shorewall_code/manpages/shorewall-blacklist.xml
2010-09-13 13:23:32 -07:00

186 lines
6.9 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-blacklist</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>blacklist</refname>
<refpurpose>Shorewall Blacklist file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>/etc/shorewall/blacklist</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The blacklist file is used to perform static blacklisting. You can
blacklist by source address (IP or MAC), or by application.</para>
<para>The columns in the file are as follows.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis
role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
<listitem>
<para>Host address, network address, MAC address, IP address range
(if your kernel and iptables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).</para>
<para>MAC addresses must be prefixed with "~" and use "-" as a
separator.</para>
<para>Example: ~00-A0-C9-15-39-78</para>
<para>A dash ("-") in this column means that any source address will
match. This is useful if you want to blacklist a particular
application using entries in the PROTOCOL and PORTS columns.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
{<emphasis
role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
<listitem>
<para>If specified, must be a protocol number or a protocol name
from protocols(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
<listitem>
<para>May only be specified if the protocol is TCP (6) or UDP (17).
A comma-separated list of destination port numbers or service names
from services(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>OPTIONS (Optional - Added in 4.4.12) -
{-|{to|from}[,...]}</term>
<listitem>
<para>If specified, indicates whether traffic <emphasis
role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
then this column has no effect on the generated rule.</para>
<note>
<para>In Shorewall 4.4.12, blacklisting is still restricted to
traffic <emphasis>arriving</emphasis> on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you must specify
<option>blacklist</option> on your internal interface in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>
(5).</para>
</note>
<note>
<para>Beginning with Shorewall 4.4.13, entries specifying
<emphasis role="bold">to</emphasis> are applied based on the
<emphasis role="bold">blacklist</emphasis> setting in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5):</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given). Traffic
entering this interface are passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the firewall
and leaving by this interface is passed against the entries in
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this interface
is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
</listitem>
</orderedlist>
</note>
</listitem>
</varlistentry>
</variablelist>
<para></para>
</refsect1>
<refsect1>
<title>Example</title>
<variablelist>
<varlistentry>
<term>Example 1:</term>
<listitem>
<para>To block DNS queries from address 192.0.2.126:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126 udp 53</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>Example 2:</term>
<listitem>
<para>To block some of the nuisance applications:</para>
<programlisting> #ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/blacklist</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>