Hello there,

I'd like to understand something.
Today I tried to blacklist one single IP via the /etc/shorewall/blacklist file (+ blacklist option activated on my "net" interfaces + shorewall restarted).
I couldn't block the traffic through my gateway (= my shorewall).

I saw with iptables a new chain "blacklst", containing one DROP rule with the IP I tried to block.
The byte counter didn't increase, but the byte counter for the blacklst chain did.
The traffic (from net -> dmz) was still going on.

So I decided to insert (not append) a DROP rule directly with iptables (in INPUT chain), still not working.
Then I decided to insert the same in the FORWARD chain, and the traffic stopped, which I can understand because it was some traffic "through" the FW.

==> Question: what does the blacklist option do / not do? Not adding in FORWARD? Not adding everywhere, let's say?
Have I done something wrong?

Thank you,
JM.

(running Debian "stable", shorewall 3.2.6-2, linux 2.6.17.8 smp i686)

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
JM wrote:
> Hello there,
>
> I'd like to understand something.
> Today I tried to blacklist one single IP via the
> /etc/shorewall/blacklist file (+ blacklist option activated on my "net"
> interfaces + shorewall restarted).
> I couldn't block the traffic through my gateway (= my shorewall).
>
> I saw with iptables a new chain "blacklst", containing one DROP rule
> with the IP I tried to block.
> The byte counter didn't increase, but the byte counter for the blacklst
> chain did.
> The traffic (from net -> dmz) was still going on.
>
> So I decided to insert (not append) a DROP rule directly with iptables
> (in INPUT chain), still not working.
> Then I decided to insert the same in the FORWARD chain, and the traffic
> stopped, which I can understand because it was some traffic "through" the FW.
>
> ==> Question: what does the blacklist option do / not do? Not adding in
> FORWARD? Not adding everywhere, let's say?
> Have I done something wrong?

Blacklisting is applied to both INPUT and FORWARD. Your confusion probably stems from having BLACKLISTNEWONLY=Yes in shorewall.conf. With that setting, only NEW connections are blocked -- existing connections continue to work. If you want to be able to use blacklisting to break existing connections then you must set BLACKLISTNEWONLY=No.
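The symptom above (the jump into blacklst counts packets, the DROP rule inside it does not) is what a NEW-only blacklist looks like in `iptables -nvL`. The following checker is an added example, not code from the thread or from Shorewall; it parses constructed `iptables -nvL` output (chain name `eth0_in` and the addresses are assumed) and reports whether the blacklst jump is gated on `state NEW`, which is the BLACKLISTNEWONLY=Yes case the reply describes.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables -nvL` output, modelled on a Shorewall 3.x box
# with BLACKLISTNEWONLY=Yes: the jump into blacklst is gated on "state NEW".
SAMPLE_NEWONLY = """\
Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
  842 61300 blacklst   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
"""

def parse_chains(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse `iptables -nvL` output into {chain name: [rule dicts]}."""
    chains: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        chains[current].append({"pkts": f[0], "target": f[2], "source": f[7],
                                "matches": f[9].strip() if len(f) > 9 else ""})
    return chains

def blacklist_mode(chains: Dict[str, List[Dict[str, str]]]) -> str:
    """'new-only' if every jump into blacklst is gated on state NEW,
    'all' if some jump is unconditional, 'absent' if nothing jumps to it."""
    jumps = [r for rules in chains.values() for r in rules if r["target"] == "blacklst"]
    if not jumps:
        return "absent"
    return "new-only" if all("state NEW" in r["matches"] for r in jumps) else "all"

def diagnose(text: str, ip: str) -> str:
    """Explain why a blacklisted IP may still be passing traffic."""
    chains = parse_chains(text)
    drops = [r for r in chains.get("blacklst", []) if r["target"] == "DROP" and r["source"] == ip]
    if not drops:
        return "not blacklisted"
    if blacklist_mode(chains) == "new-only" and drops[0]["pkts"] == "0":
        return "new-only: established flows still pass"
    return "dropping"
```

With the sample above, `diagnose(SAMPLE_NEWONLY, "192.0.2.10")` reports the NEW-only condition; with the `state NEW` match removed from the jump (BLACKLISTNEWONLY=No) it reports that the DROP rule is in effect.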
Ok, thank you, I'll try this.
I was afraid of something like that, so I kept my connection down for some moments, probably long enough :)

Regards,
JM

Shorewall Guy wrote:
> Blacklisting is applied to both INPUT and FORWARD. Your confusion
> probably stems from having BLACKLISTNEWONLY=Yes in shorewall.conf. With
> that setting, only NEW connections are blocked -- existing connections
> continue to work. If you want to be able to use blacklisting to break
> existing connections then you must set BLACKLISTNEWONLY=No.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users