Hi!

I'm running a firewall with a rather large blacklist. My problem is that when I do some changes, or for some other reason have to restart Shorewall, it takes ages. Waiting 15-20 mins for the firewall to start letting through packets again is causing some problems. So what I would like to see is the ability for Shorewall to load the blacklist after everything else. I can live with letting blacklisted machines through during the 20 minutes it takes for the list to load. I realise that some people probably want the original behaviour, so this would be best as a configurable option.

I also looked through the archives for discussions about host groups. This is a feature I'd very much like to see in future versions of Shorewall. I know you can get a similar effect with host zones, but groups would give much cleaner and more readable configurations. Groups are something that is present in many other firewalls, so it is a concept people are used to and, to some extent, expect to be present. Is this on the todo list or have you decided against it?

Regards
Pierre Ossman
Pierre Ossman wrote:
> Hi!
>
> I'm running a firewall with a rather large blacklist. My problem is that when I do some changes, or for some other reason have to restart Shorewall, it takes ages. Waiting 15-20 mins for the firewall to start letting through packets again is causing some problems. So what I would like to see is the ability for Shorewall to load the blacklist after everything else. I can live with letting blacklisted machines through during the 20 minutes it takes for the list to load. I realise that some people probably want the original behaviour, so this would be best as a configurable option.

Maybe I'm misunderstanding your post (at least your reason for issuing a restart), but if you are _only_ making changes to your blacklist file, then run "shorewall refresh" instead of "shorewall restart".

Steve Cowles
Cowles, Steve wrote:
> Pierre Ossman wrote:
>
>> Hi!
>>
>> I'm running a firewall with a rather large blacklist. My problem is that when I do some changes, or for some other reason have to restart Shorewall, it takes ages. Waiting 15-20 mins for the firewall to start letting through packets again is causing some problems. So what I would like to see is the ability for Shorewall to load the blacklist after everything else. I can live with letting blacklisted machines through during the 20 minutes it takes for the list to load. I realise that some people probably want the original behaviour, so this would be best as a configurable option.
>
> Maybe I'm misunderstanding your post (at least your reason for issuing a restart), but if you are _only_ making changes to your blacklist file, then run "shorewall refresh" instead of "shorewall restart".

Pierre:

I don't know what you are trying to accomplish with this black list but I would certainly re-evaluate your need. It is my personal opinion that such large black lists are unusable. In addition to the load time (20 minutes !!!???), any legitimate incoming connection has to be tested sequentially against every black list entry (and that's if you have optimized using BLACKLISTNEWONLY=Yes in shorewall.conf; otherwise, every incoming PACKET has to run this gauntlet).

The iptables/Netfilter tools available in current kernels from kernel.org simply do not permit efficient checking against large sets of addresses. As a consequence, I'm not adding any features to Shorewall that encourage users to create and use huge black lists.
If you still wish to continue under the burden of your giant black list, what you asked can be accomplished by:

a) Including an empty blacklist file in /etc/shorewall
b) Having your real blacklist file in /etc/blacklist/blacklist
c) Placing the following commands in /etc/shorewall/start

    SHOREWALL_DIR=/etc/blacklist
    blacklist_refresh

If you update the blacklist and want to reload it, just enter this command:

    shorewall -c /etc/blacklist refresh

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
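The cost model behind Tom's objection, as an added example that is not part of the thread or of Shorewall itself: a blacklist rendered as one rule per entry means every legitimate new connection (or every packet, without BLACKLISTNEWONLY=Yes) is compared against every entry until the end of the chain, while a match keyed on the address prefix (the kind of "address pool" lookup that set-based netfilter matches later provided) costs one hash probe per distinct prefix length in the list, regardless of how many entries it holds. The blacklist contents below are constructed, and the comparison counters are a stand-in for rule evaluations, not a measurement of any kernel.

```python
"""Added example: linear per-rule blacklist matching vs. prefix-set matching.

Not Shorewall code. The sample blacklist is constructed (RFC 1918 and
TEST-NET addresses), and `comparisons` models how many rule/table checks
a single incoming address triggers.
"""
import ipaddress


def parse_blacklist(text):
    """Parse a Shorewall-style blacklist file: one IPv4 address or CIDR per
    line, '#' starts a comment, blank lines are ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


class LinearBlacklist:
    """Model of a chain with one rule per entry: a miss walks the whole chain."""

    def __init__(self, nets):
        self.nets = list(nets)
        self.comparisons = 0

    def match(self, addr):
        ip = ipaddress.IPv4Address(addr)
        for net in self.nets:
            self.comparisons += 1  # one rule evaluated
            if ip in net:
                return True
        return False


class PrefixSetBlacklist:
    """Model of a set-based match: one hash table per prefix length present in
    the list, so a lookup costs one probe per distinct prefix length."""

    def __init__(self, nets):
        self.by_len = {}
        for net in nets:
            self.by_len.setdefault(net.prefixlen, set()).add(int(net.network_address))
        self.comparisons = 0

    def match(self, addr):
        ip = int(ipaddress.IPv4Address(addr))
        for plen in sorted(self.by_len, reverse=True):  # longest prefix first
            self.comparisons += 1  # one hash probe
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (ip & mask) in self.by_len[plen]:
                return True
        return False


def build_sample_blacklist(n):
    """Constructed blacklist of n entries in 10.0.0.0/8: even entries are
    single hosts (/32), odd entries are whole /24 networks."""
    lines = []
    for i in range(n):
        second, third = (i >> 8) & 0xFF, i & 0xFF
        if i % 2 == 0:
            lines.append(f"10.{second}.{third}.7/32")
        else:
            lines.append(f"10.{second}.{third}.0/24")
    return parse_blacklist("\n".join(lines))


def compare(n_entries, probe):
    """Run one address through both models and report hit/miss plus the
    number of checks each model needed."""
    nets = build_sample_blacklist(n_entries)
    linear, pset = LinearBlacklist(nets), PrefixSetBlacklist(nets)
    return {
        "linear_hit": linear.match(probe),
        "linear_comparisons": linear.comparisons,
        "set_hit": pset.match(probe),
        "set_comparisons": pset.comparisons,
    }


if __name__ == "__main__":
    # A legitimate (non-listed) client is the worst case for the linear chain.
    print(compare(5000, "192.0.2.10"))   # linear: 5000 checks, set: 2 probes
    print(compare(5000, "10.0.2.7"))     # listed host: both hit early
```

The miss case is the one Tom describes: a legitimate connection pays for the whole chain on every new connection, and for every packet when BLACKLISTNEWONLY is not set. The set-based model pays the same two probes whether the list has 50 entries or 50,000, which is why address-pool matching, rather than a longer rule chain, is the fix for lists of this size.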
Tom Eastep wrote:
>
> Pierre:
>
> I don't know what you are trying to accomplish with this black list but I would certainly re-evaluate your need. It is my personal opinion that such large black lists are unusable. In addition to the load time (20 minutes !!!???), any legitimate incoming connection has to be tested sequentially against every black list entry (and that's if you have optimized using BLACKLISTNEWONLY=Yes in shorewall.conf; otherwise, every incoming PACKET has to run this gauntlet).
>
> The iptables/Netfilter tools available in current kernels from kernel.org simply do not permit efficient checking against large sets of addresses. As a consequence, I'm not adding any features to Shorewall that encourage users to create and use huge black lists.
>
> If you still wish to continue under the burden of your giant black list, what you asked can be accomplished by:
>
> a) Including an empty blacklist file in /etc/shorewall
> b) Having your real blacklist file in /etc/blacklist/blacklist
> c) Placing the following commands in /etc/shorewall/start
>
>     SHOREWALL_DIR=/etc/blacklist
>     blacklist_refresh
>
> If you update the blacklist and want to reload it, just enter this command:
>
>     shorewall -c /etc/blacklist refresh
>
> -Tom

Thanks for the tips. I'm not too happy about the amount of rules either, but I have yet to find a solution that is as effective (I'm using the rules to block adware/spyware, people disrupting p2p networks, etc.).

BLACKLISTNEWONLY=Yes is a must. The firewall totally collapses under the load otherwise. It would be nice to see Shorewall check new connections with either source or destination in the black list, since that should block most of the junk without too heavy load.

As for the problems with netfilter, do you know if there is any work going on to make the kernel more effective?

rgds
Pierre
Pierre Ossman wrote:
>
> Thanks for the tips. I'm not too happy about the amount of rules either, but I have yet to find a solution that is as effective (I'm using the rules to block adware/spyware, people disrupting p2p networks, etc.).

Have you considered proxying all internet access?

> It would be nice to see Shorewall check new connections with either source or destination in the black list, since that should block most of the junk without too heavy load.

One of the nice features of open source software is that if it doesn't work exactly as you would like, you have the source and can easily change the code to do what you want.

> As for the problems with netfilter, do you know if there is any work going on to make the kernel more effective?

There are a couple of address-pool based solutions in the works but neither has made it into the standard kernels yet.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net