.\" Automatically generated by Pandoc 3.1.3
.nh
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "firehol-blacklist" "5" "Built 30 Mar 2024" "FireHOL Reference" "3.1.7"
.hy
.SH NAME
.PP
firehol-blacklist - set up a unidirectional or bidirectional blacklist
.SH SYNOPSIS
.PP
{ blacklist | blacklist4 | blacklist6 } [ \f[I]type\f[R] ] [ inface
\f[I]device\f[R] ] [ log \f[I]\[lq]text\[rq]\f[R] ] [ nolog ] [ connlog
\f[I]\[lq]text\[rq]\f[R] ] [ loglimit \f[I]\[lq]text\[rq]\f[R] ] [
accounting \f[I]accounting_name\f[R] ] \f[I]ip\f[R]\&... [ except
\f[I]rule-params\f[R] [or \f[I]rule-params\f[R] [or \&... ]]]
.SH DESCRIPTION
.PP
The \f[V]blacklist\f[R] helper command creates a blacklist for the
\f[I]ip\f[R] list given (which can be in quotes or not).
.PP
If the type \f[V]full\f[R] or \f[V]all\f[R] is supplied (or no type at
all), a bidirectional \f[I]stateless\f[R] blacklist will be generated.
The firewall will REJECT all traffic going to the IP addresses and DROP
all traffic coming from them.
Every packet is tested, regardless of connection state.
.PP
If the type \f[V]stateful\f[R] is supplied, a bidirectional
\f[I]stateful\f[R] blacklist will be generated.
The firewall will REJECT all traffic going to the IP addresses and DROP
all traffic coming from them, but only the packets that initiate a
connection are tested against the list.
.PP
The differences between \f[V]full\f[R] and \f[V]stateful\f[R] are:
.IP "1." 3
\f[V]stateful\f[R] is resource efficient, since only the packets that
initiate connections are examined.
Established connections will never be re-tested against the blacklist,
so a connection that was already open when an address was added stays
open until it ends by itself.
.IP "2." 3
When using \f[V]full\f[R] and an ipset is updated to match the IP of an
established connection, this established connection will immediately be
blocked too.
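.PP
The following is an added illustration, not FireHOL's own code and not
the rules FireHOL actually generates (FireHOL builds its own chains and
handles ipsets and logging itself).
It is a small POSIX shell function that expands a blacklist line of
each type into plain iptables commands carrying the semantics described
in this section: stateless DROP/REJECT for \f[V]full\f[R], a conntrack
NEW-only match for \f[V]stateful\f[R], inbound-only rules for
\f[V]input\f[R] and its synonyms, and the \f[V]inface\f[R] restriction.
The chain layout, the use of the conntrack match, and the omission of
\f[V]log\f[R], \f[V]accounting\f[R] and \f[V]except\f[R] are
simplifications assumed for the illustration.

```shell
#!/bin/sh
# Added illustration of the firehol-blacklist(5) types as raw iptables
# commands.  Not FireHOL code and not what FireHOL emits; it only makes
# the documented behaviour of each type concrete and checkable:
#   full / all  stateless: every packet tested; DROP from ip, REJECT to ip
#   stateful    same directions, only connection-initiating (NEW) packets
#   input, him, her, it, this, these
#               NEW packets from ip are dropped; connections we open to
#               ip are left alone (unidirectional)
# Usage: blacklist_rules TYPE [inface DEVICE] IP...
blacklist_rules() {
    kind=$1; shift
    state=""        # conntrack match; empty for the stateless variant
    bidir=1         # 1 = also block traffic going TO the address
    iface=""        # optional "-i DEVICE" for inbound rules
    oface=""        # optional "-o DEVICE" for outbound rules
    case $kind in
        full|all) ;;
        stateful) state="-m conntrack --ctstate NEW " ;;
        input|him|her|it|this|these)
            state="-m conntrack --ctstate NEW "
            bidir=0 ;;
        *) echo "blacklist_rules: unknown type '$kind'" >&2; return 1 ;;
    esac
    # "inface DEVICE" limits the blacklist to one interface, including
    # traffic forwarded through it
    if [ "$1" = "inface" ]; then
        iface="-i $2 "
        oface="-o $2 "
        shift 2
    fi
    [ $# -gt 0 ] || { echo "blacklist_rules: no addresses given" >&2; return 1; }
    for ip in "$@"; do
        # traffic coming FROM the blacklisted address is silently dropped
        echo "iptables -A INPUT ${iface}${state}-s $ip -j DROP"
        echo "iptables -A FORWARD ${iface}${state}-s $ip -j DROP"
        if [ "$bidir" -eq 1 ]; then
            # traffic going TO the blacklisted address is rejected, so the
            # local sender gets an immediate error instead of a timeout
            echo "iptables -A OUTPUT ${oface}${state}-d $ip -j REJECT"
            echo "iptables -A FORWARD ${oface}${state}-d $ip -j REJECT"
        fi
    done
}

# Demo: the first two lines of the EXAMPLES section of this page
blacklist_rules full 192.0.2.1 192.0.2.2
blacklist_rules input 192.0.2.3 192.0.2.4
```

Comparing the output for \f[V]full\f[R] and \f[V]stateful\f[R] shows the
trade-off listed above: the stateless rules are evaluated for every
packet, so an address added to a \f[V]full\f[R] blacklist while a
connection is open cuts that connection at once, whereas the NEW-only
rules leave an already established flow untouched until it ends.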
.PP
If the type \f[V]input\f[R] or \f[V]him\f[R], \f[V]her\f[R],
\f[V]it\f[R], \f[V]this\f[R], \f[V]these\f[R] is supplied, a
unidirectional \f[I]stateful\f[R] blacklist will be generated.
Connections can be established to such IP addresses, but the IP
addresses will not be able to connect to the firewall or hosts protected
by it.
.PP
Using \f[V]log\f[R] (log every packet), \f[V]connlog\f[R] (log
connections once), or \f[V]loglimit\f[R] (log packets according to
global throttling settings), the \f[V]text\f[R] will be logged when
matching packets are found.
.PP
Using \f[V]nolog\f[R] will disable logging for this rule.
.PP
Using \f[V]inface\f[R], the blacklist will be created on the interface
\f[V]device\f[R] only (this includes forwarded traffic).
.PP
\f[V]accounting\f[R] will update the NFACCT accounting with the name
given.
.PP
If the keyword \f[V]except\f[R] is found, then all the parameters
following it are rules to match packets that should be excluded from the
blacklist (i.e.\ they are a whitelist for this blacklist).
See firehol-params(5) for more details.
.PP
Blacklists must be declared before the first router or interface.
.PP
IP Lists for abuse, malware, attacks, proxies, anonymizers, etc. can be
downloaded with the contrib/update-ipsets.sh script.
Information about the supported IP Lists can be found at FireHOL IP
Lists (http://iplists.firehol.org/)
.SH EXAMPLES
.IP
.nf
\f[C]
blacklist full 192.0.2.1 192.0.2.2
blacklist input \[dq]192.0.2.3 192.0.2.4\[dq]
blacklist full inface eth0 log \[dq]BADGUY\[dq] 192.0.1.1 192.0.1.2
\f[R]
.fi
.SH SEE ALSO
.IP \[bu] 2
firehol(1) - FireHOL program
.IP \[bu] 2
firehol.conf(5) - FireHOL configuration
.IP \[bu] 2
FireHOL Website (http://firehol.org/)
.IP \[bu] 2
FireHOL Online PDF Manual (http://firehol.org/firehol-manual.pdf)
.IP \[bu] 2
FireHOL Online Documentation (http://firehol.org/documentation/)
.IP \[bu] 2
FireHOL IP Lists (http://iplists.firehol.org/)
.SH AUTHORS
FireHOL Team.