<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-blacklist</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id289787"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>blacklist — Shorewall Blacklist file</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">/etc/shorewall/blacklist</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id289823"></a><h2>Description</h2><p>The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application.</p><p>The columns in the file are as follows.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>ADDRESS/SUBNET</strong></span> - {<span class="bold"><strong>-</strong></span>|<span class="bold"><strong>~</strong></span><span class="emphasis"><em>mac-address</em></span>|<span class="emphasis"><em>ip-address</em></span>|<span class="emphasis"><em>address-range</em></span>|<span class="bold"><strong>+</strong></span><span class="emphasis"><em>ipset</em></span>}</span></dt><dd><p>Host address, network address, MAC address, IP address range (if your kernel and iptables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match).</p><p>MAC addresses must be prefixed with "~" and use "-" as a separator.</p><p>Example: ~00-A0-C9-15-39-78</p><p>A dash ("-") in this column means that any source address will match. 
This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns.</p></dd><dt><span class="term"><span class="bold"><strong>PROTOCOL</strong></span> (Optional) - {<span class="bold"><strong>-</strong></span>|<span class="emphasis"><em>protocol-number</em></span>|<span class="emphasis"><em>protocol-name</em></span>}</span></dt><dd><p>If specified, must be a protocol number or a protocol name from protocols(5).</p></dd><dt><span class="term"><span class="bold"><strong>PORTS</strong></span> (Optional) - {<span class="bold"><strong>-</strong></span>|<span class="emphasis"><em>port-name-or-number</em></span>[,<span class="emphasis"><em>port-name-or-number</em></span>]...}</span></dt><dd><p>May only be specified if the protocol is TCP (6) or UDP (17). A comma-separated list of destination port numbers or service names from services(5).</p></dd></dl></div><p>When a packet arrives on an interface that has the <span class="bold"><strong>blacklist</strong></span> option specified in <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5), its source IP address and MAC address are checked against this file and the packet is disposed of according to the <span class="bold"><strong>BLACKLIST_DISPOSITION</strong></span> and <span class="bold"><strong>BLACKLIST_LOGLEVEL</strong></span> variables in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). 
If <span class="bold"><strong>PROTOCOL</strong></span> is supplied (optionally together with <span class="bold"><strong>PORTS</strong></span>), only packets matching that protocol (and, if <span class="bold"><strong>PORTS</strong></span> is supplied, one of the listed ports) are blocked.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id257377"></a><h2>Example</h2><div class="variablelist"><dl><dt><span class="term">Example 1:</span></dt><dd><p>To block DNS queries from address 192.0.2.126:</p><pre class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126     udp      53</pre></dd><dt><span class="term">Example 2:</span></dt><dd><p>To block some of the nuisance applications:</p><pre class="programlisting">#ADDRESS/SUBNET PROTOCOL PORT
-               udp      1024:1033,1434
-               tcp      57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898</pre></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258244"></a><h2>FILES</h2><p>/etc/shorewall/blacklist</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258255"></a><h2>See ALSO</h2><p><a class="ulink" href="http://shorewall.net/blacklisting_support.htm" target="_self">http://shorewall.net/blacklisting_support.htm</a></p><p>shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>
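The following Python script is an added example and is not part of this man page or of the Shorewall project's own code. It parses a blacklist file in the three-column format described above, enforces the column rules the page states (MAC addresses prefixed with "~" and separated by "-", ipset names prefixed with "+", PORTS only with TCP or UDP), and answers whether a given packet's source address, protocol and destination port would be matched by some entry. The sample file contents, the protocol and service name tables, and the ipset membership dictionary are constructed here for illustration; Shorewall itself resolves names through protocols(5) and services(5) and ipset membership through the kernel.

```python
"""Parser and matcher for the Shorewall /etc/shorewall/blacklist format (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample file (not from a real deployment): the two man-page examples,
# plus a MAC entry, a CIDR entry, an address range and an ipset entry.
SAMPLE_BLACKLIST = """\
#ADDRESS/SUBNET         PROTOCOL        PORT
192.0.2.126             udp             53
-                       udp             1024:1033,1434
-                       tcp             57,1433,1434,2401,2745
~00-A0-C9-15-39-78
198.51.100.0/24         tcp             ssh
203.0.113.10-203.0.113.20
+badhosts               -               -
"""

MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
# Minimal stand-ins for protocols(5) and services(5); constructed subsets only.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}


@dataclass
class Entry:
    address: str                                     # raw ADDRESS/SUBNET column
    protocol: Optional[int] = None                   # protocol number; None = any
    ports: List[Tuple[int, int]] = field(default_factory=list)  # (lo, hi) ranges; empty = any


def validate_address(tok: str) -> None:
    """Accept '-', '+ipset', '~MAC', an IP range 'a-b', or a host/network address."""
    if tok == "-" or tok.startswith("+"):
        return
    if tok.startswith("~"):
        if not MAC_RE.match(tok):
            raise ValueError(f"MAC must look like ~00-A0-C9-15-39-78, got {tok!r}")
        return
    if "-" in tok:                                   # address-range (iprange match)
        lo, hi = (ipaddress.ip_address(x) for x in tok.split("-", 1))
        if lo > hi:
            raise ValueError(f"range {tok!r} is reversed")
        return
    ipaddress.ip_network(tok, strict=False)          # host or network address


def parse_protocol(tok: str) -> Optional[int]:
    if tok == "-":
        return None
    if tok.isdigit():
        return int(tok)
    if tok.lower() in PROTO_NUMBERS:
        return PROTO_NUMBERS[tok.lower()]
    raise ValueError(f"unknown protocol {tok!r}")


def port_number(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok.lower() in SERVICE_PORTS:
        return SERVICE_PORTS[tok.lower()]
    raise ValueError(f"unknown service name {tok!r}")


def parse_ports(tok: str) -> List[Tuple[int, int]]:
    """Comma-separated ports or port ranges ('lo:hi'), as in Example 2."""
    if tok == "-":
        return []
    ranges = []
    for item in tok.split(","):
        lo_s, _, hi_s = item.partition(":")
        lo = port_number(lo_s)
        hi = port_number(hi_s) if hi_s else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_line(line: str) -> Optional[Entry]:
    """Parse one file line; returns None for blank/comment lines, raises ValueError on bad input."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    if len(tokens) > 3:
        raise ValueError(f"too many columns in {line!r}")
    validate_address(tokens[0])
    protocol = parse_protocol(tokens[1]) if len(tokens) > 1 else None
    ports = parse_ports(tokens[2]) if len(tokens) > 2 else []
    if ports and protocol not in (6, 17):            # the PORTS column rule from the page
        raise ValueError("PORTS may only be given when PROTOCOL is TCP (6) or UDP (17)")
    return Entry(tokens[0], protocol, ports)


def line_error(line: str) -> Optional[str]:
    """Validation helper: the error message for a line, or None if it parses."""
    try:
        parse_line(line)
        return None
    except ValueError as exc:
        return str(exc)


def parse_blacklist(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def source_matches(entry: Entry, src_ip: str, src_mac: Optional[str], ipsets: dict) -> bool:
    a = entry.address
    if a == "-":
        return True
    if a.startswith("+"):                            # ipset membership, modelled as a dict
        return src_ip in ipsets.get(a[1:], set())
    if a.startswith("~"):
        return src_mac is not None and src_mac.replace(":", "-").upper() == a[1:].upper()
    ip = ipaddress.ip_address(src_ip)
    if "-" in a:
        lo, hi = (ipaddress.ip_address(x) for x in a.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(a, strict=False)


def packet_blocked(entries, src_ip, protocol, dport=None, src_mac=None, ipsets=None) -> bool:
    """True if any entry matches the packet the way the page describes (source, then protocol, then ports)."""
    ipsets = ipsets or {}
    for e in entries:
        if not source_matches(e, src_ip, src_mac, ipsets):
            continue
        if e.protocol is not None and e.protocol != protocol:
            continue
        if e.ports and (dport is None or not any(lo <= dport <= hi for lo, hi in e.ports)):
            continue
        return True
    return False


if __name__ == "__main__":
    rules = parse_blacklist(SAMPLE_BLACKLIST)
    for r in rules:
        print(r)
    print("DNS from 192.0.2.126 blocked:", packet_blocked(rules, "192.0.2.126", 17, 53))
```

Running the script prints the parsed entries and then checks the Example 1 case; `line_error()` is handy for validating a file before deploying it, since it surfaces the PORTS-without-TCP/UDP mistake that the page says is not permitted.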