I came across an interesting article on ipsets and would like to incorporate the techniques in it into my shorewall configuration. Right now I am using scripts in /etc/local.d to add the rules after shorewall has been started normally but I'd like to be able to do it the right way.

http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset?page=0,2

The rule I have set up matches packets with --state NEW and certain destination ports and then uses -j SET --add-set to add the source ip address to my blacklist ipset. What would be the right way to do this entirely within shorewall, without using an external script to modify the filter table after shorewall is done loading?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 5/28/12 8:08 PM, Jack Byer wrote:
>
> What would be the right way to do this entirely within shorewall,
> without using an external script to modify the filter table after
> shorewall is done loading?

http://www.shorewall.net/manpages/shorewall-rules.html and look at the SET action.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 5/28/12 8:08 PM, Jack Byer wrote:
> What would be the right way to do this entirely within shorewall,
> without using an external script to modify the filter table after
> shorewall is done loading?
>

Make that the ADD action.

-Tom
On Mon, May 28, 2012 at 10:25 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 5/28/12 8:08 PM, Jack Byer wrote:
>
>>
>> What would be the right way to do this entirely within shorewall,
>> without using an external script to modify the filter table after
>> shorewall is done loading?
>
> http://www.shorewall.net/manpages/shorewall-rules.html and look at the
> SET action.
>
> -Tom

Thank you. That's exactly what I was looking for.
On Mon, May 28, 2012 at 10:29 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> Make that the ADD action.
>

I managed to find it anyway but now I'm running into another difficulty. How do I express in /etc/shorewall/rules that I want to match all packets whose source (or destination) port matches a bitmap:port ipset? Adding +setname to what seems to be the right column doesn't actually work.

What I want to have is an ipset consisting of ports for which any attempt to connect to them from the internet will automatically cause the source ip address to be added to a blacklist ipset. (In the future I will invert this rule to an ipset holding a whitelist of ports for which incoming connections are allowed and will send all other connection attempts directly to the ip blacklist).
On 05/28/2012 08:50 PM, Jack Byer wrote:
> On Mon, May 28, 2012 at 10:29 PM, Tom Eastep<teastep@shorewall.net> wrote:
>>
>> Make that the ADD action.
>>
>
> I managed to find it anyway but now I'm running into another
> difficulty. How do I express in /etc/shorewall/rules that I want to
> match all packets whose source (or destination) port matches a
> bitmap:port ipset? Adding +setname to what seems to be the right
> column doesn't actually work.

The right column is either the SOURCE or DEST column.

-Tom
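The setup the thread converges on (a bitmap:port "trap" set matched from the DEST column, and the ADD action feeding a hash:ip blacklist set), written out as an added example. This is not code from the thread, from Tom, or from the Shorewall project: the set names (trapports, blacklist), the sample port list, the 3600 s timeout and the exact rule lines are constructed for illustration, and the column layout follows my reading of the shorewall-rules manpage (ADD(set:flags) in ACTION, +setname in SOURCE/DEST, with Shorewall choosing the src/dst set flag from the column). The script only generates the ipset restore text and the rules lines; it does not touch the firewall itself.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project).
# Generates (1) an 'ipset restore' script that creates the two sets and
# (2) the /etc/shorewall/rules lines that use them, so the "connection to
# a trap port blacklists the source" logic lives entirely in Shorewall
# config instead of a post-start script in /etc/local.d.
#
# All names and values below are constructed for illustration.

TRAP_SET="trapports"        # bitmap:port set: ports no legitimate client should touch
BLACKLIST_SET="blacklist"   # hash:ip set that the trap rule feeds
BLACKLIST_TIMEOUT=3600      # seconds an entry lives; drop 'timeout' for a permanent ban
TRAP_PORTS="23 135 445 1433 3389"   # constructed sample trap ports

# Emit an 'ipset restore' script. Both sets must exist before Shorewall
# loads the rules that reference them, so this is run first (assumption:
# you load it from an init script or Shorewall's own init extension).
gen_ipset_restore() {
    printf 'create %s hash:ip family inet timeout %s\n' "$BLACKLIST_SET" "$BLACKLIST_TIMEOUT"
    printf 'create %s bitmap:port range 0-65535\n' "$TRAP_SET"
    for p in $TRAP_PORTS; do
        printf 'add %s %s\n' "$TRAP_SET" "$p"
    done
}

# Emit the /etc/shorewall/rules lines. Assumptions, per the manpage as I
# read it: '+set' in SOURCE matches with the 'src' set flag, '+set' in
# DEST matches with the 'dst' flag (for a bitmap:port set that means the
# destination port), and ADD(set:src) compiles to the non-terminating
# '-j SET --add-set', so an explicit DROP follows it.
gen_shorewall_rules() {
    cat <<EOF
#ACTION                  SOURCE                 DEST                  PROTO
# 1. Anything already blacklisted is dropped before any other rule runs.
DROP                     net:+$BLACKLIST_SET    all
# 2. A connection attempt to a trap port adds the *source* address to the blacklist...
ADD($BLACKLIST_SET:src)  net                    \$FW:+$TRAP_SET       tcp
# 3. ...and the attempt itself is dropped.
DROP                     net                    \$FW:+$TRAP_SET       tcp
EOF
}

# Stand-alone run: show both artifacts; nothing is applied to the system.
if [ "${1:-}" = "--show" ]; then
    echo "# --- ipset restore input ---"
    gen_ipset_restore
    echo "# --- /etc/shorewall/rules lines ---"
    gen_shorewall_rules
fi
```

Usage (as root, and only after reviewing the generated text): `gen_ipset_restore | ipset -exist restore` creates the sets idempotently, the rules lines are appended to /etc/shorewall/rules, and `shorewall restart` compiles them. Rule 1 sits first so that a blacklisted address is dropped on every port, not just the trap ports; rule 3 is there because, on my understanding, ADD only tags the packet's source and does not itself terminate the rule chain. The timeout on the hash:ip set is the detail that keeps a self-feeding blacklist from growing without bound and from permanently locking out an address that was only briefly misbehaving.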