search for: blacklist_disposition

Displaying 20 results from an estimated 22 matches for "blacklist_disposition".

2005 May 08
4
not logging some ports?
Hello, I want not to log some dropped packets going from net to fw, i.e. to exclude some ports. For example, I get lots of denied SPT=4672 DPT=7476 packets in /var/log/messages. I know I can probably do this by using ulog or some other logging system and writing some rules to exclude "SPT=4672", but is it possible for shorewall not to log some ports? Sorry if it is obvious, but I
2009 Aug 29
10
Combatting DDoS attack
Hi, I've been working the past 8 hrs combatting DDoS attacks on websites and dedicated servers I host for clients. They're hitting one specific IP address, but coming from thousands of external IP addresses. I use: shorewall-4.0.10-3.noarch How can I tackle this? I've blocked many subnets in the blacklist file but it's made very little difference. If
2003 Aug 12
1
Shorewall Keeps sending false IP Address Conflict
...initialize + export LC_ALL=C + LC_ALL=C + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + terminator=startup_error + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + LOGUNCLEAN= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + NAT_BEFORE_RULES= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + SHAR...
2004 Oct 04
1
Re:
A non-text attachment was scrubbed... Name: Joke.cpl Type: application/octet-stream Size: 0 bytes Desc: not available Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20041004/b2efa4e8/Joke.obj
2003 Mar 21
1
Shorewall config format
Hi, I'm a long time shorewall user and I like it very much. There is only one thing where I'm not always happy with it: the config files. There has been discussion on the list about the comments in the files. My concern is that I lose overview of my configuration because of the many config files. Of course there are advantages too but I'm thinking whether another config format would
2002 May 14
4
Redirect loc::80 to fw::3128 not work
...DIR="" LOGRATE="1/minute" LOGBURST="5" LOGUNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMSS="Yes" ROUTE_FILTER="Yes" NAT_BEFORE_RULES="Yes" #[/etc/shorewall/start]----------------------------------------------- run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP #[/etc/shorewall/zones]-------------------------...
2005 Mar 10
7
norfc1918 not working in SW 2.2.1?
...=fw IP_FORWARDING=Off ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=No BLACKLISTNEWONLY=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP [root@hn00dmz01 root]# ip addr show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo 5: bond0: <BROADCAST,MULTICAST,MAS...
2003 Jan 25
7
automagic blacklist
Hello list members, Over the past 12 hours my firewall box has had over 300 hits to port 1434 from numerous IPs. I ran tcpdump on a couple of them and it looks like the ms-sql exploit attempt. I don't use ms-sql. I've always gotten a few hits per day, but now it's gotten out of control. I use logcheck to email the system logs to me and at this rate by the
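The "not logging some ports?" post and the "automagic blacklist" post above are two ends of one workflow: decide which logged drops are noise to be silenced, and turn the repeat offenders in what remains into blacklist entries whose fate is set by BLACKLIST_DISPOSITION. The POSIX shell script below is an added example and is not code from the list or from the Shorewall project. It assumes the log prefix form Shorewall's LOG target writes (`Shorewall:<chain>:<disposition>:` followed by the netfilter `SRC=`/`DPT=` fields, as in the iptables-save output quoted in the macaddress-blacklist post further down), the three-column `/etc/shorewall/blacklist` layout (ADDRESS/SUBNET PROTOCOL PORT) shown in that same post, and the rules-file column order ACTION SOURCE DEST PROTO DEST PORT. The log lines and the shorewall.conf fragment are constructed samples, and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the mailing list or the Shorewall project.
# Assumptions: Shorewall LOG prefix "Shorewall:<chain>:<disposition>:" followed
# by netfilter SRC=/DPT= fields; /etc/shorewall/blacklist columns
# ADDRESS/SUBNET PROTOCOL PORT; rules columns ACTION SOURCE DEST PROTO DEST PORT.

# Constructed sample log lines (not real traffic): three hits on udp/1434 from
# one address, one from another, the kind of udp/7476 noise the "not logging
# some ports?" post complains about, and one unrelated local reject.
SAMPLE_LOG='Jan 25 03:12:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=UDP SPT=1034 DPT=1434
Jan 25 03:12:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=UDP SPT=1035 DPT=1434
Jan 25 03:12:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=1036 DPT=1434
Jan 25 03:12:04 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=UDP SPT=1037 DPT=1434
Jan 25 03:12:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=4672 DPT=7476
Jan 25 03:12:06 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=4672 DPT=7476
Jan 25 03:12:07 fw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=10.0.0.4 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=22'

# Constructed shorewall.conf fragment (the setting this search is about).
SAMPLE_CONF='# BLACKLIST DISPOSITION
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=info'

# repeat_sources LOG DPORT THRESHOLD
#   Print "SRC count" for each source logged hitting DPORT at least
#   THRESHOLD times, sorted by address. Only Shorewall-prefixed lines count,
#   so unrelated kernel messages in the same file are ignored.
repeat_sources() {
    printf '%s\n' "$1" | awk -v want="$2" -v thresh="$3" '
        /Shorewall:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == want) hits[src]++
        }
        END { for (s in hits) if (hits[s] >= thresh) print s, hits[s] }
    ' | sort
}

# blacklist_entries LOG DPORT THRESHOLD PROTO
#   Emit blacklist-file lines (ADDRESS/SUBNET PROTOCOL PORT) for the repeat
#   offenders; they belong above the "#LAST LINE" marker of the file.
blacklist_entries() {
    repeat_sources "$1" "$2" "$3" | while read -r src _count; do
        printf '%s\t%s\t%s\n' "$src" "$4" "$2"
    done
}

# silence_port_rule PROTO PORT
#   Rules-file line that drops net->fw traffic to PORT with no log level,
#   so the packet is disposed of before the (logging) policy sees it and
#   never reaches /var/log/messages.
silence_port_rule() {
    printf 'DROP\tnet\tfw\t%s\t%s\n' "$1" "$2"
}

# blacklist_disposition CONF
#   Print the BLACKLIST_DISPOSITION value from shorewall.conf text and fail
#   unless it is DROP or REJECT, the two values the quoted confs use.
blacklist_disposition() {
    d=$(printf '%s\n' "$1" | sed -n 's/^BLACKLIST_DISPOSITION=//p' | tail -n 1 | tr -d '"')
    case "$d" in
        DROP|REJECT) printf '%s\n' "$d" ;;
        *) printf 'unsupported BLACKLIST_DISPOSITION: "%s"\n' "$d" >&2; return 1 ;;
    esac
}

# Demonstration: who earns a blacklist entry for udp/1434, the lines to add
# to /etc/shorewall/blacklist, the rule that silences udp/7476, and what
# blacklisted traffic will get.
repeat_sources "$SAMPLE_LOG" 1434 3
blacklist_entries "$SAMPLE_LOG" 1434 3 udp
silence_port_rule udp 7476
blacklist_disposition "$SAMPLE_CONF"
```

Run it against a real file with `repeat_sources "$(cat /var/log/messages)" 1434 50` and review the output before appending anything: a blacklist built from logs alone will happily block a spoofed source, which is why the threshold and the per-port scope matter. After editing the blacklist file, `shorewall restart` makes the entries live; the silencing DROP rule works because Shorewall evaluates rules before policies and a rule without a `:info`-style log level does not log.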
2003 Sep 30
4
macaddress blacklist problem
...OCOL PORT ~00-04-e2-83-7c-75 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE I even tried cranking up the logging for the blacklist in shorewall.conf [root@fumcbafw shorewall]# grep BLACKLIST shorewall.conf # BLACKLIST LOG LEVEL BLACKLIST_LOGLEVEL=debug # BLACKLIST DISPOSITION BLACKLIST_DISPOSITION=DROP shorewall has been restarted and iptables-save shows the rule [root@fumcbafw shorewall]# grep 'blacklst' /tmp/iptables.save :blacklst - [0:0] [0:0] -A blacklst -m mac --mac-source 00:04:E2:83:7C:75 -j LOG --log-prefix "Shorewall:blacklst:DROP:" --log-level 7 [0...
2002 May 14
3
[Shorewall-users] Redirect loc::80 to fw::3128 not work (fwd)
...DIR="" LOGRATE="1/minute" LOGBURST="5" LOGUNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMSS="Yes" ROUTE_FILTER="Yes" NAT_BEFORE_RULES="Yes" #[/etc/shorewall/start]----------------------------------------------- run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP #[/etc/shorewall/zones]-------------------------...
2006 Aug 29
3
masq problem
...S=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP -- Matej -- ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job...
2007 Nov 10
2
Access Point with Ethernet.
...C=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes DROPINVALID=Yes RFC1918_STRICT=No MACLIST_TTL= BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP /etc/shorewall/start: (not configured) /etc/shorewall/stop (not configured) /etc/shorewall/stopped: (not configured) /etc/shorewall/tcrules: (not configured) /etc/shorewall/tos: (not configured) /etc/shorewall/tunnel: (for defec...
2005 Apr 19
14
allow ssh access from net to fw?
...DING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=yes ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE START: ---------------------------------------------------------------------------- ------------------ run_iptables -I INPUT -i eth0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug run_iptables -I FORWARD -...
2009 Jun 27
1
Transparent Proxy Problem with Squid3 and Shorewall
...G=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No IMPLICIT_CONTINUE=Yes HIGH_ROUTE_MARKS=No USE_ACTIONS=Yes OPTIMIZE=0 EXPORTPARAMS=Yes EXPAND_POLICIES=Yes KEEP_RT_TABLES=No DELETE_THEN_ADD=Yes MULTICAST=No DONT_LOAD= BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE Now, I know that I could set up a wpad mechanism and make automatic configuration of my browsers. However I like the concept of transparent proxying and I'm interested where this problem in switching be...
2013 Jun 13
3
"Multiple Internet Connections" with four interfaces
Hi, I was reading document http://shorewall.net/MultiISP.html#idp3634200. Inspired by the document I was trying to establish the following changes: * one additional interface: COMA_IF * COM[A,B,C]_IF interfaces request IP address via DHCP * all non-RFC 1918 destined traffic is NATed from INT_IF to COMA_IF * all non-RFC 1918 destined traffic from GW is routed via COMB_IF by default * non-RFC 1918
2004 Oct 29
8
No entries in the syslog, even though the LOG chains show counts
...DING=Keep ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=No ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP As you can see I have "info" set for most logging levels. My /etc/syslog.conf contains the following lines (among others of course): *.*;auth,authpriv.none /var/log/syslog kern.* /var/log/kern...
2013 Sep 10
6
lsm configuration issues...
...ROUTE_RFC1918=No OPTIMIZE=0 OPTIMIZE_ACCOUNTING=No REQUIRE_INTERFACE=No RESTORE_DEFAULT_ROUTE=Yes RETAIN_ALIASES=No ROUTE_FILTER=No SAVE_IPSETS=No TC_ENABLED=No TC_EXPERT=No TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2" TRACK_PROVIDERS=No USE_DEFAULT_RT=No USE_PHYSICAL_NAMES=No ZONE2ZONE=2 BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT RELATED_DISPOSITION=ACCEPT SMURF_DISPOSITION=DROP SFILTER_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP TC_BITS= PROVIDER_BITS= PROVIDER_OFFSET= MASK_BITS= ZONE_BITS=0 IPSECFILE=zones ---------------------------------------------------------------------- /etc/shorewal...
2005 Jan 08
8
Shorewall problem, perhaps with PPPoE
I have what strikes me as an odd problem with shorewall. Let me describe my setup. My desktop (alfred) is connected to the network through an ADSL modem. I am running rp-pppoe, and this works perfectly. I have a small home network, with two LANs; an Ethernet LAN (including a machine running Windows XP), and a WiFi LAN, including the laptop (william) I am using now. All the computers except for
2004 Dec 04
7
vpn-zone wide open
...ING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=no TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=Yes CLAMPMSS=No ROUTE_FILTER=No DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP ------------------------------------------------------ Where is the mistake? JN
2003 Mar 23
12
Shorewall 1.4.1
This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer