BlackList
#http://shorewall.net/blacklisting_support.htm
Example 1:
To block DNS queries from address 192.0.2.126:
#ADDRESS/SUBNET PROTOCOL PORT 192.0.2.126 udp 53
Example 2:
To block some of the nuisance applications:
#ADDRESS/SUBNET PROTOCOL PORT - udp 1024:1033,1434 - tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
--------------------------------------------------------------------------------------------------------
------------------------
# Shorewall version 3.4 - Blacklist File
#
# For information about entries in this file, type "man shorewall-blacklist"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
41.203.67.144
#192.168.10.250
#192.168.10.184
#~00-0F-FE-2C-F0-C9
#192.168.10.151
#~00-0F-FE-32-B2-4F
#192.168.10.196
#~00-0F-FE-32-B1-61
#192.168.10.214
#~00-24-81-8F-0D-AE
#192.168.10.155
#~18-A9-05-F2-05-A4
#192.168.10.184
#~00-19-BB-5A-9F-A4
#192.168.10.153
#~00-0F-FE-3A-97-D3
#192.168.10.227
#~00-24-81-13-43-BF
#192.168.10.198
#192.168.10.243
#~00:24:81:13:0E:61
#192.168.10.194(This command mail and browse both off)
#192.168.10.194 tcp 80,8080,3128 (this command for browse totally off and mail ok)
#192.168.10.243
#~00-21-85-71-4E-12
#Request BY Shahed
#192.168.10.193
#192.168.10.231
#Feb 14 2012 accounts
~00-0c-f1-e8-8a-94
#(cma2) via eth1
#(cont02)
~00-24-81-13-0e-58 tcp 25
~00-24-81-13-0e-11 tcp 25
~00-24-81-13-44-f8 tcp 25
~00-1c-c4-67-72-dd tcp 25
~00-1d-09-24-2a-cc tcp 25
~00-24-81-13-45-28 tcp 25
~00-24-81-13-0e-46 tcp 25
~00-24-81-13-0E-47 tcp 25
~00-24-81-13-43-BF tcp 25
##192.168.10.117
~2C-27-D7-30-C8-1D tcp 8080,80,3128
###Blocked as per DGM IT request
#192.168.10.140
#~00-24-81-13-0D-D7
#192.168.10.95
##192.168.10.218
~00-1C-23-4F-40-30
####
#192.168.10.251
#~00-0F-FE-62-68-AE tcp 8080,80,3128
#192.168.10.240
#~00-24-81-13-0E-11 tcp 8080,80,3128
#192.168.10.110
~00-24-81-13-0E-47
#192.168.10.109
#192.168.10.218
~00-1C-23-4F-40-30 tcp 8080,80,3128
#blocked for sending spam ip 155
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----------XXXXXXXXX----------------XXXXXXXXXXXXXXXXXXX-----------------XXXXXXXXXXXXXXX---------------
############### ################# ############### ################# ################
#vi /etc/shorewall/shorewall.conf
The following options may be set in shorewall.conf.
ACCEPT_DEFAULT={action[(parameters)][:level]|none}
DROP_DEFAULT={action[(parameters)][:level]|none}
NFQUEUE_DEFAULT={action[(parameters)][:level]|none}
QUEUE_DEFAULT={action[(parameters)][:level]|none}
REJECT_DEFAULT={action[(parameters)][:level]|none}
In earlier Shorewall versions, a "default action" for DROP and REJECT policies was specified in the file /usr/share/shorewall/actions.std.
In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were added.
DROP_DEFAULT describes the rules to be applied before a connection request is dropped by a DROP policy; REJECT_DEFAULT describes the rules to be applied if a connection request is rejected by a REJECT policy. The other three are similar for ACCEPT, QUEUE and NFQUEUE policies.
The value applied to these may be:
The default values are:
# vi /etc/shorewall/blacklist
# Shorewall version 4 - Blacklist File
# Shakil
#ADDRESS/SUBNET PROTOCOL PORT
- udp 67,68,123,135,137,139
- tcp 82,135,137,139,420
#192.168.1.207 / blocked again as antivirus was updated
#~00-1B-38-2E-E3-D7
#215
#~00-1C-C0-43-09-F1
#231
#~00-E0-4C-E2-E7-EB
#210
#~00-1C-C0-3A-9B-E2
#226
#~00-0B-DB-55-D5-A3
##192.168.1.213 & 209, 207
#~00-0B-DB-55-D3-A8
#~00-24-81-15-96-2F
#~00-1B-38-2E-E3-D7
#~00-14-0B-0D-B4-8D
#~00-1F-D0-C8-D5-71
#~00-0B-DB-55-D5-FA
#mx.agni.com
202.53.160.8
#~00-0B-DB-55-D5-A3
#Rakesh
#~00-16-D4-EE-E8-C5
#Rakib
#
#~00-1C-C0-43-09-F1
#235
#
#~00-0E-A6-E1-20-FB
#~00-1D-92-B8-E1-E8
77.67.2.176
77.67.2.177
77.67.2.178
77.67.2.179
-------------------------------------------------------------------------------------------------------
Shorewall Blacklisting/Whitelisting Support
Tom Eastep
Copyright © 2002-2006, 2010, 2011 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2016/02/17
Table of Contents
Caution
This article applies to Shorewall 4.4 and later. If you are running a version of Shorewall earlier than Shorewall 4.3.5 then please see the documentation for that release.
Introduction
Shorewall supports two different types of blackliisting; rule-based, static and dynamic. The BLACKLIST option in /etc/shorewall/shorewall.conf controls the degree of blacklist filtering.
