As it turns out, I don't think that it is necessary for Shorewall to have
explicit blacklist support since it can be implemented nicely already.
Whatever I did in the firewall script would just add code to duplicate much
of the following:

In /etc/shorewall/zones:

bl      Blacklist       List of black-listed hosts/nets
net     Internet        The untrusted Internet
loc     Local           My Local Network
...

It is important that 'bl' be before 'net'.

Assuming that your internet interface is eth0, in /etc/shorewall/interfaces

net     eth0    norfc1918,...

In /etc/shorewall/hosts:

bl      eth0:ip1,ip2,...

where the ipX are subnets and/or ip addresses. If you want to put them in a
file (let's say /etc/shorewall/blacklist) with one entry per line, then in
/etc/shorewall/params, you can put:

        BLACKLIST='cat /etc/shorewall/blacklist'
        BLACKLIST='echo $BLACKLIST | sed 's/ /,/g'`

and in /etc/shorewall/hosts put:

bl      eth0:$BLACKLIST

In /etc/shorewall/policy

bl      all     DROP

That's it! All packets from the blacklisted hosts will be dropped.

If one of you who has a need for a black list would try the above and let us
know how it works, the rest of us would appreciate it.

Thanks,
-Tom
--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
-------------------------------------------
Couldn't you also create a rule and blacklist hosts from certain services?

Charles

-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, January 07, 2002 1:15 PM
To: Shorewall Users
Subject: [Shorewall-users] Blacklist

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
On Monday 07 January 2002 01:27 pm, Charles J. Boening wrote:
> Couldn't you also create a rule and blacklist hosts from certain
> services?

Sure --

-Tom
On Mon, 7 Jan 2002, Tom Eastep wrote:
> As it turns out, I don't think that it is necessary for Shorewall to have
> explicit blacklist support since it can be implemented nicely already.

I agree.

> In /etc/shorewall/hosts:
>
> bl      eth0:ip1,ip2,...

This doesn't work in my setup (1.2.0), eth0:ip1,eth0:ip2,... does however...

>         BLACKLIST='cat /etc/shorewall/blacklist'
>         BLACKLIST='echo $BLACKLIST | sed 's/ /,/g'`

Ah, this is great, just what I needed!

Thanks, Pieter.
--
Watch out for the muons!
On Mon, 7 Jan 2002, Tom Eastep wrote:
> On Monday 07 January 2002 01:27 pm, Charles J. Boening wrote:
> > Couldn't you also create a rule and blacklist hosts from certain
> > services?
>
> Sure --
>
> -Tom

Just use Tom's method for blacklisting, it's pretty general...

Bye, Pieter.
--
Watch out for the muons!
On Monday 07 January 2002 01:39 pm, Pieter Ennes wrote:
> On Mon, 7 Jan 2002, Tom Eastep wrote:
> > As it turns out, I don't think that it is necessary for Shorewall to have
> > explicit blacklist support since it can be implemented nicely already.
>
> I agree.
>
> > In /etc/shorewall/hosts:
> >
> > bl      eth0:ip1,ip2,...
>
> This doesn't work in my setup (1.2.0), eth0:ip1,eth0:ip2,... does
> however...
>
> >         BLACKLIST='cat /etc/shorewall/blacklist'
> >         BLACKLIST='echo $BLACKLIST | sed 's/ /,/g'`
>
> Ah, this is great, just what I needed!

Good -- if you still just want to list the ip addresses in your blacklist
file, something like this should work:

        BLACKLIST=`cat /etc/shorewall/blacklist`
        BLASKLIST=echo "eth0:$BLACKLIST" | sed `s/ /,eth0:/g'`

-Tom
On Monday 07 January 2002 01:53 pm, Tom Eastep wrote:
>
>         BLACKLIST=`cat /etc/shorewall/blacklist`
>         BLASKLIST=echo "eth0:$BLACKLIST" | sed `s/ /,eth0:/g'`

Actual commands are:

        BLACKLIST=`cat /etc/shorewall/blacklist`
        BLACKLIST=`echo eth0:$BLACKLIST | sed 's/ /,eth0:/g'`

-Tom
Thanks for what seems to be a very good firewall. I installed it last night
on my home router system, and even though I haven't really tweaked it yet,
every 'net based port scan I threw at it, like those at
http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2, couldn't
even tell I was there (and this was with me initiating the scans from a
masq'd host behind the firewall).

A feature I'd like to see would be a command that would immediately add or
remove an ip or hostname to the blacklist and refresh the firewall. Maybe
something like "shorewall blacklist 12.34.56.78 on" to add and
"shorewall blacklist 12.34.56.78 off" to remove.

Just an idea.

Thanks,
Jim Hubbard
Put this in a script called: add2bl

#!/bin/sh
# append the address given as $1 to the blacklist file, then reload the firewall
echo "$1" >> /etc/shorewall/blacklist; /etc/shorewall/firewall refresh

Then call it like this:

add2bl ip.add.ress.here

Could also call the script from other monitoring progs like snort or prelude

Charles

-----Original Message-----
From: shorewall-users-admin@shorewall.net
[mailto:shorewall-users-admin@shorewall.net] On Behalf Of Jim Hubbard
Sent: Wednesday, January 09, 2002 7:09 AM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Blacklist
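The following is an added example, not code from the thread or from Shorewall itself: it builds the hosts-file entry Tom derives with sed (in the eth0:ip1,eth0:ip2 form Pieter reported working on 1.2.0) directly from a one-entry-per-line blacklist file, and pairs it with a checked version of Charles' add2bl that rejects anything that is not an address or CIDR block and never appends a duplicate. The interface name, the blacklist file path and the refresh command are parameters (assumed, not Shorewall's own); the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build the /etc/shorewall/hosts
# entry for the 'bl' zone from a blacklist file, plus a checked add2bl.
# Paths, interface and refresh command are parameters (assumptions), so
# nothing here touches /etc/shorewall unless you point it there.

# Accept only dotted-quad addresses with an optional /prefix; anything
# else (hostnames, shell metacharacters) is refused rather than spliced
# into a firewall rule.
valid_ip_or_net() {
    printf '%s\n' "$1" | grep -Eq \
      '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# bl_hosts_entry IFACE FILE  ->  "IFACE:ip1,IFACE:ip2,..."
# Blank lines and '#' comments are skipped; an invalid entry aborts, so a
# stray line cannot silently produce an empty or malformed zone entry.
bl_hosts_entry() {
    iface=$1; file=$2; out=''
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')    # drop whitespace
        [ -z "$entry" ] && continue
        valid_ip_or_net "$entry" || {
            echo "bad blacklist entry: $entry" >&2; return 1; }
        out="${out:+$out,}$iface:$entry"
    done < "$file"
    printf '%s\n' "$out"
}

# add2bl ADDR FILE [REFRESH_CMD]: append ADDR once and run the refresh
# command (default: the refresh Charles' script uses).
add2bl() {
    addr=$1; file=$2; refresh=${3:-'/etc/shorewall/firewall refresh'}
    valid_ip_or_net "$addr" || {
        echo "refusing to blacklist '$addr'" >&2; return 1; }
    grep -qxF "$addr" "$file" 2>/dev/null && return 0   # already listed
    printf '%s\n' "$addr" >> "$file" && $refresh
}
```

Running `bl_hosts_entry eth0 /etc/shorewall/blacklist` from /etc/shorewall/params gives the value to place after `bl` in /etc/shorewall/hosts.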