Hi,

I'm trying to figure out how to interrupt a connection temporarily.

Suppose I want to stop traffic going to 123.123.123.123 then re-allow it later on.

I have BLACKLISTNEWONLY=Yes in shorewall.conf.

On my shorewall bridge I run:

# tcpkill -i br0 "dst host 123.123.123.123"

This interrupts my TCP connection as expected.

# shorewall show connections | grep 123.123.123.123
tcp 6 5 CLOSE src=10.215.144.48 dst=123.123.123.123 sport=2187 dport=80 packets=284 bytes=11908 src=123.123.123.123 dst=10.215.144.48 sport=80 dport=2187 packets=618 bytes=773183 [ASSURED] mark=0 use=1

After a short while the above command yields no output.

Then I run:

# shorewall reject 123.123.123.123
123.123.123.123 Rejected

However, if I try to connect I succeed when I shouldn't be able to.

Do I need to set "blacklist" in the interfaces file?

Thanks,
Vieri

------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
On 8/9/10 5:53 AM, Vieri Di Paola wrote:
> Hi,
>
> I'm trying to figure out how to interrupt a connection temporarily.
>
> Suppose I want to stop traffic going to 123.123.123.123 then re-allow it later on.
>
> I have BLACKLISTNEWONLY=Yes in shorewall.conf.
>
> On my shorewall bridge I run:
> # tcpkill -i br0 "dst host 123.123.123.123"
>
> This interrupts my TCP connection as expected.
>
> # shorewall show connections | grep 123.123.123.123
> tcp 6 5 CLOSE src=10.215.144.48 dst=123.123.123.123 sport=2187 dport=80 packets=284 bytes=11908 src=123.123.123.123 dst=10.215.144.48 sport=80 dport=2187 packets=618 bytes=773183 [ASSURED] mark=0 use=1
>
> After a short while the above command yields no output.
>
> Then I run:
> # shorewall reject 123.123.123.123
> 123.123.123.123 Rejected
>
> However, if I try to connect I succeed when I shouldn't be able to.
>
> Do I need to set "blacklist" in the interfaces file?

Shorewall blacklisting blacklists the SOURCE address, not the DESTINATION address. From the 'show connections' output, the original connection was TO 123.123.123.123, not FROM that host.

So after blacklisting that IP, you can still connect to it.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- On Mon, 8/9/10, Tom Eastep <teastep@shorewall.net> wrote:
> Shorewall blacklisting blacklists the SOURCE address, not the
> DESTINATION address. From the 'show connections' output, the original
> connection was TO 123.123.123.123, not FROM that host.
>
> So after blacklisting that IP, you can still connect to it.

Thanks.
Is there a way to "dynamically" blacklist a destination address? (and "de-blacklist" it)

Vieri
On 8/9/10 8:17 AM, Vieri Di Paola wrote:
>
> --- On Mon, 8/9/10, Tom Eastep <teastep@shorewall.net> wrote:
>
>> Shorewall blacklisting blacklists the SOURCE address, not the
>> DESTINATION address. From the 'show connections' output, the original
>> connection was TO 123.123.123.123, not FROM that host.
>>
>> So after blacklisting that IP, you can still connect to it.
>
> Thanks.
> Is there a way to "dynamically" blacklist a destination address? (and "de-blacklist" it)

No.

-Tom
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, 9 August 2010 11:28 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] connection rejection

On 8/9/10 8:17 AM, Vieri Di Paola wrote:
>
> --- On Mon, 8/9/10, Tom Eastep <teastep@shorewall.net> wrote:
>
>> Shorewall blacklisting blacklists the SOURCE address, not the
>> DESTINATION address. From the 'show connections' output, the original
>> connection was TO 123.123.123.123, not FROM that host.
>>
>> So after blacklisting that IP, you can still connect to it.
>
> Thanks.
> Is there a way to "dynamically" blacklist a destination address? (and
> "de-blacklist" it)

No.

-Tom

Although at Linux command line you could do:

sudo ip route add blackhole 123.123.123.123

And remove it with:

sudo ip route del blackhole 123.123.123.123

Kind regards,
Trent O'Callaghan
--- On Tue, 8/10/10, Trent O'Callaghan <trent.ocallaghan@nearmap.com> wrote:
> Although at Linux command line you could do:
>
> sudo ip route add blackhole 123.123.123.123
>
> And remove it with:
>
> sudo ip route del blackhole 123.123.123.123

Thanks!
On 8/10/10 1:37 AM, Vieri Di Paola wrote:
>
> --- On Tue, 8/10/10, Trent O'Callaghan <trent.ocallaghan@nearmap.com> wrote:
>
>> Although at Linux command line you could do:
>>
>> sudo ip route add blackhole 123.123.123.123
>>
>> And remove it with:
>>
>> sudo ip route del blackhole 123.123.123.123
>
> Thanks!

Yes, thanks Trent. I mis-interpreted Vieri's question to mean a 'shorewall command' rather than any command.

An alternative would be:

sudo iptables -A dynamic -d 123.123.123.123 -j DROP

and

sudo iptables -D dynamic -d 123.123.123.123 -j DROP

-Tom
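Tom's two points above, that the blacklist matches the original SOURCE of a connection (which is why 123.123.123.123, appearing only as the original destination in the 'show connections' line, is not blocked by 'shorewall reject') and the iptables 'dynamic' chain alternative, worked into a small POSIX sh example. This is an added example, not code from the thread or from Shorewall itself; it assumes the conntrack line format shown earlier in the thread, the 'dynamic' chain as Tom describes it, and a constructed sample line.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall.
# A "shorewall show connections" line (conntrack format) lists the ORIGINAL
# direction first (src=/dst= of the packet that opened the connection) and the
# reply direction second. Shorewall's blacklist matches the original source,
# so a host that only appears as the original destination is not blocked by
# "shorewall reject".

# Constructed sample, modelled on the line posted in the thread.
SAMPLE_LINE='tcp 6 5 CLOSE src=10.215.144.48 dst=123.123.123.123 sport=2187 dport=80 packets=284 bytes=11908 src=123.123.123.123 dst=10.215.144.48 sport=80 dport=2187 packets=618 bytes=773183 [ASSURED] mark=0 use=1'

# first_field KEY LINE: value of the first KEY= token, i.e. the original direction.
first_field() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { for (i = 1; i <= NF; i++)
              if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit } }'
}

# conn_role IP LINE: prints "source" if IP opened the connection,
# "destination" if it only received it, "none" if it is not in the line.
conn_role() {
    if   [ "$(first_field src "$2")" = "$1" ]; then echo source
    elif [ "$(first_field dst "$2")" = "$1" ]; then echo destination
    else echo none
    fi
}

# block_dst_for IP SECONDS: Tom's iptables approach as a script that cleans up
# after itself. Appends a DROP toward IP to Shorewall's "dynamic" chain and
# removes it when the timer ends or the script is interrupted. Needs root and
# a running Shorewall, so it is defined here but not called. With
# BLACKLISTNEWONLY=Yes the chain is only consulted for new connections, which
# is why the thread kills the existing one with tcpkill first.
block_dst_for() {
    ip=$1; secs=${2:-60}
    iptables -A dynamic -d "$ip" -j DROP || return 1
    trap 'iptables -D dynamic -d "$ip" -j DROP' EXIT
    trap 'exit 130' INT TERM
    sleep "$secs"
}

# Demonstration on the sample line: the host's role is "destination", so a
# source-based blacklist entry for it cannot stop the connection.
printf '%s is the %s\n' 123.123.123.123 "$(conn_role 123.123.123.123 "$SAMPLE_LINE")"
```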
--- On Tue, 8/10/10, Tom Eastep <teastep@shorewall.net> wrote:
> An alternative would be:
>
> sudo iptables -A dynamic -d 123.123.123.123 -j DROP
>
> and
>
> sudo iptables -D dynamic -d 123.123.123.123 -j DROP

Thanks again!

Vieri
On 8/10/10 4:12 PM, Vieri Di Paola wrote:
>
> --- On Tue, 8/10/10, Tom Eastep <teastep@shorewall.net> wrote:
>
>> An alternative would be:
>>
>> sudo iptables -A dynamic -d 123.123.123.123 -j DROP
>>
>> and
>>
>> sudo iptables -D dynamic -d 123.123.123.123 -j DROP
>
> Thanks again!

You're welcome.

Given the frequency with which this comes up, 4.4.12 RC1 will support blacklisting by destination IP.

-Tom