The BLACKLIST option lists the Netfilter connection-tracking states that blacklist rules are to be applied to (states are NEW, ESTABLISHED, RELATED, INVALID, NOTRACK). The BLACKLIST option supersedes the BLACKLISTNEWONLY option:
BLACKLISTNEWONLY=No -- All incoming packets are checked against the blacklist. New blacklist entries can be used to terminate existing connections.
BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new connection requests. Blacklists may not be used to terminate existing connections.
Important
For automatic blacklisting based on exceeding defined threshholds, see Events.
Rule-based Blacklisting
Beginning with Shorewall 4.4.25, the preferred method of blacklisting and whitelisting is to use the blrules file (shorewall-blrules (5)). There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions, standard and custom macros as well as standard and custom actions. See shorewall-rules (5) for details.
Example:
#ACTION SOURCE DEST PROTO DEST # PORTS(S) SECTION BLACKLIST WHITELIST net:70.90.191.126 all DROP net all udp 1023:1033,1434,5948,23773 DROP all net udp 1023:1033 DROP net all tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773 DROP net:221.192.199.48 all DROP net:61.158.162.9 all DROP net:81.21.54.100 all tcp 25 DROP net:84.108.168.139 all DROP net:200.55.14.18 all
Beginning with Shorewall 4.4.26, the update command supports a -b option that causes your legacy blacklisting configuration to use the blrules file.
Note
If you prefer to keep your blacklisting rules in your rules file (shorewall-rules (5)), you can place them in the BLACKLIST section of that file rather than in blrules.
Legacy Blacklisting
Prior to 4.4.25, two forms of blacklisting were supported; static and dynamic. The dynamic variety is still appropriate for on-the-fly blacklisting; the static form is deprecated.
Important
By default, only the source address is checked against the blacklists. Blacklists only stop blacklisted hosts from connecting to you — they do not stop you or your users from connecting to blacklisted hosts .
UPDATE
Beginning with Shorewall 4.4.12, you can also blacklist by destination address. See shorewall-blacklist (5) and shorewall (8) for details.
Important
Dynamic Shorewall blacklisting is not appropriate for blacklisting 1,000s of different addresses. Static Blacklisting can handle large blacklists but only if you use ipsets. Without ipsets, the blacklists will take forever to load, and will have a very negative effect on firewall performance.
Static Blacklisting
Shorewall static blacklisting support has the following configuration parameters:
You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION setting in shorewall.conf(5).
You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL setting in shorewall.conf(5).
You list the IP addresses/subnets that you wish to blacklist in shorewall-blacklist (5). You may also specify PROTOCOL and Port numbers/Service names in the blacklist file.
You specify the interfaces whose incoming packets you want checked against the blacklist using the “blacklist”option in shorewall-interfaces(5) (shorewall-zones(5) in Shorewall 4.4.12 and later).
Prior to Shorewall 4.4.20, only source-address static blacklisting was supported.
Users with a large static black list may want to set the DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version 2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections before loading the blacklist rules. While this may allow connections from blacklisted hosts to slip by during construction of the blacklist, it can substantially reduce the time that all new connections are disabled during "shorewall [re]start".
Beginning with Shorewall 2.4.0, you can use ipsets to define your static blacklist. Here's an example:
#ADDRESS/SUBNET PROTOCOL PORT +Blacklistports[dst] +Blacklistnets[src,dst] +Blacklist[src,dst] #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
In this example, there is a portmap ipset Blacklistports that blacklists all traffic with destination ports included in the ipset. There are also Blacklistnets (type nethash) and Blacklist (type iphash) ipsets that allow blacklisting networks and individual IP addresses. Note that [src,dst] is specified so that individual entries in the sets can be bound to other portmap ipsets to allow blacklisting (source address, destination port) combinations. For example:
ipset -N SMTP portmap --from 1 --to 31 ipset -A SMTP 25 ipset -A Blacklist 206.124.146.177 ipset -B Blacklist 206.124.146.177 -b SMTP
This will blacklist SMTP traffic from host 206.124.146.177.
Static Whitelisting
Beginning with Shorewall 4.4.20, you can create whitelist entries in the blacklist file. Connections/packets matching a whitelist entry are not matched against the entries in the blacklist file that follow. Whitelist entries are created using the whitelist option (OPTIONS column). See shorewall-blacklist (5).
Dynamic Blacklisting
Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by setting DYNAMIC_BLACKLIST=Yes inshorewall.conf. Prior to that release, the feature is always enabled.
Once enabled, dynamic blacklisting doesn't use any configuration parameters but is rather controlled using /sbin/shorewall[-lite] commands. Note that to and from may only be specified when running Shorewall 4.4.12 or later.
drop [to|from] <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.
reject [to|from]<ip address list> - causes packets from the listed IP addresses to be rejected by the firewall.
allow [to|from] <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop orreject command.
save - save the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted.
Update: Beginning with Shorewall 4.4.10, the dynamic blacklist is automatically retained over stop/startsequences and over restart.
show dynamic - displays the dynamic blacklisting configuration.
logdrop [to|from] <ip address list> - causes packets from the listed IP addresses to be dropped and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
logreject [to|from}<ip address list> - causes packets from the listed IP addresses to be rejected and logged by the firewall. Logging will occur at the level specified by the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at the 'info' level if no BLACKLIST_LOGLEVEL was given).
Dynamic blacklisting is not dependent on the “blacklist” option in /etc/shorewall/interfaces.
Example 1. Ignore packets from a pair of systems
shorewall[-lite] drop 192.0.2.124 192.0.2.125
Drops packets from hosts 192.0.2.124 and 192.0.2.125
Example 2. Re-enable packets from a system
shorewall[-lite] allow 192.0.2.125
Re-enables traffic from 192.0.2.125.
Example 3. Displaying the Dynamic Blacklist
shorewall show dynamic
Displays the 'dynamic' chain which contains rules for the dynamic blacklist. The source column contains the set of blacklisted addresses.