[Shorewall-users] custom Drop action
Tom Eastep
2017-06-15 15:06:34 UTC
Hi,
I'd like to know how to rewrite my custom Drop action for Shorewall
5.1.
My goal is to add the SRC IP address of a remote host that tries to
connect to an "unpublished"/unavailable port. To do that I created
a custom DROP action and included it at the very end of my rules
file.
# grep -v ^# /etc/shorewall/action.DROPBL | grep -v ^$
?warning "You are using the deprecated Drop default action. Please see
?if passed(@1)
    ?if @1 eq 'audit'
        DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
    ?else
        ?error The first parameter to Drop must be 'audit' or '-'
    ?endif
?else
    DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
?endif
COUNT
ADD(POL_BL:src)
# grep DROP_DEFAULT /etc/shorewall/shorewall.conf
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
# tail -n 1 /etc/shorewall/rules
DROPBL:info:polbl	net4	all
# grep ^net4 /etc/shorewall/policy
net4	$FW	DROP
net4	loc	DROP
net4	dmz	DROP
net4	net3	DROP
net4	net2	DROP
net4	net1	DROP
net4	all	DROP
First of all I was thinking of changing my rules file and replacing
DROPBL:info:polbl	net4	all
with
ADD(POL_BL:src):info:polbl	net4	all
Would I get the same behavior, considering that the default policy
is DROP? If that were the case I would not need to define the
DROPBL custom action.
If not, how would I need to re-write my custom action?
I tried the solution to replace DROPBL with ADD and got the
WARNING: Log Prefix shortened to "Shorewall:polbl:ADD(POL_BL:s "
# grep LOGTAGONLY /etc/shorewall/shorewall.conf
LOGTAGONLY=Yes
This is on a box with Shorewall 5.0.15.6. Despite the log tag issue
the rest seems to be working as expected.
With shorewall 5.1.4.1 the log tag warning doesn't show up, but I'm
still in the process of moving to that version.

Since Shorewall 5.1.1, using a hacked up Drop action is no longer the
best way to accomplish what you are trying to do. The recommended way
is to define the net4->* policies to be BLACKLIST, and set
DYNAMIC_BLACKLIST to use the POL_BL ipset.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
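The BLACKLIST-policy setup Tom recommends, written out as an added example (it is not from the original thread and not one of Shorewall's own sample files). It assumes Shorewall 5.1.1 or later, the zone names from the question, the ipset name POL_BL, and that the ipset-backed form of DYNAMIC_BLACKLIST is in use:

```text
# /etc/shorewall/shorewall.conf (excerpt)
#
# Keep the dynamic blacklist in the ipset POL_BL rather than the default set.
# Every BLACKLIST policy hit and every "shorewall blacklist <addr>" command
# adds to this set, and the generated ruleset drops traffic from listed
# sources before it reaches the per-zone rules.
DYNAMIC_BLACKLIST=ipset:POL_BL

# /etc/shorewall/policy (excerpt)
#
# Replaces the "net4 <dest> DROP" policies from the question. A connection from
# net4 that no rule ACCEPTs (one aimed at an unpublished port) now falls through
# to the BLACKLIST policy, which records the source address in POL_BL and drops
# the packet. The per-zone net4 -> $FW/loc/dmz/... lines can be converted the
# same way or collapsed into this single line. The DROPBL / ADD(POL_BL:src)
# rule at the end of the rules file is no longer needed.
#SOURCE   DEST   POLICY      LOGLEVEL
net4      all    BLACKLIST   info

# To inspect what has been collected, run on the firewall:
#   ipset list POL_BL
```

One caveat worth keeping in mind with either the old action or this policy: a single unsolicited packet is enough to get its source address listed, so a sender that can spoof source addresses can get third parties blocked, including hosts the site itself depends on (upstream resolvers, peers). Exempt essential addresses with explicit ACCEPT rules ahead of the policy, and consider an expiry for entries so a spoofed address does not stay blocked indefinitely.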