Quick questions to you all:

I wish to define a couple of ipsets (3 ip sets containing about 17,000+ subnets plus about 10 portmap sets containing just port numbers). The IP sets (the large ones) are mainly to include them in my blacklist, but I would also like to use the portmap sets in my rules file for port matching.

I figured out how to define/use the IP port sets, i.e.:

---blacklist-----------
#ADDRESS/SUBNET PROTOCOL PORT
+blacklisted
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
----------------------
(the 'blacklisted' set is loaded automatically when shorewall starts - in the init file).

So, that part works as expected, though I have a query - does the above block incoming AS WELL AS outgoing connections to those subnets included in the ip set?

Also, I see that there are two additional options defined in the manual - 'src' and 'dst', i.e. +blacklisted[src,dst] may also be used. What is the purpose and functionality of these 2 options? The manual contains about a single line mentioning this and no other explanation is given - at least I could not find any!

Second query - I could not manage to make my portmap sets work in my shorewall rules file. When I try the following:

--------rules-------
#########################################################################################
#ACTION  SOURCE  DEST  PROTO  DEST             SOURCE   ORIGINAL  RATE   USER/  MARK
#                             PORT             PORT(S)  DEST      LIMIT  GROUP
ACCEPT   $FW     net   tcp    +ip-portmap-set
-------------------

and try to compile the above I get an error that the service '+ip-portmap-set' is not recognised (the set is of type portmap and is already loaded with ipsets -R - no problem).

So, my question is - what have I done wrong? Is there a way I can define portmap ip sets and use them in my rules file and if so how do I go about doing that?

Thanks a lot!
------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
On 6/14/10 3:37 PM, Mr Dash Four wrote:
> Quick questions to you all:
>
> I wish to define a couple of ipsets (3 ip sets containing about 17,000+
> subnets plus about 10 portmap sets containing just port numbers). The IP
> sets (the large ones) are mainly to include them in my blacklist, but I
> would also like to use the portmap sets in my rules file for port matching.
>
> I figured out how to define/use the IP port sets, i.e.:
>
> ---blacklist-----------
> #ADDRESS/SUBNET PROTOCOL PORT
> +blacklisted
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> ----------------------
> (the 'blacklisted' set is loaded automatically when shorewall starts -
> in the init file).
>
> So, that part works as expected, though I have a query - does the above
> block incoming AS WELL AS outgoing connections to those subnets
> included in the ip set?

No -- read 'man shorewall-blacklist'

> Also, I see that there are two additional
> options defined in the manual - 'src' and 'dst', i.e.
> +blacklisted[src,dst] may also be used. What is the purpose and
> functionality of these 2 options? The manual contains about a single
> line mentioning this and no other explanation is given - at least I
> could not find any!

They are used in "ipset binding" which is no longer supported by the current version of ipsets. You can read about them in the documentation accompanying older versions of ipsets.

> Second query - I could not manage to make my portmap sets work in my
> shorewall rules file. When I try the following:
>
> --------rules-------
> #########################################################################################
> #ACTION  SOURCE  DEST  PROTO  DEST             SOURCE   ORIGINAL  RATE   USER/  MARK
> #                             PORT             PORT(S)  DEST      LIMIT  GROUP
> ACCEPT   $FW     net   tcp    +ip-portmap-set
> -------------------
>
> and try to compile the above I get an error that the service
> '+ip-portmap-set' is not recognised (the set is of type portmap and is
> already loaded with ipsets -R - no problem).

Nowhere in the Shorewall documentation will you find any claim that such a construct will work. It won't.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
>> ---blacklist-----------
>> #ADDRESS/SUBNET PROTOCOL PORT
>> +blacklisted
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>> ----------------------
>> (the 'blacklisted' set is loaded automatically when shorewall starts -
>> in the init file).
>>
>> So, that part works as expected, though I have a query - does the above
>> block incoming AS WELL AS outgoing connections to those subnets
>> included in the ip set?
>>
>
> No -- read 'man shorewall-blacklist'
>

I see! So 'blacklist' in shorewall terms means 'blocking-source-IP-addresses-or-subnets-only'. That's a bit daft! It would have been better if I could ..erm... blacklist connections to AND from IP addresses specified in the blacklist file, otherwise what is the point of calling it, rather misleadingly, 'blacklist' when connections TO the 'blacklisted' IP addresses are still allowed?!

To mitigate this, I now need to create extra rules in my 'rules' file like:

DROP $FW net:+blacklisted

Not very clever, is it? I may as well not bother with this 'blacklist' business and keep everything in one place - in the rules file - and create a pair of such rules to block everything.

>> Second query - I could not manage to make my portmap sets work in my
>> shorewall rules file. When I try the following:
>>
>> --------rules-------
>> #########################################################################################
>> #ACTION  SOURCE  DEST  PROTO  DEST             SOURCE   ORIGINAL  RATE   USER/  MARK
>> #                             PORT             PORT(S)  DEST      LIMIT  GROUP
>> ACCEPT   $FW     net   tcp    +ip-portmap-set
>> -------------------
>>
>> and try to compile the above I get an error that the service
>> '+ip-portmap-set' is not recognised (the set is of type portmap and is
>> already loaded with ipsets -R - no problem).
>>
>
> Nowhere in the Shorewall documentation will you find any claim that such
> a construct will work. It won't.
>

Read the above again - where did I state that I expected it to 'work'? I am getting an error, so it is obvious that it is not working, hence my initial query. The idea was to use the portmap sets with shorewall in the same way I use ipmap/iptreemap ones. That was the whole reason for my second query - I thought that was pretty clear (well, not for you, obviously).

Oh, and you can dispense with the arsey comments - I asked for a bit of help, if you can't (or are unwilling to) provide such help, then don't bother - move along, nothing to see here. Simple as really!
On 6/15/10 10:33 AM, Mr Dash Four wrote:
>>
>> No -- read 'man shorewall-blacklist'
>>
> I see! So 'blacklist' in shorewall terms means
> 'blocking-source-IP-addresses-or-subnets-only'. That's a bit daft! It
> would have been better if I could ..erm... blacklist connections to AND
> from IP addresses specified in the blacklist file, otherwise what is the
> point of calling it, rather misleadingly, 'blacklist' when connections
> TO the 'blacklisted' IP addresses are still allowed?!

You too, sir, can dispense with the arsey comments.

>>
> Read the above again - where did I state that I expected it to 'work'? I
> am getting an error, so it is obvious that it is not working, hence my
> initial query. The idea was to use the portmap sets with shorewall in
> the same way I use ipmap/iptreemap ones. That was the whole reason for
> my second query - I thought that was pretty clear (well, not for you,
> obviously).

The syntax for using ipsets is the same, regardless of the set type.

ACCEPT $FW net:+ip-portmap-set tcp

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
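An added example, not part of the thread and not Shorewall's or ipset's own code, that ties the two answers together: it builds an `ipset restore` file from a raw list of blocklisted subnets and permitted ports, and emits the Shorewall rules fragment in which the set is referenced the same way whatever its type (`net:+SET` in the SOURCE or DEST column). Assumptions not stated in the thread: the ipset 6.x `create`/`add` restore syntax with `hash:net` and `bitmap:port` (the ipset 4.x `iptreemap`/`portmap` types used in the thread have the same role), the thread's set names `blacklisted` and `ip-portmap-set`, and constructed RFC 5737 sample addresses. Overlapping and duplicate networks are collapsed before loading, which matters with 17,000+ feed entries.

```python
"""Generate an `ipset restore` file and a Shorewall rules fragment from plain
lists of blocklisted subnets and permitted destination ports.

Example code written for the Shorewall thread above; not project code.
Assumptions: ipset 6.x restore syntax (create/add, hash:net, bitmap:port),
set names from the thread, constructed RFC 5737 sample input.
"""
import ipaddress
from typing import Iterable, List

BLACKLIST_SET = "blacklisted"
PORT_SET = "ip-portmap-set"

# Constructed sample input (not from the thread): overlaps, a duplicate,
# a bare host, a comment and a blank, as a real feed typically contains.
SAMPLE_SUBNETS = [
    "192.0.2.0/24",
    "192.0.2.128/25",      # covered by the /24 above
    "198.51.100.0/24",
    "198.51.100.0/24",     # exact duplicate
    "203.0.113.7",         # bare host -> /32
    "# comments and blank lines are skipped",
    "",
]
SAMPLE_PORTS = [80, 443, 8080, 443]


def collapse_subnets(entries: Iterable[str]) -> List[str]:
    """Parse IPv4 entries, drop comments/blanks, merge overlaps and duplicates.

    Aggregating first keeps the set small; rejecting IPv6 keeps it valid for
    a 'family inet' set instead of failing half-way through the restore.
    """
    nets = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=False)
        if net.version != 4:
            raise ValueError(f"IPv6 entry {text!r} does not fit a family inet set")
        nets.append(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def normalize_ports(ports: Iterable[int]) -> List[int]:
    """Validate the 0-65535 range a bitmap:port set can hold and deduplicate."""
    cleaned = set()
    for p in ports:
        p = int(p)
        if not 0 <= p <= 65535:
            raise ValueError(f"port {p} outside 0-65535")
        cleaned.add(p)
    return sorted(cleaned)


def ipset_restore(subnets: Iterable[str], ports: Iterable[int]) -> str:
    """Render input for `ipset restore` (load with: ipset -exist restore < file)."""
    subnets = collapse_subnets(subnets)
    ports = normalize_ports(ports)
    # maxelem must exceed the entry count; 17,000+ subnets fit the 65536 default.
    maxelem = max(65536, 2 * len(subnets))
    lines = [f"create {BLACKLIST_SET} hash:net family inet hashsize 4096 maxelem {maxelem}"]
    lines += [f"add {BLACKLIST_SET} {n}" for n in subnets]
    lines.append(f"create {PORT_SET} bitmap:port range 0-65535")
    lines += [f"add {PORT_SET} {p}" for p in ports]
    return "\n".join(lines) + "\n"


def shorewall_rules() -> str:
    """Rules fragment using the one ipset syntax Shorewall has for every set type.

    `net:+SET` in SOURCE becomes `--match-set SET src`, in DEST `--match-set SET dst`,
    so a port set in the DEST column matches the destination port. The blacklist
    file matches sources only, hence the explicit DROP pair covering both
    directions; replace `all` with `$FW` (as in the thread) to restrict it to
    the firewall's own traffic. DROPs come before the ACCEPT because rules are
    evaluated in order.
    """
    rows = [
        ("#ACTION", "SOURCE", "DEST", "PROTO"),
        ("DROP", f"net:+{BLACKLIST_SET}", "all", ""),
        ("DROP", "all", f"net:+{BLACKLIST_SET}", ""),
        ("ACCEPT", "$FW", f"net:+{PORT_SET}", "tcp"),
    ]
    return "\n".join("{:<8} {:<22} {:<22} {}".format(*r).rstrip() for r in rows) + "\n"


if __name__ == "__main__":
    print(ipset_restore(SAMPLE_SUBNETS, SAMPLE_PORTS))
    print(shorewall_rules())
```

Running the script prints the restore file (three `add` lines for the four network entries, since the /25 and the duplicate are absorbed) followed by the rules fragment; the sets must be loaded before `shorewall start`, which is what the thread's init-file step does.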