Hello, I'm a very happy user of Shorewall but I have found a problem, or maybe a misconfiguration I made, which I cannot resolve. I use a fairly large blacklist based on probes, Nimda & CodeRed attacks, proxy & relay probes etc. The only problem is that I want to block incoming traffic on all ports FROM a block, but it also blocks httpd, ping etc. TO an IP in a block, which I do not want.

For example, today I got a CodeRed probe on my Apache server from an infected Korean IT consultancy agency (duh!):

  152.149.234.33 - - [08/Jan/2003:17:23:24 +0100] "GET /default.ida?NNNNNNNNNN

On http://logi.cc/nw/NetCalc.php3 I calculate the IP netblock from a whois and put it in /etc/shorewall/blacklist with a little information:

  # inetnum: 152.149.0.0 - 152.149.255.255
  # netname: DAEWOO-KR
  # descr: Daewoo Information Systems Co., Ltd.
  # descr: ADMIN : CodeRed infected, and you are providing IT professionals?
  # country: KR
  152.149.0.0/16

But in the same block is a website I cannot look at? My full blacklist is available at http://www.bromberg.demon.nl/iisbug/blacklist

I do not do IP addresses because of dial-up pools, some too friendly ISPs and countries where IT technology is not just for geeks but seems available for everyone..

/etc/shorewall/interfaces
--------------
  net eth0 62.163.xx.255 blacklist
  loc eth1 10.10.10.255

Groetjes / greetings
J.M. Althoff
--
email : m.althoff@althoffcentral.com / scouty@bromberg.demon.nl
althoffcentral : http://www.althoffcentral.com / scouting : http://www.cycloongroep.nl
On 8 Jan 2003 at 23:12, J.M. Althoff wrote:

> But in the same block is a website I cannot look at? My full
> blacklist is available at http://www.bromberg.demon.nl/iisbug/blacklist
> I do not do IP addresses because of dial-up pools, some too friendly
> ISPs and countries where IT technology is not just for geeks but
> seems available for everyone..

Blacklist means blacklist, and nothing is allowed to arrive from a blacklisted IP range. If you want to visit some sites in the block, the best solution is to split your blacklist entry into two blocks on either side of the desirable IP address(es). I wish it were possible to blacklist by protocol but as of now it's not. After Tom has some rest we might suggest it as an addition.

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Martinez, Mike (MHS-ACS)
2003-Jan-08 15:00 UTC
[Shorewall-users] Shorewall blacklist does all
FYI

Shorewall does support blacklisting by protocol.....

From: http://www.shorewall.net/blacklisting_support.htm

"Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service names in the blacklist file."

and from: http://www.shorewall.net/Documentation.htm#Blacklist

"Beginning with Shorewall 1.3.8, the blacklist file has three columns:"

ADDRESS/SUBNET - As described above.

PROTOCOL - Optional. If specified, only packets specifying this protocol will be blocked.

PORTS - Optional; may only be given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated list of port numbers or service names (from /etc/services). If present, only packets destined for the specified protocol and one of the listed ports are blocked. When the PROTOCOL is icmp, the PORTS column contains a comma-separated list of ICMP type numbers or names (see "iptables -h icmp").

Mike

-----Original Message-----
From: John S. Andersen [mailto:jsa@norcomix.dyndns.org]
Sent: Wednesday, January 08, 2003 4:52 PM
To: J.M. Althoff; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Shorewall blacklist does all

> Blacklist means blacklist, and nothing is allowed to arrive from a
> blacklisted IP range. If you want to visit some sites in the block, the
> best solution is to split your blacklist entry into two blocks on either
> side of the desirable IP address(es). I wish it were possible to
> blacklist by protocol but as of now it's not.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://mail.shorewall.net/mailman/listinfo/shorewall-users
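As an added illustration of the column semantics Mike quotes above (this is not code from the thread or from Shorewall itself), here is a small Python model of the three-column blacklist file. It shows why the original poster's bare 152.149.0.0/16 entry also drops replies from a web server inside that block, while the same netblock restricted to tcp and the web ports drops only the probes. The service-name table, the packet addresses and the port numbers are constructed; ICMP types are given numerically.

```python
import ipaddress

# Added model of the three-column /etc/shorewall/blacklist format quoted above
# (Shorewall 1.3.8+: ADDRESS/SUBNET, optional PROTOCOL, optional PORTS); not Shorewall code.
SERVICES = {"http": 80, "https": 443, "ssh": 22, "smtp": 25}  # constructed /etc/services stand-in

def parse_blacklist(text):
    """Return (network, protocol-or-None, port-set-or-None) tuples, one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' comments and blank lines are ignored
        if not line:
            continue
        cols = line.split()
        net = ipaddress.ip_network(cols[0], strict=False)
        proto = cols[1].lower() if len(cols) > 1 else None
        ports = None
        if len(cols) > 2:
            if proto not in ("tcp", "udp", "icmp"):   # PORTS is only valid for these
                raise ValueError(f"PORTS not allowed for protocol {proto!r}: {raw}")
            ports = {int(SERVICES.get(p, p)) for p in cols[2].split(",")}
        entries.append((net, proto, ports))
    return entries

def is_blacklisted(entries, src, proto, dport):
    """True if a packet from src with this protocol and destination port/ICMP type is dropped."""
    addr = ipaddress.ip_address(src)
    for net, e_proto, e_ports in entries:
        if addr not in net:
            continue
        if e_proto is None:            # bare subnet: every packet from the range is blocked
            return True
        if proto == e_proto and (e_ports is None or dport in e_ports):
            return True
    return False

# Constructed packets, all arriving on eth0 from the poster's blacklisted 152.149.0.0/16:
PACKETS = {
    "probe": ("152.149.234.33", "tcp", 80),        # CodeRed-style GET against our httpd
    "web_reply": ("152.149.10.20", "tcp", 51234),  # a web server in the block answering our browser
    "ping_reply": ("152.149.10.20", "icmp", 0),    # echo-reply (type 0) to our ping
}
BLACKLIST_BARE = "152.149.0.0/16\n"                   # the entry from the original post
BLACKLIST_NARROW = "152.149.0.0/16  tcp  http,443\n"  # same block, but only packets to our web ports

def evaluate(blacklist_text):
    """Map each constructed packet to whether the given blacklist text would drop it."""
    entries = parse_blacklist(blacklist_text)
    return {name: is_blacklisted(entries, *pkt) for name, pkt in PACKETS.items()}
```

Running evaluate() on both blacklists shows the bare entry dropping all three packets and the narrowed entry dropping only the probe, which is the difference between "block this netblock" and "block this netblock's probes at my web ports".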
Drat, late to class again!!! ;-) This package is always one step ahead of me. I'm running version 1.3.10 but I totally missed that addition in 1.3.8. I've got most of Korea blacklisted due to spammers. (Spam I can read is bad enough, but spam I can't even display is totally pointless.)

On 8 Jan 2003 at 17:01, Martinez, Mike (MHS-ACS) wrote:

> FYI
>
> Shorewall does support blacklisting by protocol.....
>
> From: http://www.shorewall.net/blacklisting_support.htm
> "Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
> Port numbers/Service names in the blacklist file."

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386