'\" t
.\"     Title: shorewall-blacklist
.\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.75.2
.\"      Date: 06/28/2012
.\"    Manual: [FIXME: manual]
.\"    Source: [FIXME: source]
.\"  Language: English
.\"
.TH "SHOREWALL\-BLACKLIST" "5" "06/28/2012" "[FIXME: source]" "[FIXME: manual]"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
blacklist \- Shorewall Blacklist file
.SH "SYNOPSIS"
.HP \w'\fB/etc/shorewall/blacklist\fR\ 'u
\fB/etc/shorewall/blacklist\fR
.SH "DESCRIPTION"
.PP
The blacklist file is used to perform static blacklisting\&. You can blacklist by source address (IP or MAC), or by application\&.
.PP
The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax)\&.
.PP
\fBADDRESS/SUBNET\fR (networks) \- {\fB\-\fR|\fB~\fR\fImac\-address\fR|\fIip\-address\fR|\fIaddress\-range\fR|\fB+\fR\fIipset\fR}
.RS 4
Host address, network address, MAC address, IP address range (if your kernel and iptables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match)\&. Exclusion (\m[blue]\fBshorewall\-exclusion\fR\m[]\&\s-2\u[1]\d\s+2(5)) is supported\&.
.sp
MAC addresses must be prefixed with "~" and use "\-" as a separator\&.
.sp
Example: ~00\-A0\-C9\-15\-39\-78
.sp
A dash ("\-") in this column means that any source address will match\&. This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns\&.
.RE
.PP
\fBPROTOCOL\fR (proto) \- {\fB\-\fR|[!]\fIprotocol\-number\fR|[!]\fIprotocol\-name\fR}
.RS 4
Optional \- If specified, must be a protocol number or a protocol name from protocols(5)\&.
.RE
.PP
\fBPORTS\fR \- {\fB\-\fR|[!]\fIport\-name\-or\-number\fR[,\fIport\-name\-or\-number\fR]\&.\&.\&.}
.RS 4
Optional \- may only be specified if the protocol is TCP (6) or UDP (17)\&. A comma\-separated list of destination port numbers or service names from services(5)\&.
.RE
.PP
\fBOPTIONS\fR \- {\fB\-\fR|{\fBdst\fR|\fBsrc\fR|\fBwhitelist\fR|\fBaudit\fR}[,\&.\&.\&.]}
.RS 4
Optional \- added in 4\&.4\&.12\&. If specified, indicates whether traffic \fIfrom\fR ADDRESS/SUBNET (\fBsrc\fR) or traffic \fIto\fR ADDRESS/SUBNET (\fBdst\fR) should be blacklisted\&. The default is \fBsrc\fR\&. If the ADDRESS/SUBNET column is empty, then this column has no effect on the generated rule\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
In Shorewall 4\&.4\&.12, the keywords \fBfrom\fR and \fBto\fR were used in place of \fBsrc\fR and \fBdst\fR respectively\&. Blacklisting was still restricted to traffic \fIarriving\fR on an interface that has the \*(Aqblacklist\*(Aq option set\&. So to block traffic from your local network to an internet host, you had to specify \fBblacklist\fR on your internal interface in \m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5)\&.
.sp .5v
.RE
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
Beginning with Shorewall 4\&.4\&.13, entries are applied based on the \fBblacklist\fR setting in \m[blue]\fBshorewall\-zones\fR\m[]\&\s-2\u[3]\d\s+2(5):
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
\*(Aqblacklist\*(Aq in the OPTIONS or IN_OPTIONS column\&. Traffic from this zone is passed against the entries in this file that have the \fBsrc\fR option (specified or defaulted)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
\*(Aqblacklist\*(Aq in the OPTIONS or OUT_OPTIONS column\&. Traffic to this zone is passed against the entries in this file that have the \fBdst\fR option\&.
.RE
.sp .5v
.RE
In Shorewall 4\&.4\&.20, the \fBwhitelist\fR option was added\&. When \fBwhitelist\fR is specified, packets/connections that match the entry are not matched against the remaining entries in the file\&.
.sp
The \fBaudit\fR option was also added in 4\&.4\&.20 and causes packets matching the entry to be audited\&. The \fBaudit\fR option may not be specified in whitelist entries and requires AUDIT_TARGET support in the kernel and iptables\&.
.RE
.PP
.SH "EXAMPLE"
.PP
Example 1:
.RS 4
To block DNS queries from address 192\&.0\&.2\&.126:
.sp
.if n \{\
.RS 4
.\}
.nf
#ADDRESS/SUBNET   PROTOCOL   PORT
192\&.0\&.2\&.126       udp        53
.fi
.if n \{\
.RE
.\}
.RE
.PP
Example 2:
.RS 4
To block some of the nuisance applications:
.sp
.if n \{\
.RS 4
.\}
.nf
#ADDRESS/SUBNET   PROTOCOL   PORT
\-                 udp        1024:1033,1434
\-                 tcp        57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
.fi
.if n \{\
.RE
.\}
.RE
.SH "FILES"
.PP
/etc/shorewall/blacklist
.SH "SEE ALSO"
.PP
\m[blue]\fBhttp://shorewall\&.net/blacklisting_support\&.htm\fR\m[]
.PP
\m[blue]\fBhttp://shorewall\&.net/configuration_file_basics\&.htm#Pairs\fR\m[]
.PP
shorewall(8), shorewall\-accounting(5), shorewall\-actions(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsets(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-rtrules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-secmarks(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "NOTES"
.IP " 1." 4
shorewall-exclusion
.RS 4
\%http://www.shorewall.net/manpages/shorewall-exclusion.html
.RE
.IP " 2." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE
.IP " 3." 4
shorewall-zones
.RS 4
\%http://www.shorewall.net/manpages/shorewall-zones.html
.RE
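.PP
The following is an added example, not part of this man page or of Shorewall itself: a small Python linter for blacklist entries that enforces the column rules described above (the "~" MAC syntax, PORTS only with TCP/UDP, the four OPTIONS keywords, audit not combined with whitelist, src as the default direction) so that a file can be checked before it is compiled. All function and constant names are the example\*(Aqs own.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^~[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")   # e.g. ~00-A0-C9-15-39-78
VALID_OPTIONS = {"src", "dst", "whitelist", "audit"}

def check_address(field):
    """ADDRESS/SUBNET: ~mac, +ipset, IP, network or low-high range; '!' introduces exclusions."""
    for item in re.split(r"[!,]", field):
        if MAC_RE.match(item) or item.startswith("+"):
            continue                                   # MAC or ipset name: nothing more to check
        for piece in item.split("-"):                  # iprange "low-high" or a single address
            ipaddress.ip_network(piece, strict=False)  # raises ValueError on junk

def check_ports(field):
    """PORTS: comma list of [!]name-or-number; low:high ranges as in the man page examples."""
    for p in re.split(r"[,:]", field.replace("!", "")):
        if p.isdigit() and not 0 < int(p) < 65536 or not re.fullmatch(r"[\w.-]+", p):
            raise ValueError(f"bad port {p!r}")

def parse_blacklist_line(line):
    """Return a dict for one entry, None for blank/comment lines; ValueError if invalid."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    address, proto, ports, options = (text.split() + ["-"] * 4)[:4]   # missing columns mean "-"
    if address != "-":
        check_address(address)
    bare = proto.lstrip("!").lower()                   # "!" negates the protocol
    if not re.fullmatch(r"-|[a-z][\w-]*|2[0-4]\d|25[0-5]|1?\d?\d", bare):
        raise ValueError(f"bad protocol {proto!r}")
    if ports != "-":
        if bare not in ("tcp", "6", "udp", "17"):      # PORTS is only legal for TCP (6) / UDP (17)
            raise ValueError("PORTS may only be given with PROTOCOL tcp or udp")
        check_ports(ports)
    opts = set() if options == "-" else set(options.split(","))
    if opts - VALID_OPTIONS or {"whitelist", "audit"} <= opts:   # audit cannot go with whitelist
        raise ValueError(f"bad OPTIONS {options!r}")
    return {"address": address, "proto": proto, "ports": [] if ports == "-" else ports.split(","),
            "options": opts, "direction": "dst" if "dst" in opts else "src"}   # src is the default

def lint_blacklist(text):
    """Check every line of a blacklist file; return [(line_number, message), ...]."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        try:
            parse_blacklist_line(line)
        except ValueError as exc:
            problems.append((num, str(exc)))
    return problems
```

Running lint_blacklist() over the text of /etc/shorewall/blacklist returns the offending line numbers with a reason for each, and an empty list when every entry satisfies the rules above.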