| SHOREWALL-BLACKLIST(5) | [FIXME: manual] | SHOREWALL-BLACKLIST(5) |
NAME¶
blacklist - Shorewall Blacklist fileSYNOPSIS¶
/etc/shorewall/blacklist
DESCRIPTION¶
The blacklist file is used to perform static blacklisting. You can blacklist by source address (IP or MAC), or by application. The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax). ADDRESS/SUBNET (networks) - {-|~mac-address|ip-address| address-range|+ipset}Host address, network address, MAC address, IP
address range (if your kernel and iptables contain iprange match support) or
ipset name prefaced by "+" (if your kernel supports ipset match).
Exclusion ( shorewall-exclusion[1](5)) is supported.
MAC addresses must be prefixed with "~" and use "-" as a
separator.
Example: ~00-A0-C9-15-39-78
A dash ("-") in this column means that any source address will match.
This is useful if you want to blacklist a particular application using entries
in the PROTOCOL and PORTS columns.
PROTOCOL (proto) -
{-|[!]protocol-number|[!]protocol-name}
Optional - If specified, must be a protocol
number or a protocol name from protocols(5).
PORTS -
{-|[!]port-name-or-number[,port-name-or-number]...}
Optional - may only be specified if the
protocol is TCP (6) or UDP (17). A comma-separated list of destination port
numbers or service names from services(5).
OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
Optional - added in 4.4.12. If specified,
indicates whether traffic from ADDRESS/SUBNET ( src) or traffic
to ADDRESS/SUBNET ( dst) should be blacklisted. The default is
src. If the ADDRESS/SUBNET column is empty, then this column has no
effect on the generated rule.
Note
In Shorewall 4.4.12, the keywords from and to were used in place of src and dst
respectively. Blacklisting was still restricted to traffic arriving on
an interface that has the 'blacklist' option set. So to block traffic from
your local network to an internet host, you had to specify blacklist on
your internal interface in shorewall-interfaces[2] (5).
Note
Beginning with Shorewall 4.4.13, entries are applied based on the
blacklist setting in shorewall-zones[3](5):
In Shorewall 4.4.20, the whitelist option was added. When
whitelist is specified, packets/connections that match the entry are
not matched against the remaining entries in the file.
The audit option was also added in 4.4.20 and causes packets matching the
entry to be audited. The audit option may not be specified in whitelist
entries and require AUDIT_TARGET support in the kernel and iptables.
1.'blacklist' in the OPTIONS or IN_OPTIONS
column. Traffic from this zone is passed against the entries in this file that
have the src option (specified or defaulted).
2.'blacklist' in the OPTIONS or OUT_OPTIONS
column. Traffic to this zone is passed against the entries in this file that
have the dst option.
EXAMPLE¶
Example 1:To block DNS queries from address 192.0.2.126:
Example 2:
#ADDRESS/SUBNET PROTOCOL PORT
192.0.2.126 udp 53
To block some of the nuisance applications:
#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
FILES¶
/etc/shorewall/blacklistSEE ALSO¶
http://shorewall.net/blacklisting_support.htm http://shorewall.net/configuration_file_basics.htm#Pairs shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)NOTES¶
- 1.
- shorewall-exclusion
- 2.
- shorewall-interfaces
- 3.
- shorewall-zones
| 06/28/2012 | [FIXME: source] |