Hi there,

Is it possible to blacklist an ip but only for a specific port?

shorewall drop <ip> <port> that is?

Br
Robert Lindgren

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Robert Lindgren wrote:
> Is it possible to blacklist an ip but only for a specific port?
> shorewall drop <ip> <port> that is?

No.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 3/22/08, Tom Eastep <teastep@shorewall.net> wrote:
> Robert Lindgren wrote:
>
> > Is it possible to blacklist an ip but only for a specific port?
> > shorewall drop <ip> <port> that is?
>
> No.
>
> -Tom

Thanks Tom,

Are there any plans to add such a feature? The reason for such a feature is that I want to block a specific IP from a specific port, let's say 22 since there has been abuse on that port, with something like fail2ban, but I still want clients from that IP to be able to access for example port 80.

Not sure if this is possible with the static blacklist, since it probably sets up a blacklist table for blacklist and then I can add to that list with iptables commands.

Well anyway it would be handy to have the option to only block a specific port in the dynamic blacklist.

BR
Robert

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Robert Lindgren wrote:
> Thanks Tom,
>
> Are there any plans adding such a feature?

No.

> The reason for such a
> feature is that I want to block a specific ip from a specific port,
> lets say 22 since there has been abuse on that port, with something
> like fail2ban, but I still want clients from that IP to be able to
> access for example port 80.
>
> Not sure if this is possible with the static blacklist, since it
> problable sets up a blacklist table for blacklist and then I can add
> to that list with iptables commands.

It is very possible with a blacklist based on ipsets. There are examples in the documentation. Unfortunately, ipsets still require kernel patching but they are by far the best mechanism available for maintaining large and/or dynamic sets of IP addresses and/or IP-Address/port pairs.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Robert Lindgren wrote:
>Are there any plans adding such a feature? The reason for such a
>feature is that I want to block a specific ip from a specific port,
>lets say 22 since there has been abuse on that port, with something
>like fail2ban, but I still want clients from that IP to be able to
>access for example port 80.

I'm fairly certain fail2ban will do that if you configure it to. The worst case is you have to edit the config files to make the fail2ban filter apply only to the specified port.

No need to involve Shorewall.

BTW - if you use fail2ban and Shorewall on the same machine, configure Shorewall to restart fail2ban after a shorewall (re)start.
On 3/27/08, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Robert Lindgren wrote:
>
> >Are there any plans adding such a feature? The reason for such a
> >feature is that I want to block a specific ip from a specific port,
> >lets say 22 since there has been abuse on that port, with something
> >like fail2ban, but I still want clients from that IP to be able to
> >access for example port 80.
>
> I'm fairly certain fail2ban will do that if you configure it to. The
> owrst case is you have to edit the config files to make the fail2ban
> filter apply only to the specified port.
>
> No need to involve Shorewall.

Well since fail2ban in its default mode in Ubuntu uses iptables directly it will create a new table for its banned IPs. And it will be removed when Shorewall is restarted.

> BTW - if you use fail2ban and SHorewall on the same machine,
> configure Shorewall to restart fail2ban after a shorewall (re)start.

Yes this might solve my problems, since fail2ban will recreate its table when restarted.

Cheers.
Robert
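An added example of the arrangement Simon and Robert are discussing (my configuration, not fail2ban's shipped iptables action and not Shorewall code): a fail2ban action that puts each ban straight into Shorewall's existing dynamic chain, scoped to the jail's port and protocol, so the offender loses only the abused service and no private fail2ban chain exists for a Shorewall restart to orphan. The file name shorewall-port.conf and the jail name SSH are my choices; <ip>, <port>, <protocol> and <name> are fail2ban's standard action tags, and the dynamic chain is the one Shorewall creates at start (Paul describes adding rules to it by hand later in this thread).

```ini
# /etc/fail2ban/action.d/shorewall-port.conf   (added example; hypothetical file)
#
# Ban into Shorewall's "dynamic" chain, restricted to the jail's port, instead
# of creating a fail2ban-<name> chain of our own.  Effect of a ban on 22/tcp:
#   iptables -I dynamic 1 -s 203.0.113.7 -p tcp --dport 22 -j DROP
# so the same host can still reach port 80.

[Definition]

# Shorewall owns the chain: nothing to create on start or tear down on stop.
actionstart =
actionstop  =

# Run before every ban/unban.  A non-zero exit is logged by fail2ban and tells
# you the chain is gone, i.e. Shorewall is stopped or has been restarted and
# fail2ban's idea of what is banned no longer matches the kernel.
actioncheck = iptables -n -L dynamic >/dev/null

actionban   = iptables -I dynamic 1 -s <ip> -p <protocol> --dport <port> -j DROP
actionunban = iptables -D dynamic   -s <ip> -p <protocol> --dport <port> -j DROP

[Init]

# Defaults; the jail overrides them, e.g.
#   action = shorewall-port[name=SSH, port=ssh, protocol=tcp]
name = default
port = ssh
protocol = tcp
```

Wire it up in jail.local with `action = shorewall-port[name=SSH, port=ssh, protocol=tcp]` on the sshd jail. Rules that fail2ban puts into dynamic disappear on a Shorewall restart exactly as Robert observed for fail2ban's own chain, so follow Simon's advice: have Shorewall's `/etc/shorewall/started` extension script (run after every start/restart) restart fail2ban, so fail2ban starts clean against the freshly created chain rather than holding bans the kernel no longer has. Two Shorewall-side details from later in this thread also apply: with the default BLACKLISTNEWONLY=Yes the dynamic chain is only consulted for new connections, so set it to No if an already-established session from the banned host has to be cut as well, and do not `shorewall save` while such port-qualified rules are in the chain.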
Tom Eastep wrote:
> ...
> Unfortunately, ipsets still require kernel patching but they are by far
> the best mechanism available for maintaining large and/or dynamic sets
> of IP addresses and/or IP-Address/port pairs.

Why are ipsets taking so long to become an accepted part of netfilter?

Paul
Robert Lindgren wrote:
> ...
>> Robert Lindgren wrote:
>>
>> > Is it possible to blacklist an ip but only for a specific port?
>> > shorewall drop <ip> <port> that is?
>> >
>>...
> Are there any plans adding such a feature? The reason for such a
> feature is that I want to block a specific ip from a specific port,
> lets say 22 since there has been abuse on that port, with something
> like fail2ban, but I still want clients from that IP to be able to
> access for example port 80.
>
> Not sure if this is possible with the static blacklist, since it
> problable sets up a blacklist table for blacklist and then I can add
> to that list with iptables commands.
>
> Well anyway it would be handy to have the option to only block a
> specific port in the dynamic blacklist.

I've been doing a bit of thinking about this, having spent most of the day messing around with fail2ban in order to mitigate the effects of some crazy spam attacks.

The dynamic blacklist is just a normal table called dynamic. There is nothing to stop you putting stuff in there manually in a way that suits your needs. So instead of running

    shorewall drop IP

you would run

    iptables -A dynamic --src IP --proto tcp --dport 22 -j DROP

The equivalent of

    shorewall allow IP

would in this case be

    iptables -D dynamic --src IP --proto tcp --dport 22 -j DROP

I personally don't see the need to blacklist this way (given that the host is likely compromised and thus you shouldn't trust any traffic from it), but there's nothing to say you can't do it if it makes sense to you. (One exception to this rule about compromised hosts might be port 80, which is commonly transparently proxied by ISPs.)

In my fail2ban configuration I ended up using the dynamic blacklist as is, plus a null route command to prevent outgoing traffic to that host. (Thanks to Tuomo Soini for tips on this.) I also set BLACKLISTNEWONLY=No in shorewall.conf to make sure that packets which are part of existing connections get dropped.
The particular spambot which is attacking my server attempts to relay multiple messages in a single (authenticated) TCP connection.

Caveat: Note the performance considerations for blacklists in Shorewall at http://www.shorewall.net/blacklisting_support.htm

Paul
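Paul's two iptables commands, packaged as an added example script (mine, not Shorewall's and not something from this thread): the same -A/-D pair against the dynamic chain, with address and port validation, a check that the chain exists (i.e. that Shorewall is started), and a duplicate check so a ban fired repeatedly from fail2ban or a cron job does not stack identical rules that would each need their own -D to clear. The parsing of `iptables -n -L` output in rule_present is an assumption about the listing format of iptables of this era (which predates `iptables -C`), and IPTABLES and CHAIN are my own environment knobs for pointing the script at a wrapper or a differently named chain. As Tom warns later in this thread, do not `shorewall save` while such rules are in the chain.

```shell
#!/bin/sh
# portban.sh: port-scoped entries in Shorewall's "dynamic" chain.
# Added example, not Shorewall code.  Assumes Shorewall is started (it creates
# the "dynamic" chain) and that "iptables -n -L dynamic" prints one rule per
# line as "DROP  tcp  --  <src>  0.0.0.0/0  tcp dpt:<port>"  (assumption about
# the listing format of this era's iptables, which has no -C).
#
#   portban.sh ban   203.0.113.7 22         # drop only TCP/22 from that host
#   portban.sh unban 203.0.113.7 22
#   portban.sh ban   203.0.113.0/24 25 tcp

IPTABLES="${IPTABLES:-iptables}"   # override to point at a wrapper or stub
CHAIN="${CHAIN:-dynamic}"          # Shorewall's dynamic blacklist chain

# Dotted quad with optional /prefix (0-32); rejects letters, empty octets,
# shell metacharacters and out-of-range values.
valid_ip() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|*/*/*) return 1 ;;
        */*) p=${1#*/}
             { [ "$p" -ge 0 ] && [ "$p" -le 32 ]; } 2>/dev/null || return 1 ;;
    esac
    addr=${1%%/*}
    set -- $(printf '%s\n' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if an identical DROP is already in $CHAIN.  iptables lists a /32 host
# without its prefix, so callers strip "/32" before asking.
rule_present() {
    "$IPTABLES" -n -L "$CHAIN" 2>/dev/null | awk -v ip="$1" -v port="$2" -v proto="$3" '
        $1 == "DROP" && $2 == proto && $4 == ip && $NF == ("dpt:" port) { found = 1 }
        END { exit !found }'
}

# Validate the arguments shared by ban and unban; sets ip, port and proto.
parse_args() {
    ip=${1%/32}; port=$2; proto=${3:-tcp}
    valid_ip "$ip"     || { echo "bad address: $1" >&2; return 2; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
}

portban() {
    parse_args "$@" || return 2
    "$IPTABLES" -n -L "$CHAIN" >/dev/null 2>&1 \
        || { echo "chain $CHAIN missing; is Shorewall started?" >&2; return 1; }
    rule_present "$ip" "$port" "$proto" && return 0    # already banned: idempotent
    "$IPTABLES" -A "$CHAIN" -s "$ip" -p "$proto" --dport "$port" -j DROP
}

portunban() {
    parse_args "$@" || return 2
    rule_present "$ip" "$port" "$proto" || return 0    # nothing to delete
    "$IPTABLES" -D "$CHAIN" -s "$ip" -p "$proto" --dport "$port" -j DROP
}

# Command-line entry point; sourcing the file only defines the functions.
if [ $# -ge 3 ]; then
    case "$1" in
        ban)   portban   "$2" "$3" "$4" ;;
        unban) portunban "$2" "$3" "$4" ;;
        *)     echo "usage: $0 ban|unban ADDR PORT [tcp|udp]" >&2; exit 2 ;;
    esac
fi
```

Because the chain is Shorewall's, a `shorewall restart` still empties it; the script only makes the manual bans safe to re-issue afterwards. Like Paul's rules, these only affect new connections unless BLACKLISTNEWONLY=No is set in shorewall.conf.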
Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>> Unfortunately, ipsets still require kernel patching but they are by far
>> the best mechanism available for maintaining large and/or dynamic sets
>> of IP addresses and/or IP-Address/port pairs.
>
> Why are ipsets taking so long to become an accepted part of netfilter?

Because the implementor (Jozsef Kadlecsik) wants to make changes before final release but has no time to work on Open Source.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear wrote:
>
> The dynamic blacklist is just a normal table called dynamic. There is
> nothing to stop you putting stuff in there manually in a way that suits
> your needs. So instead of running
> shorewall drop IP
> you would run
> iptables -A dynamic --src IP --proto tcp --dport 22 -j DROP
> The equivalent of
> shorewall allow IP
> would in this case be
> iptables -D dynamic --src IP --proto tcp --dport 22 -j DROP

Just don't "shorewall save" after you do that because "shorewall restore" from that save point will crash.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> I personally don't see the need to blacklist this way (given that the
> host is likely compromised and thus you shouldn't trust any traffic from
> it), but there's nothing to say you can't do it if it makes sense to
> you. (One exception to this rule about compromised hosts might be port
> 80, which is commonly transparently proxied by ISPs.)

Well this proxying thingies the ISPs have is the sole reason why I can't drop a host all together. But this is maybe not such a big issue in Sweden anyway, more AOL country.

BR
Robert
Tom Eastep wrote:
> Paul Gear wrote:
>
>>
>> The dynamic blacklist is just a normal table called dynamic. There is
>> nothing to stop you putting stuff in there manually in a way that suits
>> your needs. So instead of running
>> shorewall drop IP
>> you would run
>> iptables -A dynamic --src IP --proto tcp --dport 22 -j DROP
>> The equivalent of
>> shorewall allow IP
>> would in this case be
>> iptables -D dynamic --src IP --proto tcp --dport 22 -j DROP
>
> Just don't "shorewall save" after you do that because "shorewall
> restore" from that save point will crash.

Another good reason not to do it! :-)

Paul