Hi,

I'm using shorewall 4.4.26.1 and I have a personal blacklist file that I want to apply to the entire local network except some special users. Reading the docs I see the option to whitelist in the /etc/shorewall/blacklist file, but for me it isn't working.

In my /etc/shorewall/blacklist I have:

10.1.106 tcp 443 whitelist
INCLUDE /etc/shorewall/https (my blacklist)

How do I exclude the internal IP and firewall IP from that blacklist?

Thanks,
Wilson

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
Wilson A. Galafassi Jr. wrote on 2013-02-27 19:59:
> 10.1.106 tcp 443 whitelist
> INCLUDE /etc/shorewall/https (my blacklist)
>
> How do I exclude the internal IP and firewall IP from that blacklist?

Change it to use the blrules file: start with the whitelist at the top of the file and then follow it with the blacklist in the same file. That should be it, IMHO :)
Hi,

I figured out how to do this using the rules file:

SECTION BLACKLIST
WHITELIST loc:10.1.1.107 all
INCLUDE /etc/shorewall/https

In /etc/shorewall/https:

DROP loc net:173.252.100.27

Now I have another question: to reload the blacklist I'm using the command

shorewall refresh loc2net

and the rule appears if I use the command iptables -L, but the blocking doesn't work using the refresh command. It only works if I use the shorewall restart command. Why does the rule appear but only work if I restart shorewall?

In shorewall.conf I have the option:

BLACKLISTNEWONLY=No

Thanks again,
Wilson

-----Original Message-----
From: Benny Pedersen [mailto:me@junc.eu]
Sent: Wednesday, 27 February 2013 16:32
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] blacklist and whitelist

> Wilson A. Galafassi Jr. wrote on 2013-02-27 19:59:
>> 10.1.106 tcp 443 whitelist
>> INCLUDE /etc/shorewall/https (my blacklist)
>>
>> How do I exclude the internal IP and firewall IP from that blacklist?
>
> Change it to use the blrules file: start with the whitelist at the top of the file and then follow it with the blacklist in the same file. That should be it, IMHO :)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Wilson A. Galafassi Jr. wrote on 2013-02-27 22:04:
> I figured out how to do this using the rules file:

http://www.shorewall.net/manpages/shorewall-blrules.html
Hi,

If I use shorewall restart the blocking works fine, but if I use shorewall refresh it doesn't, though the rule appears using iptables -L.

Any idea?

Thanks,
Wilson

-----Original Message-----
From: Benny Pedersen [mailto:me@junc.eu]
Sent: Wednesday, 27 February 2013 19:39
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] RES: blacklist and whitelist

> Wilson A. Galafassi Jr. wrote on 2013-02-27 22:04:
>> I figured out how to do this using the rules file:
>
> http://www.shorewall.net/manpages/shorewall-blrules.html
On 2/27/13 4:09 PM, "Wilson A. Galafassi Jr." <wilson.galafassi@gmail.com> wrote:

> Hi,
>
> If I use shorewall restart the blocking works fine, but if I use shorewall
> refresh it doesn't, though the rule appears using iptables -L
>
> Any idea?

When you 'shorewall refresh', you should see a progress message similar to this one:

Preparing iptables-restore input for chains net-dmz~ ~blacklist1 reject net-fw~ mangle:

Which chains are listed in your message?

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
Wilson A. Galafassi Jr. wrote on 2013-02-28 01:09:
> If I use shorewall restart the blocking works fine, but if I use
> shorewall
> refresh it doesn't, though the rule appears using iptables -L

Yes, as you see, a restart is needed to reconfigure the iptables rules. If you want to have a dynamic blacklist then use shorewall allow <ip> or shorewall drop <ip>; both have log variants. But it would help me if you show why you need to reload/restart the firewall.
On 2/27/13 4:35 PM, "Benny Pedersen" <me@junc.eu> wrote:

> Wilson A. Galafassi Jr. wrote on 2013-02-28 01:09:
>> If I use shorewall restart the blocking works fine, but if I use
>> shorewall
>> refresh it doesn't, though the rule appears using iptables -L
>
> Yes, as you see, a restart is needed to reconfigure the iptables rules. If
> you want to have a dynamic blacklist then use shorewall allow <ip> or
> shorewall drop <ip>; both have log variants. But it would help me if you
> show why you need to reload/restart the firewall.

By default, 'refresh' reloads all blacklist chains. But if new chains are added, 'refresh' won't create jumps to those chains; that requires 'restart'.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
I have this:

Compiling /etc/shorewall/rules...
Rule "DROP loc net:173.252.100.27" Compiled
Rule "DROP loc net:173.252.101.26" Compiled
Rule "DROP loc net:173.252.110.27" Compiled
Rule "DROP loc net:66.220.152.19" Compiled

because I have in the rules file:

SECTION BLACKLIST
INCLUDE /etc/shorewall/https

with that content. And about what you mentioned, I have:

Creating iptables-restore input...
Compiling iptables-restore input for chains loc2net~ mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.refresh
Refreshing Shorewall....
Initializing...
Loading Modules...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input for chains loc2net~ mangle:...
Running iptables-restore...
IPv4 Forwarding Enabled
done.

Thanks,
Wilson

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 27 February 2013 21:19
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: RES: blacklist and whitelist

> When you 'shorewall refresh', you should see a progress message similar to this one:
>
> Preparing iptables-restore input for chains net-dmz~ ~blacklist1 reject net-fw~ mangle:...
>
> Which chains are listed in your message?
>
> -Tom
I need to reload because the whitelist is dynamic and the hosts file changes continuously. I have made a script to block some hosts... so the script grabs the IP of the host and adds it to the blacklist file... but the host has a lot of IPs, and every new IP I will add to the blacklist.

Any other suggestion?

Thanks,
Wilson

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 27 February 2013 21:46
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: RES: blacklist and whitelist

> By default, 'refresh' reloads all blacklist chains. But if new chains are
> added, 'refresh' won't create jumps to those chains; that requires
> 'restart'.
>
> -Tom
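An added example, not code from the thread or from Shorewall itself: a POSIX sh script of the kind Wilson describes, which regenerates the BLACKLIST section from a list of exempt internal hosts and a list of remote IPs, keeping the WHITELIST lines ahead of the DROP lines as Benny recommends, collapsing duplicates, and refusing anything that is not a plain IPv4 address so that a bad resolver result never becomes an unintended rule. The function names are this example's own; 10.1.1.107 and the 173.252.x.x addresses are the ones used in the thread, and the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): generate the BLACKLIST section of
# /etc/shorewall/rules from a list of exempt internal hosts and a list of
# remote IPs to block. WHITELIST lines are emitted before any DROP line,
# duplicates are collapsed and malformed addresses are refused, so a bad
# resolver result never turns into a rule that was not intended.
# Function names are this example's own; 10.1.1.107 and the 173.252.x.x
# addresses are the ones used in the thread.

# is_ipv4 ADDR: succeed only for a plain dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on the dots; the case above rules out empty fields
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_blacklist_section "HOST ..." "IP ...": print the rules fragment.
# Both arguments are whitespace-separated lists. The exemptions go first,
# as Benny says above, so a whitelisted host is never reached by a DROP.
build_blacklist_section() {
    whitelist=$1
    blocked=$2
    echo "SECTION BLACKLIST"
    for host in $whitelist; do
        echo "WHITELIST loc:$host all"
    done
    seen=" "
    for ip in $blocked; do
        is_ipv4 "$ip" || continue                      # skip junk
        case "$seen" in *" $ip "*) continue ;; esac    # skip repeats
        seen="$seen$ip "
        echo "DROP loc net:$ip"
    done
}

# Constructed sample run: a duplicate, a hostname and an out-of-range
# address are all dropped; only two DROP rules survive.
build_blacklist_section "10.1.1.107" \
    "173.252.100.27 173.252.100.27 bad.example 300.1.1.1 173.252.101.26"
```

Write the output over the blacklist section (or the INCLUDEd /etc/shorewall/https) and then run shorewall refresh; as Tom notes above, refresh only reloads chains that already exist, so a change that introduces new chains still needs a restart.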
And I need some hosts in the internal network to be whitelisted and not be affected by the blacklist. If I use the dynamic blacklist, does the whitelist function work in the same way?
If you are needing to adjust lists of IPs frequently then I'd suggest either using the shorewall dynamic features, though I'm not familiar with those so can't offer much advice, or alternatively, do you have ipset match in your kernel? You can easily edit your list on the fly then whenever you want to.

On 28/02/13 02:40, Wilson A. Galafassi Jr. wrote:
> And I need some hosts in the internal network to be whitelisted
> and not be affected by the blacklist. If I use the dynamic blacklist, does the
> whitelist function work in the same way?
Yes. I understand now. Thanks.