shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Shorewall Blacklisting Support</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257527"></a>Shorewall Blacklisting Support</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2002-2006 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292633"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Intro">Introduction</a></span></dt><dt><span class="section"><a href="#Static">Static Blacklisting</a></span></dt><dt><span class="section"><a href="#Dynamic">Dynamic Blacklisting</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Intro"></a>Introduction</h2></div></div></div><p>Shorewall supports two different forms of blacklisting: static and
    dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf
    controls the degree of blacklist filtering:</p><div class="orderedlist"><ol type="1"><li><p>BLACKLISTNEWONLY=No -- All incoming packets are checked
        against the blacklist. New blacklist entries can be used to terminate
        existing connections.</p></li><li><p>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
        new connection requests. Blacklists may not be used to terminate
        existing connections. Only the source address is checked against the
        blacklists.</p></li></ol></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>Only the source address is checked against
      the blacklists</strong></span>. Blacklists only stop blacklisted hosts from
      connecting to you — they do not stop you or your users from connecting
      to blacklisted hosts.</p></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p><span class="bold"><strong>Dynamic Shorewall blacklisting is not
      appropriate for blacklisting thousands of different addresses. Static
      blacklisting can handle large blacklists, but only if you use
      ipsets</strong></span>. Without ipsets, every blacklist entry becomes a
      separate firewall rule: a large blacklist takes a very long time to load
      and has a very negative effect on firewall
      performance.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Static"></a>Static Blacklisting</h2></div></div></div><p>Shorewall static blacklisting support has the following
    configuration parameters:</p><div class="itemizedlist"><ul type="disc"><li><p>You specify whether you want packets from blacklisted hosts
        dropped or rejected using the BLACKLIST_DISPOSITION setting in <a class="ulink" href="manpages/shorewall.conf.html" target="_self"><code class="filename">/etc/shorewall/shorewall.conf</code>.</a></p></li><li><p>You specify whether you want packets from blacklisted hosts
        logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
        in <a class="ulink" href="manpages/shorewall.conf.html" target="_self"><code class="filename">/etc/shorewall/shorewall.conf</code></a>.</p></li><li><p>You list the IP addresses/subnets that you wish to blacklist in
        <a class="ulink" href="manpages/shorewall-blacklist.html" target="_self"><code class="filename">/etc/shorewall/blacklist</code></a>.
        You may also specify PROTOCOL and Port numbers/Service names in the
        blacklist file.</p></li><li><p>You specify the interfaces whose incoming packets you want
        checked against the blacklist using the “<span class="quote">blacklist</span>”
        option in <a class="ulink" href="manpages/shorewall-interfaces.html" target="_self"><code class="filename">/etc/shorewall/interfaces</code></a>.</p></li><li><p>The black list is refreshed from
        <code class="filename">/etc/shorewall/blacklist</code> by the “<span class="quote"><a class="ulink" href="starting_and_stopping_shorewall.htm" target="_self"><span class="command"><strong>shorewall
        refresh</strong></span></a></span>” command.</p></li></ul></div><p>Users with a large static blacklist may want to set the
    DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
    2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
    before loading the blacklist rules. While this may allow connections from
    blacklisted hosts to slip by during construction of the blacklist, it can
    substantially reduce the time that all new connections are disabled during
    "shorewall [re]start".</p><p>Beginning with Shorewall 2.4.0, you can use <a class="ulink" href="ipsets.html" target="_self">ipsets</a> to define your static blacklist. Here's
    an example:</p><pre class="programlisting">#ADDRESS/SUBNET         PROTOCOL        PORT
+Blacklistports[dst]
+Blacklistnets[src,dst]
+Blacklist[src,dst]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre><p>In this example, there is a portmap ipset
    <span class="emphasis"><em>Blacklistports</em></span> that blacklists all traffic with
    destination ports included in the ipset. There are also
    <span class="emphasis"><em>Blacklistnets</em></span> (type <span class="emphasis"><em>nethash</em></span>) and
    <span class="emphasis"><em>Blacklist</em></span> (type <span class="emphasis"><em>iphash</em></span>) ipsets
    that allow blacklisting networks and individual IP addresses. Note that
    [src,dst] is specified so that individual entries in the sets can be bound
    to other portmap ipsets to allow blacklisting (<span class="emphasis"><em>source
    address</em></span>, <span class="emphasis"><em>destination port</em></span>) combinations.
    For example:</p><pre class="programlisting"># a portmap set able to hold ports 1-31; port 25 is the only member needed here
ipset -N SMTP portmap --from 1 --to 31
ipset -A SMTP 25
# the host goes into the iphash set matched by "+Blacklist[src,dst]"
ipset -A Blacklist 206.124.146.177
# bind that entry to the SMTP portmap: the [src,dst] match now succeeds only when
# the source is 206.124.146.177 and the destination port is a member of SMTP
ipset -B Blacklist 206.124.146.177 -b SMTP</pre><p>This will blacklist SMTP traffic (destination port 25) from host
    206.124.146.177 while leaving that host's other traffic unaffected. Note
    that the <code class="literal">-B</code>/<code class="literal">-b</code>
    binding commands belong to the ipset 4.x tool this page was written
    against; ipset 6 removed bindings, so on a system with ipset 6 an
    (address, port) restriction has to be expressed without them.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Dynamic"></a>Dynamic Blacklisting</h2></div></div></div><p>Dynamic blacklisting doesn't use any configuration parameters but is
    rather controlled using /sbin/shorewall[-lite] commands:</p><div class="itemizedlist"><ul type="disc"><li><p>drop <span class="emphasis"><em>&lt;ip address list&gt;</em></span> - causes
        packets from the listed IP addresses to be silently dropped by the
        firewall.</p></li><li><p>reject <span class="emphasis"><em>&lt;ip address list&gt;</em></span> - causes
        packets from the listed IP addresses to be rejected by the
        firewall.</p></li><li><p>allow <span class="emphasis"><em>&lt;ip address list&gt;</em></span> - re-enables
        receipt of packets from hosts previously blacklisted by a
        <span class="emphasis"><em>drop</em></span> or <span class="emphasis"><em>reject</em></span>
        command.</p></li><li><p>save - save the dynamic blacklisting configuration so that it
        will be automatically restored the next time that the firewall is
        restarted.</p></li><li><p>show dynamic - displays the dynamic blacklisting
        configuration.</p></li></ul></div><p>If you are running Shorewall 3.2.0 Beta2 or later, there are two
    additional commands:</p><div class="itemizedlist"><ul type="disc"><li><p>logdrop <span class="emphasis"><em>&lt;ip address list&gt;</em></span> - causes
        packets from the listed IP addresses to be dropped and logged by the
        firewall. Logging will occur at the level specified by the
        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
        the 'info' level if no BLACKLIST_LOGLEVEL was given).</p></li><li><p>logreject <span class="emphasis"><em>&lt;ip address list&gt;</em></span> - causes
        packets from the listed IP addresses to be rejected and logged by the
        firewall. Logging will occur at the level specified by the
        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
        the 'info' level if no BLACKLIST_LOGLEVEL was given).</p></li></ul></div><p>Dynamic blacklisting is not dependent on the
    “<span class="quote">blacklist</span>” option in
    <code class="filename">/etc/shorewall/interfaces</code>.</p><div class="example"><a id="Ignore"></a><p class="title"><b>Example 1. Ignore packets from a pair of systems</b></p><div class="example-contents"><pre class="programlisting">    <span class="command"><strong>shorewall[-lite] drop 192.0.2.124 192.0.2.125</strong></span></pre><p>Drops packets from hosts 192.0.2.124 and 192.0.2.125. The entries are
    lost at the next [re]start unless they are kept with <span class="command"><strong>shorewall[-lite]
    save</strong></span>.</p></div></div><br class="example-break" /><div class="example"><a id="Allow"></a><p class="title"><b>Example 2. Re-enable packets from a system</b></p><div class="example-contents"><pre class="programlisting">    <span class="command"><strong>shorewall[-lite] allow 192.0.2.125</strong></span></pre><p>Re-enables traffic from 192.0.2.125.</p></div></div><br class="example-break" /></div></div></body></html>
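<p>Building the ipset-backed static blacklist that the Static Blacklisting section recommends for large lists, as an added example that is not part of the Shorewall documentation or the Shorewall project: the POSIX shell script below reads a plain text file with one address or CIDR block per line (that file format, the sample entries in it and the function names are assumptions made here), validates every entry, and prints the ipset commands that create and fill the <em>Blacklist</em> (iphash) and <em>Blacklistnets</em> (nethash) sets referenced from <code class="filename">/etc/shorewall/blacklist</code> in the example above. Validation is deliberate: a malformed line stops the load instead of silently shrinking the blacklist. The <code class="literal">-N</code>/<code class="literal">-A</code> spellings are the ones this page uses; ipset 6 still accepts them as short forms of <code class="literal">create</code>/<code class="literal">add</code>.</p>

```shell
#!/bin/sh
# Added example (not from the Shorewall documentation or project): build the
# ipset commands for the "+Blacklist[src,dst]" (iphash) and
# "+Blacklistnets[src,dst]" (nethash) sets from a plain address list.
# The input file format, the function names and the sample entries below
# are assumptions made for this example.

# valid_ipv4_entry ENTRY: succeed if ENTRY is a dotted quad, or a dotted
# quad followed by /N with 0 <= N <= 32. Pure POSIX sh, no external tools.
valid_ipv4_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/N" suffix at all
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                                 # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipset_commands FILE: print the ipset commands that create and fill both
# sets from FILE (one address or CIDR per line, "#" starts a comment).
# Fails on the first invalid line so that a typo never silently shrinks
# the blacklist.
ipset_commands() {
    printf '%s\n' 'ipset -N Blacklist iphash' 'ipset -N Blacklistnets nethash'
    lineno=0
    while read -r entry rest || [ -n "$entry" ]; do
        lineno=$((lineno + 1))
        case $entry in ''|'#'*) continue ;; esac      # blank or comment line
        valid_ipv4_entry "$entry" || {
            printf '%s: line %d: invalid entry "%s"\n' "$1" "$lineno" "$entry" >&2
            return 1
        }
        case $entry in
            */*) printf 'ipset -A Blacklistnets %s\n' "$entry" ;;   # CIDR -> nethash
            *)   printf 'ipset -A Blacklist %s\n' "$entry" ;;       # host -> iphash
        esac
    done < "$1"
}

# Constructed sample blacklist (RFC 5737 documentation addresses).
sample_blacklist=$(mktemp)
cat > "$sample_blacklist" <<'EOF'
# individual hosts -> Blacklist (iphash)
192.0.2.10
192.0.2.11        # scanner
# whole networks -> Blacklistnets (nethash)
198.51.100.0/24
203.0.113.128/25
EOF

# Print the commands; pipe them into sh once reviewed, then reference the
# sets from /etc/shorewall/blacklist with the +Blacklist[src,dst] lines.
ipset_commands "$sample_blacklist"
```

<p>Because the sets are created before Shorewall loads the blacklist rules, the commands have to run before <span class="command"><strong>shorewall start</strong></span>; the firewall then matches every packet against two hash lookups instead of one rule per address.</p>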
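<p>Tying the dynamic blacklisting commands to something that detects abuse, as an added example that is not part of the Shorewall documentation or the Shorewall project: the POSIX shell script below counts failed SSH logins per source address in an sshd log and prints the single <span class="command"><strong>shorewall logdrop</strong></span> command (described above; it logs at BLACKLIST_LOGLEVEL) that would block the offenders. The log excerpt is constructed, and the threshold, the cap and the function names are assumptions. The cap is there because the Introduction says dynamic blacklisting is not suitable for thousands of addresses: past it the script refuses, and a list that size belongs in an ipset-backed static blacklist.</p>

```shell
#!/bin/sh
# Added example (not from the Shorewall documentation or project): derive a
# "shorewall logdrop" command for hosts that repeatedly fail SSH logins.
# The sshd log lines below are constructed; the threshold, the cap on the
# number of addresses and the function names are assumptions.

# offenders LOGFILE MIN: print, sorted and one per line, every source
# address with at least MIN "Failed password" lines in LOGFILE.
offenders() {
    awk -v min="$2" '
        /sshd\[[0-9]+]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip }
    ' "$1" | sort
}

# blacklist_command LOGFILE MIN CAP: print the one shorewall command that
# blacklists every offender. Exit 1 when there is nobody to block and 2
# when more than CAP addresses qualify: dynamic blacklisting is not meant
# for thousands of entries, so a list that large should go into an
# ipset-backed static blacklist instead.
blacklist_command() {
    log=$1 min=$2 cap=$3
    list=$(offenders "$log" "$min")
    [ -n "$list" ] || { echo 'no offenders above threshold' >&2; return 1; }
    set -- $list                          # one positional parameter per address
    if [ $# -gt "$cap" ]; then
        printf '%d offenders exceed cap %d; use a static ipset blacklist\n' $# "$cap" >&2
        return 2
    fi
    printf 'shorewall logdrop %s\n' "$*"
}

# Constructed sshd log excerpt (RFC 5737 documentation addresses).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:15:01 gw sshd[2211]: Failed password for root from 192.0.2.77 port 40012 ssh2
Mar  3 10:15:03 gw sshd[2211]: Failed password for invalid user admin from 192.0.2.77 port 40013 ssh2
Mar  3 10:15:09 gw sshd[2214]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar  3 10:15:20 gw sshd[2218]: Accepted publickey for alice from 203.0.113.5 port 33000 ssh2
Mar  3 10:15:31 gw sshd[2220]: Failed password for root from 192.0.2.77 port 40015 ssh2
EOF

# Print the command instead of running it, so it can be reviewed first:
# apply it with "| sh", then run "shorewall save" to keep the entries
# across the next restart.
blacklist_command "$sample_log" 3 50
```

<p>Only the source address is checked, so this blocks the offending hosts from connecting in and nothing more; <span class="command"><strong>shorewall allow</strong></span> lifts an entry again, and without <span class="command"><strong>shorewall save</strong></span> the whole dynamic list is gone after the next [re]start.</p>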