Hello,

Is it possible to do "shorewall reject 1.1.1.1 tcp 25"?

So I can dynamically blacklist offensive SMTP senders, but only have shorewall reject certain types (SMTP) of traffic from them?

Thanks,

Alex Martin
http://www.rettc.com
Ben Greiner
2005-Feb-12 03:36 UTC
Re: Is is possible to do "shorewall reject 1.1.1.1 tcp 25"
I didn't try it, but what I would do is:

- creating a new zone, let's say "rsmtp"
- creating a rule that SMTP access for hosts in this zone should be rejected
- dynamically adding hosts to this zone via shorewall add

The rule should appear somewhere at the beginning of the rules file, before other traffic from net is handled.

/ben

On 12.02.2005 03:38, Alex Martin wrote:
> Is it possible to do "shorewall reject 1.1.1.1 tcp 25"?
> So I can dynamically blacklist offensive SMTP senders, but only have shorewall reject certain types (SMTP) of traffic from them?

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Ben Greiner
2005-Feb-12 03:38 UTC
Re: Is is possible to do "shorewall reject 1.1.1.1 tcp 25"
Sorry, one more comment: if you do it this way, the "blacklist" will be lost after a shorewall restart if you don't save it elsewhere.

On 12.02.2005 04:36, Ben Greiner wrote:
> I didn't try it, but what I would do is:
> - creating a new zone, let's say "rsmtp"
> - creating a rule that SMTP access for hosts in this zone should be rejected
> - dynamically adding hosts to this zone via shorewall add
>
> The rule should appear somewhere at the beginning of the rules file, before other traffic from net is handled.
Alex Martin
2005-Feb-12 04:24 UTC
Re: Is is possible to do "shorewall reject 1.1.1.1 tcp 25"
Ben Greiner wrote:
> I didn't try it, but what I would do is:
> - creating a new zone, let's say "rsmtp"
> - creating a rule that SMTP access for hosts in this zone should be rejected
> - dynamically adding hosts to this zone via shorewall add

Great idea!

I guess, then, is there a way to extract the hosts that have been dynamically added to this zone, so I could populate a static list that could be used for the blacklist file when I do a shorewall restart?

Thanks,

Alex Martin
http://www.rettc.com
Ben Greiner
2005-Feb-12 18:26 UTC
Re: Is is possible to do "shorewall reject 1.1.1.1 tcp 25"
On 12.02.2005 05:24, Alex Martin wrote:
> Great idea!
>
> I guess, then, is there a way to extract the hosts that have been dynamically added to this zone, so I could populate a static list that could be used for the blacklist file when I do a shorewall restart?

shorewall show zones

For a different purpose, I use PHP to format the output. This looks like the following function. The global var $shorewall__zones is an array of zone names which I would like to have in the output of the function, set in my config files. The function returns an array of these zones, where each zone itself is represented by an array of the hosts in it.

    function shorewall__read_zones() {
        global $shorewall__zones;
        // Run "shorewall show zones"; each output line is appended to $zonestext.
        exec('sudo /sbin/shorewall show zones', $zonestext, $rvar);
        $zone = '';
        $zones = array();
        foreach ($zonestext as $entry) {
            if (trim($entry) == '') continue;            // skip blank lines
            if (substr($entry, 0, 1) == " ")
                $zones[$zone][trim($entry)] = true;      // indented line: host in current zone
            else
                $zone = trim($entry);                    // unindented line: zone name
        }
        // Keep only the zones listed in $shorewall__zones.
        $realzones = array();
        foreach ($zones as $zname => $zarray) {
            if (in_array($zname, $shorewall__zones))
                $realzones[$zname] = $zarray;
        }
        return $realzones;
    }

/ben
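The following is an added example, not code from the thread or from the Shorewall project. It ties together the two points raised above: Ben's dynamic "rsmtp" zone approach and Alex's question of how to extract the dynamically added hosts so they survive a restart. It parses the same "shorewall show zones" text layout that Ben's PHP function relies on (an unindented line names a zone, the indented lines under it are its members) and turns the members of one zone into lines for a static config file. The zone name "rsmtp", the interface "eth0", the hosts-file column layout, the config sketch in the comments and the sample output it runs on are all assumptions for this example; check them against the Shorewall version you run.

```shell
#!/bin/sh
# Added example (not from the thread): persist the hosts that were added to a
# dynamic Shorewall zone with "shorewall add", so they survive "shorewall restart".
# Assumed pieces of Ben's setup (Shorewall 2.x style column layouts, unverified here):
#   shorewall.conf:  DYNAMIC_ZONES=Yes
#   zones:           rsmtp   RejSMTP   Dynamic zone for blacklisted SMTP senders
#   rules:           REJECT  rsmtp   $FW   tcp   25    (placed before any net->$FW SMTP ACCEPT)
#   at runtime:      shorewall add eth0:192.0.2.10 rsmtp

# Print the members of zone $1, one per line, reading "show zones" text on stdin.
# Layout assumed: unindented line = zone name, indented lines = members of that zone.
zone_hosts() {
    awk -v want="$1" '
        /^[^ \t]/       { cur = $1; next }
        /^[ \t]+[^ \t]/ { if (cur == want) { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print } }
    '
}

# Read members on stdin; print hosts-file style lines "ZONE<TAB>IFACE:HOST".
# A member that already carries an "iface:" prefix is kept as-is (IPv4 only:
# a bare IPv6 address would also match the "*:*" case).
to_hosts_entries() {
    zone="$1"; iface="$2"
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        case "$h" in
            *:*) printf '%s\t%s\n'    "$zone" "$h" ;;
            *)   printf '%s\t%s:%s\n' "$zone" "$iface" "$h" ;;
        esac
    done
}

# Full pipeline: "show zones" text on stdin -> static entries for zone $1 on iface $2.
persist_zone() {
    zone_hosts "$1" | to_hosts_entries "$1" "$2"
}

# Constructed sample of "show zones" output so the script runs offline.
SAMPLE='net
   eth0:0.0.0.0/0
rsmtp
   eth0:192.0.2.10
   198.51.100.7
loc
   eth1:10.0.0.0/8'

# Real use would be:  shorewall show zones | persist_zone rsmtp eth0 >> /etc/shorewall/hosts
printf '%s\n' "$SAMPLE" | persist_zone rsmtp eth0
```

Run it before the restart and append the output to the static file you want the blacklist reloaded from; the member lines are taken verbatim from the running zone, so a typo in the zone name just yields empty output rather than a wrong entry.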