[Shorewall-users] Having accept only access
misc02
2017-05-13 11:20:54 UTC
Hi

I've been using V4.5.4 for a while and it has worked fine.
I keep it simple and just add or remove entries from the blrules file.

typically just

DROP net:123.123.123.123 all
or the variation of IP addressing.

What I would like to do now is to deny all access to the site
except those I ACCEPT

ACCEPT net:123.123.123.123-123.123.123.124 all
or whatever.

I was wondering what the easiest way is for me to
block everything excluding
network connections (special-use blocks, is that?)
such as 127.0.0.1 etc.
(The server is a hosted dedicated one.)

and can I then just drop in my ACCEPT lines?

Normally I'd just run a local test but my test network is offline.

thanks

jaz
Matt Darfeuille
2017-05-13 15:37:13 UTC
Post by misc02
Hi
I've been using V4.5.4 for a while and it has worked fine.
I keep it simple and just add or remove entries from the blrules file.
typically just
DROP net:123.123.123.123 all
or the variation of IP addressing.
What I would like to do now is to deny all access to the site
except those I ACCEPT
ACCEPT net:123.123.123.123-123.123.123.124 all
or whatever.
I was wondering what the easiest way is for me to
block everything excluding
network connections (special-use blocks, is that?)
such as 127.0.0.1 etc.
(The server is a hosted dedicated one.)
From:
http://shorewall.org/manpages/shorewall-blrules.html

"Example 2:
Don't subject packets from 2001:DB8::/64 to the remaining rules in the file.
WHITELIST net:[2001:DB8::/64] all"

So the following should do what you want:

WHITELIST ...
DROP ...


See also:
http://shorewall.org/configuration_file_basics.htm#Exclusion
http://shorewall.org/manpages/shorewall-exclusion.html
-Matt
--
Matt Darfeuille
misc02
2017-05-14 10:54:12 UTC
Thanks Matt -

I'm not sure if I can do it the following way - I'm trying to keep
the blrules file as obvious as possible by separating the whitelist
from the excluded ranges within it. The idea is that this would make
it easy to just put in a new IP or IP range to DROP without having
to work out which CIDR block it is included in every time and
keep the lines short if multiple randoms need DROPping in a range
at later dates.

I.e., will my EXCLUSION block go back and remove that range
from the WHITELIST, and my DROP block drop everything not whitelisted?

this is a sample blrules to show what I'm trying to do - would this
work?:

------------------------------------------------------------------
#
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH
#                                     PORT     PORT(S)    DEST        LIMIT    GROUP

### WHITELIST BLOCK STARTS HERE ###

# system and specials
WHITELIST net:[2001:DB8::/64] all

# rest of whitelists
WHITELIST net:2.16.9.0/24 all
WHITELIST net:64.209.92.221/32 all

## END WHITELIST

### EXCLUSION BLOCK STARTS HERE ###

# EXCLUSION LIST FROM ABOVE WHITELISTING
# This is added AFTER the whitelist rules
# To remove the ranges from the whitelist
# When a whitelist block is added put the
# exclusions to it here

WHITELIST !2.16.9.1-2.16.9.128 all


### DROP BLOCK STARTS HERE ###

# THIS SECTION IS THE MAIN DROP LIST
# This drops everything not in the
# whitelist block - to be clear ...
# The exclusion block is dropped too

DROP net:0.0.0.0-255.255.255.255 all

--------------------------- END -----------------------------------

Will this work or can you see a way to do something similar?

thanks
jaz
Matt Darfeuille
2017-05-14 15:16:40 UTC
Post by misc02
Thanks Matt -
I'm not sure if I can do it the following way - I'm trying to keep
the blrules file as obvious as possible by separating the whitelist
from the excluded ranges within it. The idea is that this would make
it easy to just put in a new IP or IP range to DROP without having
to work out which CIDR block it is included in every time and
keep the lines short if multiple randoms need DROPping in a range
at later dates.
I.e., will my EXCLUSION block go back and remove that range
from the WHITELIST, and my DROP block drop everything not whitelisted?
I don't think you need exclusion.
Post by misc02
this is a sample blrules to show what I'm trying to do - would this
------------------------------------------------------------------
#
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH
#                                     PORT     PORT(S)    DEST        LIMIT    GROUP
### WHITELIST BLOCK STARTS HERE ###
# system and specials
WHITELIST net:[2001:DB8::/64] all
# rest of whitelists
WHITELIST net:2.16.9.0/24 all
WHITELIST net:64.209.92.221/32 all
## END WHITELIST
### EXCLUSION BLOCK STARTS HERE ###
# EXCLUSION LIST FROM ABOVE WHITELISTING
# This is added AFTER the whitelist rules
# To remove the ranges from the whitelist
# When a whitelist block is added put the
# exclusions to it here
WHITELIST !2.16.9.1-2.16.9.128 all
### DROP BLOCK STARTS HERE ###
# THIS SECTION IS THE MAIN DROP LIST
# This drops everything not in the
# whitelist block - to be clear ...
# The exclusion block is dropped too
DROP net:0.0.0.0-255.255.255.255 all
--------------------------- END -----------------------------------
Will this work or can you see a way to do something similar?
Everything that's not in the WHITELIST action will be DROPped.

Assuming I got that right, and based on your example (IPv4 only):

WHITELIST net:192.168.1.0/24 all
DROP net all

Any IPs from the net zone will be dropped except 192.168.1.0/24.


If you want a more flexible way to add or remove whitelisted IPs you
could do something like:
/etc/shorewall/params

NET_ALLOWED_IP=extra-whitelisted-ips

/etc/shorewall/blrules:

WHITELIST net:192.168.1.0/24,$NET_ALLOWED_IP
DROP net all

Only 192.168.1.0/24 and the value of '$NET_ALLOWED_IP' will be whitelisted.

or with ipset (you don't need the params file for this)

WHITELIST net:+ipset_name,192.168.1.0/24
DROP net all

Only 192.168.1.0/24 and the IPs specified in 'ipset_name' will be
whitelisted.

or be even more creative with conditional statements!!! :)
--
Matt Darfeuille
Matt Darfeuille
2017-05-14 16:52:52 UTC
To more directly answer your question:

You could do:

/etc/shorewall/blrules
# Change those values in the params file
WHITELIST $NET_ALLOWED_IP!$NET_EXCLUDE_IP
DROP net all


/etc/shorewall/params
# Blacklisting/Whitelisting
#
# Allowed IPs from net
#
NET_ALLOWED_IP=2.16.9.0/24
#
# Exclude those IPs from being whitelisted
#
NET_EXCLUDE_IP=2.16.9.1-2.16.9.128


The idea is to have the exclusion on the same line!
--
Matt Darfeuille
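As an added illustration (not code from this thread and not part of Shorewall), here is a small Python model of first-match evaluation over blrules entries. It assumes Shorewall's exclusion semantics, where a `!` in the SOURCE column means "everything except" (see the shorewall-exclusion manpage linked above), and checks what the draft with a separate exclusion line does versus Matt's same-line form for a source inside the excluded range, outside it but still in the /24, and elsewhere. The `net:` zone prefix on the draft's exclusion line and the sample source addresses are my assumptions.

```python
import ipaddress

# Constructed model of Shorewall blrules first-match evaluation (IPv4 only).
# Added illustration, not Shorewall code: SOURCE is modelled as
# "zone[:addr,addr[!excl,excl]]" where "!" means "everything except"
# (Shorewall exclusion syntax); a bare zone matches every address in it.

def parse_addr(spec):
    """One address: CIDR, single IP, or low-high range -> list of networks."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(spec, strict=False)]

def parse_source(source):
    """'net:2.16.9.0/24!2.16.9.1-2.16.9.128' -> (zone, include, exclude)."""
    zone, _, rest = source.partition(":")
    inc, _, exc = rest.partition("!")
    include = ([n for s in inc.split(",") for n in parse_addr(s)]
               if inc else [ipaddress.ip_network("0.0.0.0/0")])
    exclude = [n for s in exc.split(",") if s for n in parse_addr(s)]
    return zone, include, exclude

def evaluate(rules, ip, zone="net"):
    """Return the action of the first matching rule, or CONTINUE if none."""
    addr = ipaddress.ip_address(ip)
    for action, source in rules:
        rzone, include, exclude = parse_source(source)
        if rzone != zone:
            continue
        if any(addr in n for n in include) and not any(addr in n for n in exclude):
            return action
    return "CONTINUE"

# The draft from the thread, with the zone added (assumption) so the line parses.
DRAFT_RULES = [
    ("WHITELIST", "net:2.16.9.0/24"),
    ("WHITELIST", "net:!2.16.9.1-2.16.9.128"),  # matches everything EXCEPT the range
    ("DROP", "net"),
]
# Matt's single-line form: the exclusion is part of the same WHITELIST entry.
SAME_LINE_RULES = [
    ("WHITELIST", "net:2.16.9.0/24!2.16.9.1-2.16.9.128"),
    ("DROP", "net"),
]

if __name__ == "__main__":
    for ip in ("2.16.9.50", "2.16.9.200", "203.0.113.7"):  # constructed sample sources
        print(ip, "draft:", evaluate(DRAFT_RULES, ip),
              "same-line:", evaluate(SAME_LINE_RULES, ip))
```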