[Shorewall-users] Clarification on using blacklist
Ob Noxious
2016-09-29 22:54:51 UTC
Hi,

I'm currently using DYNAMIC_BLACKLIST=ipset and "shorewall show bl"
displays the contents of the ipset "SW_DBL4" as well as the contents of the
"dynamic" chain.

If I switch to "ipset-only" the only difference is the absence of the
"dynamic" chain contents.

Entries in "blrules" have their own private chain, and entries added with
"shorewall blacklist 1.2.3.4" always end up in the SW_DBL4 ipset.

So I wonder: What's the real difference between "ipset" and "ipset-only"?

I mean, I fail to see how to populate the "dynamic" chain when using either
of these options so in what do they differ?
--
ObNox
Tom Eastep
2016-09-29 23:28:18 UTC
Post by Ob Noxious
Hi,
I'm currently using DYNAMIC_BLACKLIST=ipset and "shorewall show
bl" displays the contents of the ipset "SW_DBL4" as well as the
contents of the "dynamic" chain.
If I switch to "ipset-only" the only difference is the absence of
the "dynamic" chain contents.
Entries in "blrules" have their own private chain, and entries added
with "shorewall blacklist 1.2.3.4" always end up in the SW_DBL4 ipset.
So I wonder: What's the real difference between "ipset" and
"ipset-only"?
I mean, I fail to see how to populate the "dynamic" chain when
using either of these options so in what do they differ?
You populate the dynamic chain with the 'drop', 'reject', 'logdrop'
and 'logreject' commands.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
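The distinction Tom draws is easy to lose sight of on a running box, because "shorewall show bl" prints both the ipset and the chain in one listing. The script below is an added example, not Shorewall's own code and not part of either poster's message: it reports, for one address, whether it sits in the SW_DBL4 ipset (filled by "shorewall blacklist") or in the "dynamic" chain (filled by "shorewall drop", "reject", "logdrop" and "logreject"), or both. The parsing helpers run offline on constructed listings; the live dbl_status path assumes root, iptables and ipset on PATH, IPv4, the default set name SW_DBL4, and addresses blacklisted as sources (no src-dst option).

```shell
#!/bin/sh
# Added example (not Shorewall project code): tell the two dynamic
# blacklists apart for one address.
#   shorewall blacklist ADDR                     -> ipset SW_DBL4
#   shorewall drop|reject|logdrop|logreject ADDR -> chain "dynamic"
# Assumptions: IPv4, default set name, address matched as source,
# iptables and ipset on PATH (only needed for the live check).

SET_NAME="${SET_NAME:-SW_DBL4}"

# Pure text helper: read "iptables -S dynamic" output on stdin and print
# the target of the first rule whose source is ADDR, or nothing.
# Rule lines look like:  -A dynamic -s 1.2.3.4/32 -j DROP
dynamic_chain_target() {
    awk -v addr="$1" '
        $1 == "-A" && $2 == "dynamic" {
            src = 0; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s" && ($(i+1) == addr || $(i+1) == addr "/32")) src = 1
                if ($i == "-j") tgt = $(i+1)
            }
            if (src && tgt != "") { print tgt; exit }
        }'
}

# Classify ADDR given the ipset members (one per line) and the chain rules.
# Prints one of: ipset, chain, both, none.
classify() {
    addr="$1"; members="$2"; rules="$3"
    in_set=0; in_chain=0
    printf '%s\n' "$members" | grep -qxF "$addr" && in_set=1
    [ -n "$(printf '%s\n' "$rules" | dynamic_chain_target "$addr")" ] && in_chain=1
    case "$in_set$in_chain" in
        11) echo both ;;
        10) echo ipset ;;
        01) echo chain ;;
        *)  echo none ;;
    esac
}

# Live check against the running firewall (needs root).
# "ipset save SET" prints one "add SET MEMBER [timeout N]" line per member.
dbl_status() {
    addr="$1"
    members=$(ipset save "$SET_NAME" 2>/dev/null | awk '$1 == "add" { print $3 }')
    rules=$(iptables -S dynamic 2>/dev/null)
    case "$(classify "$addr" "$members" "$rules")" in
        ipset) echo "$addr: in ipset $SET_NAME (shorewall blacklist)" ;;
        chain) echo "$addr: in chain dynamic, target" \
                    "$(printf '%s\n' "$rules" | dynamic_chain_target "$addr")" \
                    "(shorewall drop/reject/logdrop/logreject)" ;;
        both)  echo "$addr: in both $SET_NAME and chain dynamic" ;;
        none)  echo "$addr: not dynamically blacklisted" ;;
    esac
}

# Constructed sample listings (not captured from a real host) so the
# helpers can be exercised offline.
SAMPLE_RULES='-N dynamic
-A dynamic -s 1.2.3.4/32 -j DROP
-A dynamic -s 10.0.0.9/32 -j logreject'
SAMPLE_MEMBERS='5.6.7.8
1.2.3.4'

demo() {
    for a in 1.2.3.4 5.6.7.8 10.0.0.9 9.9.9.9; do
        echo "$a -> $(classify "$a" "$SAMPLE_MEMBERS" "$SAMPLE_RULES")"
    done
}

# With one argument, query the live firewall; otherwise run the offline demo.
if [ "$#" -eq 1 ]; then dbl_status "$1"; else demo; fi
```

Run it with no arguments to see the offline classification of the sample data, or as root with an address to query the live ipset and chain. Either kind of entry is removed again with "shorewall allow ADDR".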
Ob Noxious
2016-09-30 01:05:47 UTC
Post by Tom Eastep
Post by Ob Noxious
So I wonder: What's the real difference between "ipset" and
"ipset-only"?
I mean, I fail to see how to populate the "dynamic" chain when
using either of these options so in what do they differ?
You populate the dynamic chain with the 'drop', 'reject', 'logdrop'
and 'logreject' commands.
Thank you very much! Crystal clear now :)
--
ObNox