis role="bold">none</emphasis>}[<emphasis role="bold"><emphasis role="bold">!</emphasis></emphasis>][<emphasis role="bold">:</emphasis><emphasis>tag</emphasis>]]</emphasis></term> <listitem> <para>Specifies the action to be taken if the packet matches the rule. Must be one of the following.</para> <variablelist> <varlistentry> <term><emphasis role="bold">BLACKLIST</emphasis></term> <listitem> <para>Added in Shorewall 4.5.3. This is actually a macro that expands as follows:</para> <itemizedlist> <listitem> <para>If BLACKLIST_LOGLEVEL is specified in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5), then the macro expands to <emphasis role="bold">blacklog</emphasis>.</para> </listitem> <listitem> <para>Otherwise it expands to the action specified for BLACKLIST_DISPOSITION in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para> </listitem> </itemizedlist> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">blacklog</emphasis></term> <listitem> <para>May only be used if BLACKLIST_LOGLEVEL is specified in <ulink url="shorewall6.conf.html">shorewall6.conf </ulink>(5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term> <listitem> <para>Exempt the packet from the remaining rules in this file.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">DROP</emphasis></term> <listitem> <para>Ignore the packet.</para> </listitem> </varlistentry> <varlistentry> <term>A_DROP and A_DROP!</term> <listitem> <para>Audited versions of DROP. Requires AUDIT_TARGET support in the kernel and ip6tables.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">REJECT</emphasis></term> <listitem> <para>disallow the packet and return an icmp-unreachable or an RST packet.</para> </listitem> </varlistentry> <varlistentry> <term>A_REJECT</term> <listitem> <para>Audited versions of REJECT. Require AUDIT_TARGET support in the kernel and ip6tables.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">LOG</emphasis></term> <listitem> <para>Simply log the packet and continue with the next rule.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">QUEUE</emphasis></term> <listitem> <para>Queue the packet to a user-space application such as ftwall (http://p2pwall.sf.net). The application may reinsert the packet for further processing.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term> <listitem> <para>queues matching packets to a backend logging daemon via a netlink socket then continues to the next rule. See <ulink url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">NFQUEUE</emphasis></term> <listitem> <para>Queues the packet to a user-space application using the nfnetlink_queue mechanism. If a <replaceable>queuenumber</replaceable> is not specified, queue zero (0) is assumed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">[?]COMMENT</emphasis></term> <listitem> <para>the rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of "shorewall6 show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself.</para> <note> <para>Beginning with Shorewall 4.5.11, ?COMMENT is a synonym for COMMENT and is preferred.</para> </note> </listitem> </varlistentry> <varlistentry> <term><emphasis>action</emphasis></term> <listitem> <para>The name of an <emphasis>action</emphasis> declared in <ulink url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in /usr/share/shorewall6/actions.std.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis>macro</emphasis></term> <listitem> <para>The name of a macro defined in a file named macro.<emphasis>macro</emphasis>. If the macro accepts an action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the <emphasis>macro</emphasis> name is followed by the parenthesized <emphasis>target</emphasis> (<emphasis role="bold">ACCEPT</emphasis>, <emphasis role="bold">DROP</emphasis>, <emphasis role="bold">REJECT</emphasis>, ...) to be substituted for the parameter.</para> <para>Example: FTP(ACCEPT).</para> </listitem> </varlistentry> </variablelist> <para>The <emphasis role="bold">ACTION</emphasis> may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at the specified level.</para> <para>If the <emphasis role="bold">ACTION</emphasis> names an <emphasis>action</emphasis> declared in <ulink url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in /usr/share/shorewall6/actions.std then:</para> <itemizedlist> <listitem> <para>If the log level is followed by "!' then all rules in the action are logged at the log level.</para> </listitem> <listitem> <para>If the log level is not followed by "!" then only those rules in the action that do not specify logging are logged at the specified level.</para> </listitem> <listitem> <para>The special log level <emphasis role="bold">none!</emphasis> suppresses logging by the action.</para> </listitem> </itemizedlist> <para>You may also specify <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a log level.This will log to the NFLOG target for routing to a separate log through use of ulogd (<ulink url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para> <para>Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para> </listitem> </varlistentry> </variablelist> <para>For the remaining columns, see <ulink url="shorewall6-rules.html">shorewall6-rules (5)</ulink>.</para> </refsect1> <refsect1> <title>Example</title> <variablelist> <varlistentry> <term>Example 1:</term> <listitem> <para>Drop Teredo packets from the net.</para> <programlisting>DROP net:[2001::/32] all</programlisting> </listitem> </varlistentry> <varlistentry> <term>Example 2:</term> <listitem> <para>Don't subject packets from 2001:DB8::/64 to the remaining rules in the file.</para> <programlisting>WHITELIST net:[2001:DB8::/64] all</programlisting> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall6/blrules</para> </refsect1> <refsect1> <title>See ALSO</title> <para><ulink url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para> <para><ulink url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para> <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para> </refsect1> </refentry>