Hello,

Pardon me if this turns out to be a stupid question. I have an IP address blacklisted in /etc/shorewall/blacklist. I have BLACKLIST_LOGLEVEL not set in /etc/shorewall/shorewall.conf, but I can still see the packages coming from the blacklisted IP logged in /var/log/messages when I do 'tail -f /var/log/messages'. Is there someplace else I should check?

Thanks.
RDB
--
Reuben D. Budiardja
Dept. Physics and Astronomy
University of Tennessee, Knoxville, TN
Reuben D. Budiardja wrote:
> Hello,
> Pardon me if this turns out to be a stupid question.
> I have an IP address blacklisted in /etc/shorewall/blacklist. I have
> BLACKLIST_LOGLEVEL not set in /etc/shorewall/shorewall.conf, but I can still
> see the packages coming from the blacklisted IP logged in /var/log/messages
> when I do 'tail -f /var/log/messages'.

Please:

a) Show us one of these messages.
b) forward the output of "shorewall show blacklst"

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 12 October 2004 10:01, Tom Eastep wrote:
> Please:

Hm... it seems that there's more of a problem. Apparently the address listed in my /etc/shorewall/blacklist somehow is still not blacklisted. As a test, I put the address of my other workstation there, and doing nmap I can still see which ports are open on the machine w/ shorewall installed. Here is my blacklist file (anticipating that the list may not accept attachment):

http://voyager.phys.utk.edu/tmp/shorewal_blacklist.txt

> a) Show us one of these messages.

Oct 12 10:09:40 pathfinder kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0d:61:5e:22:38:00:d0:79:91:27:fc:08:00 SRC=160.36.188.135 DST=160.36.28.83 LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=60788 DF PROTO=TCP SPT=36096 DPT=32441 WINDOW=24820 RES=0x00 SYN URGP=0

> b) forward the output of "shorewall show blacklst".
                                            ^^^^^^
is that a typo? anyway, :

#> shorewall show blacklist
Shorewall-2.0.3 Chain blacklist at pathfinder.phys.utk.edu - Tue Oct 12 10:14:43 EDT 2004

Counters reset Tue Oct 12 10:06:20 EDT 2004

iptables: Table does not exist (do you need to insmod?)

#> shorewall show blacklst
Shorewall-2.0.3 Chain blacklst at pathfinder.phys.utk.edu - Tue Oct 12 10:14:53 EDT 2004

Counters reset Tue Oct 12 10:06:20 EDT 2004

iptables: Table does not exist (do you need to insmod?)

And my shorewall version:

]# rpm -q shorewall
shorewall-2.0.3-1

Thanks for the help.
RDB
--
Reuben D. Budiardja
Dept. Physics and Astronomy
University of Tennessee, Knoxville, TN
Reuben D. Budiardja wrote:
> > a) Show us one of these messages.
>
> Oct 12 10:09:40 pathfinder kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0d:61:5e:22:38:00:d0:79:91:27:fc:08:00 SRC=160.36.188.135 DST=160.36.28.83 LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=60788 DF PROTO=TCP SPT=36096 DPT=32441 WINDOW=24820 RES=0x00 SYN URGP=0

That's not being logged because of blacklisting -- it is being logged because the packet is being dropped by the 'net->all DROP' policy (see Shorewall FAQ 17).

> > b) forward the output of "shorewall show blacklst"
>                                             ^^^^^^
> is that a typo? anyway, :

No, that was NOT a typo.

> #> shorewall show blacklist
> Shorewall-2.0.3 Chain blacklist at pathfinder.phys.utk.edu - Tue Oct 12 10:14:43 EDT 2004
>
> Counters reset Tue Oct 12 10:06:20 EDT 2004
>
> iptables: Table does not exist (do you need to insmod?)
>
> #> shorewall show blacklst
> Shorewall-2.0.3 Chain blacklst at pathfinder.phys.utk.edu - Tue Oct 12 10:14:53 EDT 2004
>
> Counters reset Tue Oct 12 10:06:20 EDT 2004
>
> iptables: Table does not exist (do you need to insmod?)

Now set the 'blacklist' option on your external interface (eth0) in /etc/shorewall/interfaces and restart Shorewall -- it will work much better.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
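The diagnostic point in Tom's reply is that the chain name in the kernel log prefix (`Shorewall:net2all:DROP:`) tells you which rule set actually dropped the packet: a policy chain such as net2all means the blacklist never saw it. The following is an added example, not code from this thread or from the Shorewall project, that parses lines of the format posted above and reports blacklisted sources that are still being dropped by a policy chain instead of the blacklist chain. It assumes the log prefix shape `Shorewall:<chain>:<disposition>:` seen in the posted line and the chain name `blacklst` from the `shorewall show blacklst` command Tom asked for; the second and third sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the line posted in the thread; line 2 is a
# constructed line of the shape a drop in the Shorewall 2.x "blacklst" chain
# would produce (assumed, not copied from a real system); line 3 is an
# unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
Oct 12 10:09:40 pathfinder kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0d:61:5e:22:38:00:d0:79:91:27:fc:08:00 SRC=160.36.188.135 DST=160.36.28.83 LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=60788 DF PROTO=TCP SPT=36096 DPT=32441 WINDOW=24820 RES=0x00 SYN URGP=0
Oct 12 10:09:41 pathfinder kernel: Shorewall:blacklst:DROP:IN=eth0 OUT= MAC=00:0d:61:5e:22:38:00:d0:79:91:27:fc:08:00 SRC=192.0.2.10 DST=160.36.28.83 LEN=48 TOS=0x00 PREC=0x00 TTL=62 ID=60789 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=24820 RES=0x00 SYN URGP=0
Oct 12 10:09:42 pathfinder sshd[1234]: Accepted publickey for rdb from 160.36.28.1 port 50000 ssh2
"""

# Name of the chain that the 'blacklist' interface option feeds (from the
# thread's "shorewall show blacklst" output).
BLACKLIST_CHAIN = "blacklst"

# "Shorewall:<chain>:<disposition>:<netfilter key=value fields>"
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
# Netfilter fields are KEY=VALUE; bare flags such as DF or SYN carry no '='
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_line(line):
    """Return a dict for a Shorewall kernel log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(log_text):
    """Count log entries per (chain, disposition, source) so it is obvious
    which chain is acting on each source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec is not None:
            counts[(rec["chain"], rec["disposition"], rec["src"])] += 1
    return counts


def not_caught_by_blacklist(log_text, blacklisted):
    """Return the blacklisted source addresses whose packets were logged by a
    chain other than the blacklist chain. A non-empty result means the
    blacklist is not taking effect for those sources (as in the thread, where
    the 'blacklist' interface option had not been set)."""
    leaked = set()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec and rec["src"] in blacklisted and rec["chain"] != BLACKLIST_CHAIN:
            leaked.add(rec["src"])
    return leaked


if __name__ == "__main__":
    # Constructed blacklist contents for the demo: the thread's source address
    # plus the constructed one that the blacklst chain does catch.
    blacklist = {"160.36.188.135", "192.0.2.10"}
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("chain=%-8s %-5s src=%-15s count=%d" % (key[0], key[1], key[2], n))
    for src in sorted(not_caught_by_blacklist(SAMPLE_LOG, blacklist)):
        print("WARNING: %s is blacklisted but was dropped by a policy chain" % src)
```

Run against a real /var/log/messages, the warning lines are the ones to act on: a blacklisted address showing up under net2all (or any other policy chain) means the packets are reaching the policy, which is exactly the symptom in this thread.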
On Tuesday 12 October 2004 10:23, Tom Eastep wrote:
> Reuben D. Budiardja wrote:
> > > a) Show us one of these messages.
>
> That's not being logged because of blacklisting -- it is being logged
> because the packet is being dropped by the 'net->all DROP' policy (see
> Shorewall FAQ 17).

I know that it's logged because of that policy. I wanted to avoid the 'logging'; that's why I put it in the blacklist file. I thought that should 'overwrite' the logging conf. for the policy; maybe I misunderstood.

> Now set the 'blacklist' option on your external interface (eth0) in
> /etc/shorewall/interfaces and restart Shorewall -- it will work much
> better.

Ah yes. This is what I want. Thanks a lot.

RDB
--
Reuben D. Budiardja
Dept. Physics and Astronomy
University of Tennessee, Knoxville, TN