'\" t .\" Title: shorewall6-blacklist .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.76.1 .\" Date: 10/19/2014 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" .TH "SHOREWALL6\-BLACKLIS" "5" "10/19/2014" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" blacklist \- shorewall6 Blacklist file .SH "SYNOPSIS" .HP \w'\fB/etc/shorewall6/blacklist\fR\ 'u \fB/etc/shorewall6/blacklist\fR .SH "DESCRIPTION" .PP The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application\&. The use of this file is deprecated in favor of \m[blue]\fBshorewall6\-blrules\fR\m[]\&\s-2\u[1]\d\s+2(5), and beginning with Shorewall 4\&.5\&.7, the blacklist file is no longer installed\&. Existing blacklist files can be converted to a corresponding blrules file using the \fBshorewall6 update \-b\fR command\&. 
.PP The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&. .PP \fBADDRESS/SUBNET\fR \- {\fB\-\fR|\fB~\fR\fImac\-address\fR|\fIip\-address\fR|\fIaddress\-range\fR|\fB+\fR\fIipset\fR} .RS 4 Host address, network address, MAC address, IP address range (if your kernel and ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match)\&. Exclusion (\m[blue]\fBshorewall6\-exclusion\fR\m[]\&\s-2\u[2]\d\s+2(5)) is supported\&. .sp MAC addresses must be prefixed with "~" and use "\-" as a separator\&. .sp Example: ~00\-A0\-C9\-15\-39\-78 .sp A dash ("\-") in this column means that any address will match (any source address for \fBsrc\fR entries, any destination address for \fBdst\fR entries)\&. This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns alone\&. .RE .PP \fBPROTOCOL\fR (proto) \- {\fB\-\fR|\fIprotocol\-number\fR|\fIprotocol\-name\fR} .RS 4 Optional \- if specified, must be a protocol number or a protocol name from protocols(5)\&. .RE .PP \fBPORTS\fR (port) \- {\fB\-\fR|\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.} .RS 4 May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE (136)\&. A comma\-separated list of destination port numbers or service names from services(5)\&. A port range may be written as \fIlow\fR:\fIhigh\fR (see Example 2 below)\&. .RE .PP \fBOPTIONS\fR \- {\fB\-\fR|{\fBdst\fR|\fBsrc\fR|\fBwhitelist\fR|\fBaudit\fR}[,\&.\&.\&.]} .RS 4 Optional \- added in 4\&.4\&.12\&. If specified, indicates whether traffic \fIfrom\fR ADDRESS/SUBNET (\fBsrc\fR) or traffic \fIto\fR ADDRESS/SUBNET (\fBdst\fR) should be blacklisted\&. The default is \fBsrc\fR\&. If the ADDRESS/SUBNET column is "\-", then the direction given here has no effect on the generated rule\&. .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br In Shorewall 4\&.4\&.12, the keywords \fBfrom\fR and \fBto\fR were used in place of \fBsrc\fR and \fBdst\fR respectively\&. 
Blacklisting was still restricted to traffic \fIarriving\fR on an interface that has the \*(Aqblacklist\*(Aq option set\&. So to block traffic from your local network to an internet host, you had to specify \fBblacklist\fR on your internal interface in \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5)\&. .sp .5v .RE .if n \{\ .sp .\} .RS 4 .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBNote\fR .ps -1 .br Beginning with Shorewall 4\&.4\&.13, entries are applied based on the \fBblacklist\fR setting in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5): .sp .RS 4 .ie n \{\ \h'-04' 1.\h'+01'\c .\} .el \{\ .sp -1 .IP " 1." 4.2 .\} \*(Aqblacklist\*(Aq in the OPTIONS or IN_OPTIONS column\&. Traffic from this zone is passed against the entries in this file that have the \fBsrc\fR option (specified or defaulted)\&. .RE .sp .RS 4 .ie n \{\ \h'-04' 2.\h'+01'\c .\} .el \{\ .sp -1 .IP " 2." 4.2 .\} \*(Aqblacklist\*(Aq in the OPTIONS or OUT_OPTIONS column\&. Traffic to this zone is passed against the entries in this file that have the \fBdst\fR option\&. .RE .sp .5v .RE In Shorewall 4\&.4\&.20, the \fBwhitelist\fR option was added\&. When \fBwhitelist\fR is specified, packets/connections that match the entry are exempted from blacklisting and are not matched against the remaining entries in the file\&. Entries are processed in file order, so a \fBwhitelist\fR entry must precede the broader blacklist entries it is meant to exempt\&. .sp The \fBaudit\fR option was also added in 4\&.4\&.20 and causes packets matching the entry to be audited\&. The \fBaudit\fR option may not be specified in whitelist entries and requires AUDIT_TARGET support in the kernel and ip6tables\&. .RE .PP When a packet arrives on an interface that has the \fBblacklist\fR option specified in \m[blue]\fBshorewall6\-interfaces\fR\m[]\&\s-2\u[3]\d\s+2(5) (or, beginning with 4\&.4\&.13, from or to a zone that has the \fBblacklist\fR option in \m[blue]\fBshorewall6\-zones\fR\m[]\&\s-2\u[4]\d\s+2(5)), its source IP address and MAC address (or, for \fBdst\fR entries, its destination address) are checked against this file and the packet is disposed of according to the \fBBLACKLIST_DISPOSITION\fR and \fBBLACKLIST_LOGLEVEL\fR variables in \m[blue]\fBshorewall6\&.conf\fR\m[]\&\s-2\u[5]\d\s+2(5)\&. 
If \fBPROTOCOL\fR or \fBPROTOCOL\fR and \fBPORTS\fR are supplied, only packets matching the protocol (and one of the listed ports, if \fBPORTS\fR is supplied) are blocked\&. .SH "EXAMPLE" .PP Example 1: .RS 4 To block DNS queries from address fe80::2a0:ccff:fedb:31c4: .sp .if n \{\ .RS 4 .\} .nf #ADDRESS/SUBNET PROTOCOL PORT fe80::2a0:ccff:fedb:31c4 udp 53 .fi .if n \{\ .RE .\} .RE .PP Example 2: .RS 4 To block some of the nuisance applications regardless of source address (note the port range 1024:1033): .sp .if n \{\ .RS 4 .\} .nf #ADDRESS/SUBNET PROTOCOL PORT \- udp 1024:1033,1434 \- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898 .fi .if n \{\ .RE .\} .RE .SH "FILES" .PP /etc/shorewall6/blacklist .SH "SEE ALSO" .PP \m[blue]\fBhttp://www\&.shorewall\&.net/blacklisting_support\&.htm\fR\m[]\&\s-2\u[6]\d\s+2 .PP \m[blue]\fBhttp://www\&.shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]\&\s-2\u[7]\d\s+2 .PP shorewall6(8), shorewall6\-accounting(5), shorewall6\-actions(5), shorewall6\-hosts(5), shorewall6\-interfaces(5), shorewall6\-maclist(5), shorewall6\-netmap(5), shorewall6\-params(5), shorewall6\-policy(5), shorewall6\-providers(5), shorewall6\-rtrules(5), shorewall6\-routestopped(5), shorewall6\-rules(5), shorewall6\&.conf(5), shorewall6\-secmarks(5), shorewall6\-tcclasses(5), shorewall6\-tcdevices(5), shorewall6\-mangle(5), shorewall6\-tos(5), shorewall6\-tunnels(5), shorewall6\-zones(5) .SH "NOTES" .IP " 1." 4 shorewall6-blrules .RS 4 \%http://www.shorewall.net/manpages6/shorewall6-blrules.html .RE .IP " 2." 4 shorewall6-exclusion .RS 4 \%http://www.shorewall.net/manpages6/shorewall6-exclusion.html .RE .IP " 3." 4 shorewall6-interfaces .RS 4 \%http://www.shorewall.net/manpages6/shorewall6-interfaces.html .RE .IP " 4." 4 shorewall6-zones .RS 4 \%http://www.shorewall.net/manpages6/shorewall6-zones.html .RE .IP " 5." 4 shorewall6.conf .RS 4 \%http://www.shorewall.net/manpages6/shorewall6.conf.html .RE .IP " 6." 
4 http://www.shorewall.net/blacklisting_support.htm .RS 4 \%http://www.shorewall.net/blacklisting_support.htm .RE .IP " 7." 4 http://www.shorewall.net/configuration_file_basics.htm#Pairs .RS 4 \%http://www.shorewall.net/configuration_file_basics.htm#Pairs .RE
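.PP The following validator is an added example written for this page; it is not Shorewall code and is not what \fBshorewall6 update \-b\fR actually runs\&. It parses blacklist entries and enforces the column rules stated above (MAC syntax, IPv6 addresses and ranges with exclusions, PORTS only with TCP/UDP/DCCP/SCTP/UDPLITE, \fBlow\fR:\fBhigh\fR port ranges, the \fBsrc\fR default, and the ban on combining \fBaudit\fR with \fBwhitelist\fR), then prints an approximation of the equivalent blrules line\&. The blrules column layout (ACTION SOURCE DEST PROTO DPORT), the zone name "net", the WHITELIST/A_DROP/DROP action names and DROP as the BLACKLIST_DISPOSITION are assumptions made for illustration; the sample file is constructed from the two examples above plus a \fBdst,audit\fR MAC entry and a \fBwhitelist\fR entry with an exclusion\&.

```python
"""Validate legacy /etc/shorewall6/blacklist entries and show the equivalent
blrules line. Added example, not Shorewall code: the blrules column layout
(ACTION SOURCE DEST PROTO DPORT), the zone name "net" and DROP as the
BLACKLIST_DISPOSITION are assumptions made for illustration only."""
import ipaddress
import re
from dataclasses import dataclass

# Protocols that may carry a PORTS column, with their protocols(5) numbers.
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "dccp": 33, "sctp": 132, "udplite": 136}
OPTION_KEYWORDS = {"src", "dst", "whitelist", "audit"}
MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")  # ~xx-xx-xx-xx-xx-xx
NAME_RE = re.compile(r"^[A-Za-z][\w.-]*$")  # name from protocols(5) / services(5)


class BlacklistError(ValueError):
    """An entry violates a rule stated in shorewall6-blacklist(5)."""

@dataclass(frozen=True)
class Entry:
    address: str        # "-", ~mac, host/network, range or +ipset, optionally with !exclusion
    proto: str          # "-" or a protocol name/number
    ports: tuple        # destination ports or low:high ranges; empty when PORTS is "-"
    options: frozenset  # subset of OPTION_KEYWORDS, always containing src or dst

def _check_address(text, lineno):
    for part in text.split("!"):                 # "a!b" means a, excluding b
        if part.startswith("~"):
            if not MAC_RE.match(part):
                raise BlacklistError(f"line {lineno}: bad MAC {part!r} (use ~ prefix, - separator)")
        elif part.startswith("+"):
            continue                             # ipset name; existence is not checked here
        else:
            for addr in part.split("-"):         # "-" joins the two ends of an iprange
                try:
                    net = ipaddress.ip_network(addr, strict=False)
                except ValueError:
                    raise BlacklistError(f"line {lineno}: bad address {addr!r}") from None
                if net.version != 6:
                    raise BlacklistError(f"line {lineno}: {addr!r} is not IPv6")

def _check_ports(text, proto, lineno):
    if text == "-":
        return ()
    by_number = proto.isdigit() and int(proto) in PORT_PROTOCOLS.values()
    if proto.lower() not in PORT_PROTOCOLS and not by_number:
        raise BlacklistError(f"line {lineno}: PORTS needs TCP/UDP/DCCP/SCTP/UDPLITE, not {proto!r}")
    for item in text.split(","):
        low, _, high = item.partition(":")       # "1024:1033" is a port range
        for port in (low, high) if high else (low,):
            if port.isdigit() and not 1 <= int(port) <= 65535:
                raise BlacklistError(f"line {lineno}: port {port} out of range")
            if not port.isdigit() and not NAME_RE.match(port):
                raise BlacklistError(f"line {lineno}: bad port {port!r}")
    return tuple(text.split(","))

def _check_options(text, lineno):
    if text == "-":
        return frozenset({"src"})                # direction defaults to src
    opts = frozenset(text.split(","))
    if opts - OPTION_KEYWORDS:
        raise BlacklistError(f"line {lineno}: unknown option(s) {sorted(opts - OPTION_KEYWORDS)}")
    if {"audit", "whitelist"} <= opts:
        raise BlacklistError(f"line {lineno}: audit may not be used in a whitelist entry")
    return opts if opts & {"src", "dst"} else opts | {"src"}

def parse_line(line, lineno=0):
    """Return an Entry, or None for a blank/comment line; raise BlacklistError otherwise."""
    cols = line.split("#", 1)[0].split()
    if not cols:
        return None
    if len(cols) > 4:
        raise BlacklistError(f"line {lineno}: at most 4 columns, got {len(cols)}")
    address, proto, ports, options = cols + ["-"] * (4 - len(cols))
    if address != "-":
        _check_address(address, lineno)
    if proto != "-" and not (proto.isdigit() and int(proto) <= 255 or NAME_RE.match(proto)):
        raise BlacklistError(f"line {lineno}: bad protocol {proto!r}")
    return Entry(address, proto, _check_ports(ports, proto, lineno), _check_options(options, lineno))

def parse_file(text):
    entries = (parse_line(line, n) for n, line in enumerate(text.splitlines(), 1))
    return [e for e in entries if e]

def to_blrules(entry, zone="net"):
    """ASSUMED blrules layout: ACTION SOURCE DEST PROTO DPORT, tab-separated."""
    action = ("WHITELIST" if "whitelist" in entry.options
              else "A_DROP" if "audit" in entry.options else "DROP")
    target = zone if entry.address == "-" else f"{zone}:{entry.address}"
    src, dst = (target, "all") if "src" in entry.options else ("all", target)
    return "\t".join((action, src, dst, entry.proto, ",".join(entry.ports) or "-"))

# Constructed sample: Example 1, one line of Example 2, a dst/audit MAC entry
# and a whitelist entry with an exclusion.
SAMPLE = """\
#ADDRESS/SUBNET             PROTOCOL  PORT            OPTIONS
fe80::2a0:ccff:fedb:31c4    udp       53
-                           udp       1024:1033,1434
~00-A0-C9-15-39-78          -         -               dst,audit
2001:db8::/64!2001:db8::1   -         -               whitelist
"""

if __name__ == "__main__":
    for entry in parse_file(SAMPLE):
        print(to_blrules(entry))
```

Running the block prints one assumed blrules line per entry; feeding it a file with a colon\-separated MAC, an IPv4 address, a port on an ICMPv6 entry, or \fBwhitelist,audit\fR raises BlacklistError with the offending line number, which is the check worth running before converting an old file with \fBshorewall6 update \-b\fR\&.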