So, per a previous discussion on this list I have been using ipsets to
manage a fail2ban populated blacklist. In the blacklist file I have:

<IP ADDRESS 1>
<IP ADDRESS 2>
...
<IP ADDRESS N>
+fail2ban
+fail2ban_perm

And then fail2ban has actions to insert and remove items from those
ipsets. Good so far.

One problem is though that I am finding that those ipsets are not
automatically created. I noticed a section in my init that is creating
ipsets:

#START IPSET CREATION -- DO NOT REMOVE
new_ipset() {
    local NAME="$1"
    # create the set only if it does not exist yet
    ipset -L "$NAME" >/dev/null 2>&1 || {
        /bin/echo -e "$NAME...\c"
        ipset -N "$NAME" iphash
    }
}

/bin/echo -e "Creating any undefined ipsets...\c"
new_ipset "foo"
...
new_ipset "abc_gw"
ABC_GATEWAY=$(detect_gateway $ABCIF)
ipset -A abc_gw "$ABC_GATEWAY"
echo
#END IPSET CREATION -- DO NOT REMOVE

That code looks like something I would write but I don't know where it
came from since it appears to be getting inserted into init by the
generated firewall script and I can't find it anywhere else.

In any case, a couple of questions:

* are ipsets in general supposed to be created by shorewall?
* are ipsets in the blacklist supposed to be created by shorewall?
* what's the best known practices for saving *selected* ipsets so
  that shorewall reloads on them on restart/reload?
* I have a number of ipsets which I don't think I want restored on a
  shorewall restart/reload

I'm using Shorewall 4.5.15 on Fedora 19 FWIW.

Cheers,
b.
On 11/26/2013 5:57 AM, Brian J. Murrell wrote:
> So, per a previous discussion on this list I have been using ipsets to
> manage a fail2ban populated blacklist. In the blacklist file I have:
>
> <IP ADDRESS 1>
> <IP ADDRESS 2>
> ...
> <IP ADDRESS N>
> +fail2ban
> +fail2ban_perm
>
> And then fail2ban has actions to insert and remove items from those
> ipsets. Good so far.
>
> One problem is though that I am finding that those ipsets are not
> automatically created. I noticed a section in my init that is creating
> ipsets:
>
> #START IPSET CREATION -- DO NOT REMOVE
> new_ipset() {
>     local NAME="$1"
>     ipset -L "$NAME" >/dev/null 2>&1 || {
>         /bin/echo -e "$NAME...\c"
>         ipset -N "$NAME" iphash
>     }
> }
>
> /bin/echo -e "Creating any undefined ipsets...\c"
> new_ipset "foo"
> ...
> new_ipset "abc_gw"
> ABC_GATEWAY=$(detect_gateway $ABCIF)
> ipset -A abc_gw "$ABC_GATEWAY"
> echo
> #END IPSET CREATION -- DO NOT REMOVE
>
> That code looks like something I would write but I don't know where it
> came from since it appears to be getting inserted into init by the
> generated firewall script and I can't find it anywhere else.

It is not generated by Shorewall; must have been created by some other
product.

> In any case, a couple of questions:
>
> * are ipsets in general supposed to be created by shorewall?

Shorewall only creates ipsets that define dynamic zones. It does not
create other ipsets.

> * are ipsets in the blacklist supposed to be created by
>   shorewall?

No.

> * what's the best known practices for saving *selected* ipsets so
>   that shorewall reloads on them on restart/reload?
> * I have a number of ipsets which I don't think I want
>   restored on a shorewall restart/reload

Create/load them in the 'init' user exit when $COMMAND = start; save
them in the 'stopped' user exit.

> I'm using Shorewall 4.5.15 on Fedora 19 FWIW.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Brian J. Murrell
2013-Nov-27 22:27 UTC
Re: best practices for using/saving (blacklist) ipsets
On Tue, 2013-11-26 at 07:49 -0800, Tom Eastep wrote:
>
> It is not generated by Shorewall; must have been created by some other
> product.

Ahh. It's created in the compile "extension script" which I didn't
realize was an extension script and that I wrote it. :-) You know they
say the memory is the second thing to go, right? :-)

> Create/load them in the 'init' user exit

By that do you mean "init" or "initdone"? I think you mean "init" but
the "user exit" bit is throwing me. Is that simply referring to the end
of that init extension script or something more structured in that init
extension script?

> when $COMMAND = start; save
> them in the 'stopped' user exit.

Cheers,
b.
On 11/27/2013 2:27 PM, Brian J. Murrell wrote:
>
> On Tue, 2013-11-26 at 07:49 -0800, Tom Eastep wrote:
>>
>> It is not generated by Shorewall; must have been created by some other
>> product.
>
> Ahh. It's created in the compile "extension script" which I didn't
> realize was an extension script and that I wrote it. :-) You know they
> say the memory is the second thing to go, right? :-)
>
>> Create/load them in the 'init' user exit
>
> By that do you mean "init" or "initdone"? I think you mean "init" but
> the "user exit" bit is throwing me. Is that simply referring to the end
> of that init extension script or something more structured in that init
> extension script?

'init' and 'initdone' are two different extension scripts. See
http://www.shorewall.org/shorewall_extension_scripts.htm. I was
referring to 'init'. 'initdone' is deprecated now that Shorewall uses
iptables-restore rather than just iptables.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Brian J. Murrell
2013-Nov-28 13:14 UTC
Re: best practices for using/saving (blacklist) ipsets
On Wed, 2013-11-27 at 21:04 -0800, Tom Eastep wrote:
> 'init' and 'initdone' are two different extension scripts. See
> http://www.shorewall.org/shorewall_extension_scripts.htm. I was
> referring to 'init'.

Right. This is what I suspected.

So when you said:

> Create/load them in the 'init' user exit

Do you simply mean near the end of that script or is there something
more specific/structured about the "user exit" concept in extension
scripts?

Cheers,
b.
On 11/28/2013 5:14 AM, Brian J. Murrell wrote:
> On Wed, 2013-11-27 at 21:04 -0800, Tom Eastep wrote:
>> 'init' and 'initdone' are two different extension scripts. See
>> http://www.shorewall.org/shorewall_extension_scripts.htm. I was
>> referring to 'init'.
>
> Right. This is what I suspected.
>
> So when you said:
>
>> Create/load them in the 'init' user exit
>
> Do you simply mean near the end of that script or is there something
> more specific/structured about the "user exit" concept in extension
> scripts?

'User exit' is a synonym for 'Extension Script'.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
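An added example of what Tom describes (not from this thread and not Shorewall's own files): the fail2ban sets are created on start, only the sets named in SAVED_SETS are saved after a stop and restored on the next start. The set list, the save path and the use of lib.private for the shared functions are my assumptions; pasting the functions into both extension scripts works just as well.

```shell
#!/bin/sh
# Added example, not from the thread: create the fail2ban ipsets on
# 'shorewall start' and save/restore only the sets listed in SAVED_SETS.
# Assumptions: the functions live in /etc/shorewall/lib.private, the two
# guarded blocks at the bottom are the bodies of /etc/shorewall/init and
# /etc/shorewall/stopped, and SAVE_FILE is a path of your choosing.
SAVED_SETS="${SAVED_SETS:-fail2ban fail2ban_perm}"
SAVE_FILE="${SAVE_FILE:-/var/lib/shorewall/ipsets.save}"

# Create a hash:ip set only if it is missing, so repeated starts are
# harmless and fail2ban's add/del actions never hit a nonexistent set.
ensure_ipset() {
    ipset list "$1" >/dev/null 2>&1 || ipset create "$1" hash:ip
}

# Dump create/add lines for the selected sets only. Sets you do not want
# restored are simply left out of SAVED_SETS and start empty next time.
save_selected_sets() {
    : > "$SAVE_FILE"
    chmod 600 "$SAVE_FILE"
    for s in $SAVED_SETS; do
        ipset list "$s" >/dev/null 2>&1 && ipset save "$s" >> "$SAVE_FILE"
    done
    return 0
}

# Reload the saved sets; -exist makes it safe when the set or an entry
# already exists. A missing or empty save file is not an error.
restore_selected_sets() {
    [ -s "$SAVE_FILE" ] || return 0
    ipset -exist restore < "$SAVE_FILE"
}

# ---- body of /etc/shorewall/init: Shorewall sources it with $COMMAND set
if [ "$COMMAND" = start ]; then
    for s in $SAVED_SETS; do ensure_ipset "$s"; done
    restore_selected_sets
fi

# ---- body of /etc/shorewall/stopped: runs after the firewall is stopped
if [ "$COMMAND" = stop ]; then
    save_selected_sets
fi
```

Gating the restore on $COMMAND = start, as Tom suggests, means a restart or reload, where the sets are still loaded, never replays a possibly stale save file.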