I have read an interesting solution to apply a drop list from spamcop.

See: http://www.cyberciti.biz/tips/block-spamming-scanning-with-iptables.html

I understand that I can run 'shorewall drop' for each listed ip/network...

... or I can create a formatted file that can be included at params configuration and then dropped with two rules (like the script).

Do you see another way to do this log+drop from the spamcop list that would be at the shorewall's way?

Regards,
Rodolfo

I am doing something similar (wrote my own Perl daemon) going through the ulog-mysql output of the shorewall logs. This one will then add dynamically all IP's using /sbin/shorewall drop <IP> when it comes in.

I can send you the script if you want to have a look at it. Should be possible to adapt it.

Maybe I'll do something like that in the future - as soon as I fixed my firewall ;) Messed with some libraries - openssl does not work anymore (openvpn).

Rodolfo Pilas wrote:
> I have read an interesting solution to apply a drop list from spamcop.
>
> See:
> http://www.cyberciti.biz/tips/block-spamming-scanning-with-iptables.html
>
> I understand that I can run 'shorewall drop' for each listed ip/network...
>
> ... or I can create a formatted file that can be included at params
> configuration and then dropped with two rules (like the script).
>
> Do you see another way to do this log+drop from the spamcop list that
> would be at the shorewall's way?
>
> Regards,
> Rodolfo
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Joerg Mertin : smurphy@solsys.org (Home)
in Forchheim/Germany : smurphy@linux.de (Alt1)
Stardust's LiNUX System
Web: http://www.solsys.org
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

You might want to have a look at these packages too, they can do similar things I believe. I haven't had the time to give them a try yet, unfortunately.

Ossec
http://www.ossec.net/

BlockHosts
http://www.aczoom.com/cms/blockhosts

Cheers,
Sander

On Wed, Oct 24, 2007 at 07:52:00AM -0200, Rodolfo Pilas wrote:
> Do you see another way to do this log+drop from the spamcop list that
> would be at the shorewall's way?

I would strongly recommend doing this with the routing table (insert a null route for each entry), not with shorewall/iptables. Netfilter is extremely slow compared to routing, when large numbers of host masks are involved.

Andrew Suffield wrote:
> On Wed, Oct 24, 2007 at 07:52:00AM -0200, Rodolfo Pilas wrote:
>> Do you see another way to do this log+drop from the spamcop list that
>> would be at the shorewall's way?
>
> I would strongly recommend doing this with the routing table (insert a
> null route for each entry), not with shorewall/iptables. Netfilter is
> extremely slow compared to routing, when large numbers of host masks
> are involved.

I did that already in the beginning ...
However - the boot process took quite long to enter 2000 reject-routes (that is what you mean - no?)

add route host xxx.xxx.xxx.xxx reject

while with the shorewall stuff - I use a delayed inserting after boot up. I admit - it takes 5 Minutes for the 2 minutes - however it enables me to use the network right after boot-up.

Cheers
Joerg

On 10/24/07, Joerg Mertin <smurphy@solsys.org> wrote:
> I did that already in the beginning ...
> However - the boot process took quite long to enter 2000 reject-routes
> (that is what you mean - no?)
> add route host xxx.xxx.xxx.xxx reject

If you have the ability to recompile the kernel I do believe that IPsets are the solution you require. They're fast to insert, fast to scan through. And shorewall supports IPsets well.

Prasanna
--
www.elinanetworks.com
Seamless, secure delivery of applications.
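
An added example, not part of the original thread or of Shorewall: one way to prepare a drop list for the ipset approach suggested above is to validate every entry and emit an `ipset restore` batch that fills a scratch set and swaps it in. The set name `blocklist`, the helper names and the sample entries are assumptions, and the batch uses the current `hash:net` set type rather than the ipset syntax of 2007.

```shell
# Added example; set name and sample entries are constructed for illustration.

# is_ipv4_net ENTRY: succeed only for a.b.c.d or a.b.c.d/len with valid ranges.
is_ipv4_net() {
    entry=$1; addr=${entry%%/*}; len=32
    case $entry in */*) len=${entry#*/} ;; esac
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    # /0 is refused: hash:net cannot store it and it would match everything
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr    # split into octets; only digits and dots remain here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_restore SET < list: print an `ipset restore` batch that fills a scratch
# set and swaps it into SET, so the live set is never left half loaded.
gen_restore() {
    live=$1; scratch="$1-new"
    printf 'create %s hash:net family inet\n' "$live" "$scratch"
    echo "flush $scratch"
    # strip comments (# or ;), whitespace and blank lines, then de-duplicate
    sed -e 's/[#;].*//' -e 's/[[:space:]]//g' -e '/^$/d' | sort -u |
    while IFS= read -r entry; do
        if is_ipv4_net "$entry"; then
            echo "add $scratch $entry"
        else
            echo "skipped invalid entry: $entry" >&2
        fi
    done
    printf 'swap %s %s\ndestroy %s\n' "$scratch" "$live" "$scratch"
}

# Constructed drop list using documentation address ranges.
sample_list() {
    cat <<'EOF'
# comment line
192.0.2.0/24 ; trailing comment
198.51.100.7
198.51.100.7
203.0.113.0/25
300.1.1.1
10.0.0.1/33
EOF
}

sample_list | gen_restore blocklist
```

Pipe the batch into `ipset -exist restore` so the `create` lines do not fail when the sets already exist; a later refresh of the list then replaces the whole set with one swap instead of thousands of individual rule or route insertions.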