Shorewall users - Jan 2002 - Blacklisting, Round #2

I''ve done some experimentation with the technique that I proposed
earlier=2E=20
While it certainly works, it exposes a weakness in Shorewall in that zones=20
with a large number of explicitly-specified hosts result in the INPUT,=20
multi2fw and FORWARD chains being very long :-(

While this is a problem that I would like to correct, it probably
won''t=20
happen until 1.3 at the earliest since it will require a fundimental=20
rethinking of the iptables structure. So I''ve relented on the question
of=20
explicit Blacklist support in Shorewall which I prpopse to release as follows:

In /etc/shorewall/shorewall.conf:

=09BLACKLIST_DISPOSITION=3D{DROP|REJECT}

=09Specifies how you want blacklisted hosts treated.

=09BLACKLIST_LOGLEVEL=3D[ <level> ]

=09Specifies the level (if any) that you want blacklisted packets logged at.
=09Beware potential DOS attacks if you set this.

In /etc/shorewall/interfaces=09

=09A new ''blacklist'' option which causes packets arriving on
this interface to
 =09be checked against the black list

/etc/shorewall/blacklist

=09A list of hosts/subnets that you want to black list

Comments?

-Tom
--=20
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------

On Mon, 7 Jan 2002, Tom Eastep wrote:

Hi Tom,
> I''ve done some experimentation with the technique that I proposed
earlier.
> While it certainly works, it exposes a weakness in Shorewall in that zones
> with a large number of explicitly-specified hosts result in the INPUT,
> multi2fw and FORWARD chains being very long :-(
And this is bad? For speed?
> While this is a problem that I would like to correct, it probably
won''t
> happen until 1.3 at the earliest since it will require a fundimental
> rethinking of the iptables structure. So I''ve relented on the
question of
> explicit Blacklist support in Shorewall which I prpopse to release as
follows:
>
> In /etc/shorewall/shorewall.conf:
>
> 	BLACKLIST_DISPOSITION={DROP|REJECT}
>
> 	Specifies how you want blacklisted hosts treated.
>
> 	BLACKLIST_LOGLEVEL=[ <level> ]
>
> 	Specifies the level (if any) that you want blacklisted packets logged at.
> 	Beware potential DOS attacks if you set this.
>
> In /etc/shorewall/interfaces
>
> 	A new ''blacklist'' option which causes packets arriving
on this interface to
>  	be checked against the black list
>
> /etc/shorewall/blacklist
>
> 	A list of hosts/subnets that you want to black list
Am i correct if the blacklisted hosts are now just all on one seperate
chain, and not the INPUT and FORWARD chains anymore?

Bye, Pieter.

-- 
 Pas op de muonen!

On Monday 07 January 2002 11:33 pm, Pieter Ennes wrote:
> > with a large number of explicitly-specified hosts result in
> > the INPUT, multi2fw and FORWARD chains being very long :-(
>
> And this is bad? For speed?
Yes. Plus a lot of traffic that isn''t involved with the internet
interface=20
has to pass through those rules.
>
> Am i correct if the blacklisted hosts are now just all on one seperate
> chain, and not the INPUT and FORWARD chains anymore?
Yes -- here''s what it looks like:

[root@gateway shorewall]# shorewall show INPUT
Shorewall-1.2.1 Chain INPUT at gateway.shorewall.net - Tue Jan  8 06:01:19=20
PST 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              =20
destination
    0     0 logpkt     all  --  eth0   *       0.0.0.0/0           
0.0.0=2E0/0=20
         unclean
20056   13M rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0=2E0/0
20056   13M blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0=2E0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0=2E0/0
    3  1232 ACCEPT     udp  --  eth2   *       0.0.0.0/0           
0.0.0=2E0/0=20
         udp dpts:67:68
    0     0 multi2fw   all  --  ppp+   *       0.0.0.0/0            0.0.0=2E0/0
20053   13M net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0=2E0/0
44348 2461K loc2fw     all  --  eth2   *       192.168.1.0/24       0.0.0=2E0/0
   15  2735 dmz2fw     all  --  eth1   *       0.0.0.0/0            0.0.0=2E0/0
  105  8820 tx2fw      all  --  texas  *       192.168.9.0/24       0.0.0=2E0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0=2E0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0           
0.0.0=2E0/0=20
         LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:''
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0=2E0/0

[root@gateway shorewall]# shorewall show blacklst
Shorewall-1.2.1 Chain blacklst at gateway.shorewall.net - Tue Jan  8 06:01:24=20
PST 2002

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source              =20
destination
    0     0 DROP       all  --  *      *       62.64.157.230        0.0.0=2E0/0
   15   420 DROP       all  --  *      *       206.124.146.174      0.0.0=2E0/0
    0     0 DROP       all  --  *      *       208.13.134.210       0.0.0=2E0/0
    0     0 DROP       all  --  *      *       209.67.231.231       0.0.0=2E0/0
    0     0 DROP       all  --  *      *       213.68.102.251       0.0.0=2E0/0
[root@gateway shorewall]#

There''s a similar entry in the FORWARD chain for eth0 (I won''t
show the whole=20
chain):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              =20
destination
    2   116 logpkt     all  --  eth0   *       0.0.0.0/0           
0.0.0=2E0/0=20
         unclean
62167 5187K rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0=2E0/0
62167 5187K blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0=2E0/0
 7571  580K net2loc    all  --  eth0   eth2    0.0.0.0/0           =20
192.168.1.0/24
=2E..

-Tom
--=20
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------