Copyright © 2002-2006, 2010, 2011 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2016/07/02
This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Shorewall supports three different types of blacklisting: rule-based, static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf controls the degree of blacklist filtering.
The BLACKLIST option lists the Netfilter connection-tracking states that blacklist rules are to be applied to (states are NEW, ESTABLISHED, RELATED, INVALID, NOTRACK). The BLACKLIST option supersedes the BLACKLISTNEWONLY option:
BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections.
BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections.
For automatic blacklisting based on exceeding defined thresholds, see Events.
Beginning with Shorewall 4.4.25, the preferred method of blacklisting and whitelisting is to use the blrules file (shorewall-blrules (5)). There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, standard and custom macros as well as standard and custom actions. See shorewall-blrules (5) for details.
Example:
#ACTION    SOURCE               DEST   PROTO   DPORT
WHITELIST  net:70.90.191.126    all
DROP       net                  all    udp     1023:1033,1434,5948,23773
DROP       all                  net    udp     1023:1033
DROP       net                  all    tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
DROP       net:221.192.199.48   all
DROP       net:61.158.162.9     all
DROP       net:81.21.54.100     all    tcp     25
DROP       net:84.108.168.139   all
DROP       net:200.55.14.18     all
Beginning with Shorewall 4.4.26, the update command supports a -b option that converts your legacy blacklisting configuration to use the blrules file.
Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes in shorewall.conf. Prior to that release, the feature was always enabled.
Once enabled, dynamic blacklisting doesn't use any configuration parameters; it is instead controlled using /sbin/shorewall[-lite] commands. Note that to and from may only be specified when running Shorewall 4.4.12 or later: from (the default) matches the listed addresses as the packet source, while to matches them as the packet destination.
drop [to|from] <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.
reject [to|from] <ip address list> - causes packets from the listed IP addresses to be rejected by the firewall.
allow [to|from] <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop or reject command.
save - save the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted.
Update: Beginning with Shorewall 4.4.10, the dynamic blacklist is automatically retained over stop/start sequences and over restart and reload, so an entry added with drop, reject, logdrop or logreject stays in force until it is removed with allow.
show dynamic - displays the dynamic blacklisting configuration.
logdrop [to|from] <ip address list> - causes packets from the listed IP addresses to be dropped and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
logreject [to|from] <ip address list> - causes packets from the listed IP addresses to be rejected and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
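As an added example (it is not part of the Shorewall documentation, nor code from the Shorewall project), the script below shows one way to feed the dynamic blacklist from a log using the commands listed above: it counts SSH password failures per source address in a constructed log excerpt, refuses any "address" that is not a plain IPv4 dotted quad before it reaches a shell command line, and then issues logdrop from for each offender (or only prints the command when APPLY is not set to 1 or no shorewall binary is on PATH). The OpenSSH log format, the threshold of 5 failures and the APPLY variable are assumptions of the example, not anything Shorewall defines; Shorewall's own threshold-driven mechanism is the Events feature referred to earlier.

```shell
#!/bin/sh
# Added example; not from the Shorewall documentation or project.
# Assumptions: OpenSSH-style "Failed password ... from <ip>" log lines,
# an arbitrary threshold of 5 failures, and an APPLY=1 switch for live mode.

# Constructed sample log excerpt (made up for this example, not real data).
SAMPLE_LOG='Jul  2 10:00:01 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40211 ssh2
Jul  2 10:00:03 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40212 ssh2
Jul  2 10:00:04 gw sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 5112 ssh2
Jul  2 10:00:05 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40213 ssh2
Jul  2 10:00:06 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40214 ssh2
Jul  2 10:00:07 gw sshd[1201]: Failed password for root from 203.0.113.7 port 40215 ssh2
Jul  2 10:00:08 gw sshd[1210]: Accepted publickey for ops from 192.0.2.10 port 5000 ssh2
Jul  2 10:00:09 gw sshd[1211]: Failed password for root from 203.0.113.7 port 40216 ssh2'

THRESHOLD=5

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0-255).
# A log line is attacker-influenced input, so anything that is not a bare
# address is refused rather than handed to the shorewall command line.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# List each source address with THRESHOLD or more password failures,
# one per line, sorted so the output is stable.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v t="$THRESHOLD" '
        /Failed password/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }
    ' | sort
}

# Compose the dynamic-blacklist command for one address. "from" is written
# explicitly (Shorewall 4.4.12 or later) so the direction is unambiguous.
blacklist_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'shorewall logdrop from %s\n' "$1"
}

# Issue the command for every offender. Live mode needs APPLY=1 and a
# shorewall binary on PATH; otherwise the command is only printed.
apply_blacklist() {
    offenders | while read -r ip; do
        if ! cmd=$(blacklist_cmd "$ip"); then
            echo "refusing to blacklist malformed address: $ip" >&2
            continue
        fi
        if [ "${APPLY:-0}" = 1 ] && command -v shorewall >/dev/null 2>&1; then
            $cmd
        else
            echo "[dry-run] $cmd"
        fi
    done
}

apply_blacklist
```

On the sample excerpt only 203.0.113.7 crosses the threshold, so the script ends with shorewall logdrop from 203.0.113.7. After a live run, shorewall show dynamic confirms the entry, and because the dynamic blacklist survives restart and reload (Shorewall 4.4.10 and later) the block stays in force until shorewall allow 203.0.113.7 removes it, so a script like this needs a matching expiry step if permanent blocks are not what you want.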