I've done some experimentation with the technique that I proposed earlier.
While it certainly works, it exposes a weakness in Shorewall in that zones
with a large number of explicitly-specified hosts result in the INPUT,
multi2fw and FORWARD chains being very long :-(

While this is a problem that I would like to correct, it probably won't
happen until 1.3 at the earliest since it will require a fundamental
rethinking of the iptables structure. So I've relented on the question of
explicit Blacklist support in Shorewall which I propose to release as follows:

In /etc/shorewall/shorewall.conf:

    BLACKLIST_DISPOSITION={DROP|REJECT}

    Specifies how you want blacklisted hosts treated.

    BLACKLIST_LOGLEVEL=[ <level> ]

    Specifies the level (if any) that you want blacklisted packets logged at.
    Beware potential DOS attacks if you set this.

In /etc/shorewall/interfaces

    A new 'blacklist' option which causes packets arriving on this interface to
    be checked against the black list

/etc/shorewall/blacklist

    A list of hosts/subnets that you want to black list

Comments?

-Tom
--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net

-------------------------------------------
On Mon, 7 Jan 2002, Tom Eastep wrote:

Hi Tom,

> I've done some experimentation with the technique that I proposed earlier.
> While it certainly works, it exposes a weakness in Shorewall in that zones
> with a large number of explicitly-specified hosts result in the INPUT,
> multi2fw and FORWARD chains being very long :-(

And this is bad? For speed?

> While this is a problem that I would like to correct, it probably won't
> happen until 1.3 at the earliest since it will require a fundamental
> rethinking of the iptables structure. So I've relented on the question of
> explicit Blacklist support in Shorewall which I propose to release as follows:
>
> In /etc/shorewall/shorewall.conf:
>
>     BLACKLIST_DISPOSITION={DROP|REJECT}
>
>     Specifies how you want blacklisted hosts treated.
>
>     BLACKLIST_LOGLEVEL=[ <level> ]
>
>     Specifies the level (if any) that you want blacklisted packets logged at.
>     Beware potential DOS attacks if you set this.
>
> In /etc/shorewall/interfaces
>
>     A new 'blacklist' option which causes packets arriving on this interface to
>     be checked against the black list
>
> /etc/shorewall/blacklist
>
>     A list of hosts/subnets that you want to black list

Am I correct if the blacklisted hosts are now just all on one separate chain, and not the INPUT and FORWARD chains anymore?

Bye,
Pieter.

--
Watch out for the muons!

-------------------------------------------
On Monday 07 January 2002 11:33 pm, Pieter Ennes wrote:

> > with a large number of explicitly-specified hosts result in
> > the INPUT, multi2fw and FORWARD chains being very long :-(
>
> And this is bad? For speed?

Yes. Plus a lot of traffic that isn't involved with the internet interface
has to pass through those rules.

>
> Am I correct if the blacklisted hosts are now just all on one separate
> chain, and not the INPUT and FORWARD chains anymore?

Yes -- here's what it looks like:

[root@gateway shorewall]# shorewall show INPUT
Shorewall-1.2.1 Chain INPUT at gateway.shorewall.net - Tue Jan 8 06:01:19 PST 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logpkt     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean
20056   13M rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
20056   13M blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3  1232 ACCEPT     udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
    0     0 multi2fw   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
20053   13M net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
44348 2461K loc2fw     all  --  eth2   *       192.168.1.0/24       0.0.0.0/0
   15  2735 dmz2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  105  8820 tx2fw      all  --  texas  *       192.168.9.0/24       0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

[root@gateway shorewall]# shorewall show blacklst
Shorewall-1.2.1 Chain blacklst at gateway.shorewall.net - Tue Jan 8 06:01:24 PST 2002

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       62.64.157.230        0.0.0.0/0
   15   420 DROP       all  --  *      *       206.124.146.174      0.0.0.0/0
    0     0 DROP       all  --  *      *       208.13.134.210       0.0.0.0/0
    0     0 DROP       all  --  *      *       209.67.231.231       0.0.0.0/0
    0     0 DROP       all  --  *      *       213.68.102.251       0.0.0.0/0
[root@gateway shorewall]#

There's a similar entry in the FORWARD chain for eth0 (I won't show the whole
chain):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   116 logpkt     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean
62167 5187K rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
62167 5187K blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 7571  580K net2loc    all  --  eth0   eth2    0.0.0.0/0            192.168.1.0/24
...

-Tom
--
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net

-------------------------------------------
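The three configuration pieces proposed in the first message and the single shared blacklst chain shown above, as an added example that is not Shorewall's own code: a POSIX shell function that turns constructed shorewall.conf, interfaces and blacklist contents into the iptables commands that build the chain and jump to it only from interfaces carrying the 'blacklist' option. The rate limit on the LOG rule and the log-prefix text are this example's assumptions, not part of the proposal.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: emit the iptables commands that
# build one shared 'blacklst' chain and hook it into INPUT and FORWARD for
# each interface flagged 'blacklist'. Commands are printed, not executed.

# Constructed stand-ins for the proposed shorewall.conf settings.
BLACKLIST_DISPOSITION=DROP        # DROP or REJECT
BLACKLIST_LOGLEVEL=info           # empty means "do not log"

# Constructed /etc/shorewall/blacklist contents ('#' starts a comment).
BLACKLIST_FILE='# hosts/subnets to black list
192.0.2.10
198.51.100.0/24    # a whole subnet
'

# Constructed /etc/shorewall/interfaces lines: "<interface> <options>".
INTERFACES_FILE='eth0 norfc1918,blacklist
eth2 dhcp
'

# gen_blacklist_rules [disposition] [loglevel]: print the iptables commands.
gen_blacklist_rules() {
    disp=${1:-$BLACKLIST_DISPOSITION}
    level=${2-$BLACKLIST_LOGLEVEL}
    case $disp in
        DROP|REJECT) ;;
        *) echo "bad BLACKLIST_DISPOSITION: $disp" >&2; return 1 ;;
    esac
    echo "iptables -N blacklst"
    # One entry per blacklisted address. The chain is built once, so adding
    # hosts lengthens only blacklst, not INPUT or FORWARD.
    printf '%s\n' "$BLACKLIST_FILE" | sed 's/#.*//' | while read -r addr _; do
        [ -n "$addr" ] || continue
        if [ -n "$level" ]; then
            # Rate-limit the LOG rule (assumed addition) so a flood of
            # blacklisted packets cannot fill the logs, the DoS the thread warns about.
            echo "iptables -A blacklst -s $addr -m limit --limit 10/minute" \
                 "-j LOG --log-level $level --log-prefix Shorewall:blacklst:$disp:"
        fi
        echo "iptables -A blacklst -s $addr -j $disp"
    done
    # Only interfaces flagged 'blacklist' are checked against the chain.
    printf '%s\n' "$INTERFACES_FILE" | while read -r iface opts; do
        case ",$opts," in
            *,blacklist,*)
                echo "iptables -A INPUT   -i $iface -j blacklst"
                echo "iptables -A FORWARD -i $iface -j blacklst" ;;
        esac
    done
}

gen_blacklist_rules
```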