Currently when I want to dynamically blacklist an IP I can run:

    # shorewall block $ip

However the rules that are added are generated from

    -A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
    -A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
    ... and so on.

So if I want to block an IP that already has an ESTABLISHED connection, I have to block it, then kill the connection. In my case I had to do something like:

    # shorewall drop $ip
    # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
    # sleep 2s
    # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180   (default value)

note: I was dealing with a UDP connection (established SIP which times out in 180s)

The problem I see is that when we want to add to the blacklist dynamically, there's probably an immediate issue that needs resolution. If it was premeditated we'd just add the IP to blacklist or blrules.

Is it possible to change the ctstate for the target chain 'dynamic' to include ESTABLISHED?

Thanks
On 07/17/2013 05:10 PM, johnny bowen wrote:
> Currently when I want to dynamically blacklist an IP I can run:
> # shorewall block $ip
> However the rules that are added are generated from
> -A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
> -A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
> ... and so on.
> So if I want to block an IP that already has an ESTABLISHED
> connection, I have to block it, then kill the connection. In my case I
> had to do something like:
> # shorewall drop $ip
> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
> # sleep 2s
> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180
> (default value)
>
> note: I was dealing with a UDP connection (established SIP which times
> out in 180s)
>
> The problem I see is that when we want to add to the blacklist
> dynamically, there's probably an immediate issue that needs
> resolution. If it was premeditated we'd just add the IP to blacklist
> or blrules.
>
> Is it possible to change the ctstate for the target chain 'dynamic' to
> include ESTABLISHED?

Depending on your shorewall version, check out BLACKLISTNEWONLY or BLACKLIST in shorewall.conf (5).

-Tom
--
Tom Eastep              \ When I die, I want to go like my Grandfather who
Shoreline,               \ died peacefully in his sleep. Not screaming like
Washington, USA           \ all of the passengers in his car
http://shorewall.net       \________________________________________________
johnny bowen
2013-Jul-18 02:17 UTC
Re: Adding ctstate ESTABLISHED for dynamic blacklisting
Shorewall Version 4.5.4

Yes that will do just fine.
However it might be nice to have a separate option for dynamic blocking that defaults to BLACKLISTNEWONLY=No.

like
BLACKLISTDYNAMICNEWONLY=No

Thanks again.. I'll just use that for now.

On Wed, Jul 17, 2013 at 5:45 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 07/17/2013 05:10 PM, johnny bowen wrote:
>> Currently when I want to dynamically blacklist an IP I can run:
>> # shorewall block $ip
>> However the rules that are added are generated from
>> -A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
>> -A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
>> ... and so on.
>> So if I want to block an IP that already has an ESTABLISHED
>> connection, I have to block it, then kill the connection. In my case I
>> had to do something like:
>> # shorewall drop $ip
>> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
>> # sleep 2s
>> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180
>> (default value)
>>
>> note: I was dealing with a UDP connection (established SIP which times
>> out in 180s)
>>
>> The problem I see is that when we want to add to the blacklist
>> dynamically, there's probably an immediate issue that needs
>> resolution. If it was premeditated we'd just add the IP to blacklist
>> or blrules.
>>
>> Is it possible to change the ctstate for the target chain 'dynamic' to
>> include ESTABLISHED?
>
> Depending on your shorewall version, check out BLACKLISTNEWONLY or
> BLACKLIST in shorewall.conf (5).
>
> -Tom
> --
> Tom Eastep              \ When I die, I want to go like my Grandfather who
> Shoreline,               \ died peacefully in his sleep. Not screaming like
> Washington, USA           \ all of the passengers in his car
> http://shorewall.net       \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Sent from my iPad

On Jul 17, 2013, at 7:17 PM, johnny bowen <jbowen7@gmail.com> wrote:
> Shorewall Version 4.5.4
>
> Yes that will do just fine.
> However it might be nice to have a separate option for dynamic
> blocking that defaults to BLACKLISTNEWONLY=No.
>
> like
> BLACKLISTDYNAMICNEWONLY=No
>
> Thanks again.. I'll just use that for now.

You can always set BLACKLIST=NEW,ESTABLISHED, then make your first blrules entry

Established(CONTINUE)

Tom
johnny bowen
2013-Jul-18 05:36 UTC
Re: Adding ctstate ESTABLISHED for dynamic blacklisting
I didn't know I could do that: Established(Continue)
Very nice.

Unfortunately I don't think the Blacklist option is available in 4.5.4. I did read in the docs that setting blacklistnewonly=Yes can significantly slow down the firewall if the blacklist file is large. A bit unfortunate. Perhaps I'll leave blacklistnewonly=true and remember to kill established connections. Sort of a hassle sometimes... when killing the connection isn't as easy as just killing the pid.

What would be ideal is when shorewall drop is called it would add the IP to the dynamic chain and ALSO kill the nf_conntrack connection.

On Jul 17, 2013 10:11 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
>
> Sent from my iPad
>
> On Jul 17, 2013, at 7:17 PM, johnny bowen <jbowen7@gmail.com> wrote:
>
>> Shorewall Version 4.5.4
>>
>> Yes that will do just fine.
>> However it might be nice to have a separate option for dynamic
>> blocking that defaults to BLACKLISTNEWONLY=No.
>>
>> like
>> BLACKLISTDYNAMICNEWONLY=No
>>
>> Thanks again.. I'll just use that for now.
>
> You can always set BLACKLIST=NEW,ESTABLISHED, then make your first blrules
> entry
>
> Established(CONTINUE)
>
> Tom
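An added example, not from the thread and not part of Shorewall: a small POSIX sh wrapper that does what the last message asks for, putting the address into the dynamic chain with `shorewall drop` and then deleting its conntrack entries with conntrack-tools, instead of the sysctl timeout trick from the first message. It assumes the `conntrack` command is installed; the dry-run mode and the address check are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the thread): block an address with Shorewall's
# dynamic blacklist AND delete its existing conntrack entries, so flows that
# are already ESTABLISHED (e.g. a SIP session with a 180 s UDP timeout) are
# seen as NEW on their next packet and hit the 'dynamic' chain immediately.
# Assumes conntrack-tools (the `conntrack` command) is installed.

# Crude IPv4 dotted-quad check: only digits and dots, four octets, each <= 255.
# Anything else is refused so no untrusted string reaches shorewall/conntrack.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands dynamic_block runs for one address (the dry-run plan).
block_plan() {
    printf 'shorewall drop %s\n' "$1"
    printf 'conntrack -D -s %s\n' "$1"   # flows originated by the address
    printf 'conntrack -D -d %s\n' "$1"   # flows originated toward the address
}

# Usage: dynamic_block IP [run]
# Without "run" it only prints the plan; with "run" it also executes it.
dynamic_block() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    block_plan "$1"
    if [ "${2:-dry}" = run ]; then
        shorewall drop "$1" || return 1
        # Exit status of the deletes is ignored on purpose: all that matters
        # is that no entry for the address remains in the conntrack table.
        conntrack -D -s "$1" >/dev/null 2>&1 || true
        conntrack -D -d "$1" >/dev/null 2>&1 || true
    fi
    return 0
}
```

Note that the nf_conntrack_udplite_* sysctls govern UDP-Lite; plain UDP flows such as SIP use nf_conntrack_udp_timeout and nf_conntrack_udp_timeout_stream, which is another reason to delete the entries directly rather than shorten timeouts.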