I would like to add in a blacklist from lists of known bad IPs/Domains (scammers/spammers/phishers/etc.), but seem to be having some problems.

I add the list into the /etc/shorewall/blacklist file and then either restart or refresh shorewall, but it never finishes.
When I look at iptables while shorewall is starting I see a number of rules added, but then I see a number of rules added for dropping from the opendns fail servers (hit-nxdomain.opendns.com and hit-servfail.opendns.com).
I assume these are from it doing lookups on domains that are no longer there since the list was compiled, so it ends up adding rules blocking those, which then seems to halt the list processing shortly thereafter.

I tried adding ACCEPT rules in for the ip ranges and domain names for the opendns servers but it didn't make a difference (apparently the blacklist processing overrides the rules in the rules file?).

Is there anything I can do short of pre-processing the lists to filter out the no-longer-there domains?

I'm currently using shorewall 3.4.8 (yeah I know, I just haven't taken the time to upgrade and figure out what all I would need to reconfigure since this is my VPS box).

Thanks.

Mark II

-- 
Mark D. Montgomery II
http://www.techiem2.net

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and AppDynamics.
Performance Central is your source for news, insights, analysis and resources
for efficient Application Performance Management. Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
On 8/22/2013 9:06 PM, Mark D. Montgomery II wrote:
> I would like to add in a blacklist from lists of known bad IPs/Domains
> (scammers/spammers/phishers/etc.), but seem to be having some problems.
>
> I add the list into the /etc/shorewall/blacklist file and then either
> restart or refresh shorewall, but it never finishes.
> When I look at iptables while shorewall is starting I see a number of
> rules added, but then I see a number of rules added for dropping from
> the opendns fail servers (hit-nxdomain.opendns.com and
> hit-servfail.opendns.com).
> I assume these are from it doing lookups on domains that are no longer
> there since the list was compiled, so it ends up adding rules blocking
> those, which then seems to halt the list processing shortly thereafter.

Placing DNS names in the Shorewall config files is a really bad idea. See
http://www.shorewall.net/configuration_file_basics.htm#dnsnames

> I tried adding ACCEPT rules in for the ip ranges and domain names for
> the opendns servers but it didn't make a difference (apparently the
> blacklist processing overrides the rules in the rules file?).

Yes.

> Is there anything I can do short of pre-processing the lists to filter
> out the no-longer-there domains?

My advice is to not use Shorewall to filter by DNS name.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks. I'll look into other ways of getting the list blocked then.

Mark II

Quoting Tom Eastep <teastep@shorewall.net>:
> On 8/22/2013 9:06 PM, Mark D. Montgomery II wrote:
>> I would like to add in a blacklist from lists of known bad IPs/Domains
>> (scammers/spammers/phishers/etc.), but seem to be having some problems.
>>
>> I add the list into the /etc/shorewall/blacklist file and then either
>> restart or refresh shorewall, but it never finishes.
>> When I look at iptables while shorewall is starting I see a number of
>> rules added, but then I see a number of rules added for dropping from
>> the opendns fail servers (hit-nxdomain.opendns.com and
>> hit-servfail.opendns.com).
>> I assume these are from it doing lookups on domains that are no longer
>> there since the list was compiled, so it ends up adding rules blocking
>> those, which then seems to halt the list processing shortly thereafter.
>
> Placing DNS names in the Shorewall config files is a really bad idea.
> See http://www.shorewall.net/configuration_file_basics.htm#dnsnames
>
>> I tried adding ACCEPT rules in for the ip ranges and domain names for
>> the opendns servers but it didn't make a difference (apparently the
>> blacklist processing overrides the rules in the rules file?).
>
> Yes.
>
>> Is there anything I can do short of pre-processing the lists to filter
>> out the no-longer-there domains?
>
> My advice is to not use Shorewall to filter by DNS name.
>
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net
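The pre-processing step the original poster mentions, as an added example that is not from the thread, from Shorewall or from OpenDNS: it resolves every hostname once at list-build time, drops names that no longer resolve or that resolve only to the resolver's NXDOMAIN/SERVFAIL redirect address (found by resolving the two OpenDNS names quoted in the thread, since their addresses are not given), and emits address-only entries so Shorewall itself never has to look up a DNS name. The FAKE_DNS table, the fake_resolver and all addresses are constructed (documentation ranges) so the script runs offline; the default resolver is the real one.

```python
import ipaddress
import socket

# OpenDNS fail-server names quoted in the thread; their addresses are resolved
# at run time rather than hard-coded, since the thread does not list them.
SINKHOLE_NAMES = ("hit-nxdomain.opendns.com", "hit-servfail.opendns.com")

def resolve_all(name, resolver=socket.gethostbyname_ex):
    try:
        return set(resolver(name)[2])    # (canonname, aliases, addresses)[2]
    except OSError:                      # gaierror / herror are OSError subclasses
        return set()

def preprocess_blacklist(entries, resolver=socket.gethostbyname_ex):
    """Reduce a mixed IP/CIDR/hostname list to address-only entries so Shorewall
    never sees a DNS name. Returns (kept_addresses, [(entry, reason), ...])."""
    sinkholes = set().union(*(resolve_all(n, resolver) for n in SINKHOLE_NAMES))
    keep, dropped, seen = [], [], set()
    for raw in entries:
        item = raw.split("#", 1)[0].strip()        # drop comments / blank lines
        if not item:
            continue
        try:
            ipaddress.ip_network(item, strict=False)   # literal IP or CIDR: keep
            addrs = [item]
        except ValueError:                             # a hostname: resolve now
            addrs = sorted(resolve_all(item, resolver))
            live = [a for a in addrs if a not in sinkholes]
            if not addrs:
                dropped.append((item, "does not resolve"))
            elif not live:
                dropped.append((item, "resolves only to a sinkhole address"))
            addrs = live
        for a in addrs:
            if a not in seen:
                seen.add(a)
                keep.append(a)
    return keep, dropped

# Constructed offline stand-in for DNS (documentation ranges); gone.example
# mimics a dead domain that the resolver redirects to its NXDOMAIN page.
FAKE_DNS = {"hit-nxdomain.opendns.com": ["192.0.2.10"],
            "hit-servfail.opendns.com": ["192.0.2.11"],
            "bad.example": ["198.51.100.6", "198.51.100.5"],
            "gone.example": ["192.0.2.10"]}

def fake_resolver(name):                 # same return shape as gethostbyname_ex
    if name in FAKE_DNS:
        return (name, [], FAKE_DNS[name])
    raise OSError("no such host")
```

To use it against real DNS, call `preprocess_blacklist(open("/etc/shorewall/blacklist").read().splitlines())` with the default resolver and write the returned addresses back to the blacklist file, keeping the dropped list as a log of entries that need attention.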