[Shorewall-users] Blacklist from command line
Ob Noxious
2016-06-05 00:31:44 UTC
Hi,

I wonder if I'm doing something wrong because I really can't figure out the
reason preventing Shorewall from being able to blacklist from the command
line

Shell# shorewall blacklist 1.2.3.4
ERROR: The blacklist command is not supported in the current Shorewall
configuration

If I repeat the operation (and again and again...), I get the same message
with an additional warning (obviously, the PID changes every time):
WARNING: Stale lockfile /var/lib/shorewall/lock from pid 1191 removed
ERROR: The blacklist command is not supported in the current Shorewall
configuration

/etc/shorewall/shorewall.conf looks like this: (basically default settings
with few tweaks)

STARTUP_ENABLED=Yes
VERBOSITY=0
LOG_VERBOSITY=0
LOGLIMIT=2/sec
LOGFILE=/var/log/firewall.log
LOGTAGONLY=Yes
LOG_MARTIANS=Keep
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
INVALID_LOG_LEVEL=info:,Invalid
IP_FORWARDING=Yes
SHOREWALL_SHELL=/bin/sh
ADD_IP_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOHELPERS=No
CHAIN_SCRIPTS=No
DISABLE_IPV6=Yes
EXPAND_POLICIES=Yes
HELPERS=none
LOAD_HELPERS_ONLY=Yes
MARK_IN_FORWARD_CHAIN=Yes
MUTEX_TIMEOUT=30
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=Yes
ROUTE_FILTER=Yes

What am I missing?

Of course, using "blrules" file poses no problem and there are 2~3 entries
there.

--
ObNox
Tom Eastep
2016-06-05 14:04:29 UTC
On 06/04/2016 05:31 PM, Ob Noxious wrote:
> Hi,
>
> I wonder if I'm doing something wrong because I really can't figure out
> the reason preventing Shorewall from being able to blacklist from the
> command line
>
> Shell# shorewall blacklist 1.2.3.4
> ERROR: The blacklist command is not supported in the current
> Shorewall configuration
>
> If I repeat the operation (and again and again...), I get the same
> message with an additional warning : (obviously, the PID changes every time)
> WARNING: Stale lockfile /var/lib/shorewall/lock from pid 1191 removed
> ERROR: The blacklist command is not supported in the current
> Shorewall configuration
>
> /etc/shorewall/shorewall.conf looks like this: (basically default
> settings with few tweaks)
>
> STARTUP_ENABLED=Yes
> VERBOSITY=0
> LOG_VERBOSITY=0
> LOGLIMIT=2/sec
> LOGFILE=/var/log/firewall.log
> LOGTAGONLY=Yes
> LOG_MARTIANS=Keep
> MACLIST_LOG_LEVEL=info
> RELATED_LOG_LEVEL=info
> SMURF_LOG_LEVEL=info
> TCP_FLAGS_LOG_LEVEL=info
> INVALID_LOG_LEVEL=info:,Invalid
> IP_FORWARDING=Yes
> SHOREWALL_SHELL=/bin/sh
> ADD_IP_ALIASES=No
> ADMINISABSENTMINDED=Yes
> AUTOHELPERS=No
> CHAIN_SCRIPTS=No
> DISABLE_IPV6=Yes
> EXPAND_POLICIES=Yes
> HELPERS=none
> LOAD_HELPERS_ONLY=Yes
> MARK_IN_FORWARD_CHAIN=Yes
> MUTEX_TIMEOUT=30
> OPTIMIZE=All
> OPTIMIZE_ACCOUNTING=Yes
> ROUTE_FILTER=Yes
>
> What am I missing?
>

You are missing a great many settings in shorewall.conf - in this case,
DYNAMIC_BLACKLIST=ipset will allow dynamic blacklisting (as is
documented in shorewall(8)).

If the above is truly what your shorewall.conf looks like, I suggest
'shorewall update' to populate the file fully.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ob Noxious
2016-06-06 03:53:33 UTC
On Sun, Jun 5, 2016 at 4:04 PM, Tom Eastep <***@shorewall.net> wrote:

> You are missing a great many settings in shorewall.conf - in this case,
> DYNAMIC_BLACKLIST=ipset will allow dynamic blacklisting (as is
> documented in shorewall(8)).
>

Ok I'll look into that. Thanks


> If the above is truly what your shorewall.conf looks like, I suggest
> 'shorewall update' to populate the file fully.
>

I'm a bit confused here. Reading through "shorewall.conf.annotated", quite
all settings mention the following statement "If not specified, then XXX is
assumed." which is the reason why my "shorewall.conf" is only using
settings I need to be different from default or I may have to change from
time to time for specific situations.

This leads me to a nice and easily readable 45 lines "shorewall.conf"
including few comments instead of a 245 lines full blown and less easy to
read configuration file.

Are you saying that all settings must be specified in shorewall.conf no
matter what?


Matt Darfeuille
2016-06-06 17:24:00 UTC
On 6 Jun 2016 at 5:53, Ob Noxious wrote:

>
> On Sun, Jun 5, 2016 at 4:04 PM, Tom Eastep <***@shorewall.net>
> wrote:
>
> You are missing a great many settings in shorewall.conf - in this
> case,
> DYNAMIC_BLACKLIST=ipset will allow dynamic blacklisting (as is
> documented in shorewall(8)).
>
> Ok I'll look into that. Thanks
>  
> If the above is truly what your shorewall.conf looks like, I suggest
> 'shorewall update' to populate the file fully.
>
> I'm a bit confused here. Reading through "shorewall.conf.annotated",
> quite all settings mention the following statement "If not specified,
> then XXX is assumed." which is the reason why my "shorewall.conf" is
> only using settings I need to be different from default or I may have
> to change from time to time for specific situations.
>
> This leads me to a nice and easily readable 45 lines "shorewall.conf"
> including few comments instead of a 245 lines full blown and less
> easy to read configuration file.
>
> Are you saying that all settings must be specified in shorewall.conf
> no matter what?
>

Yes -- all variables need to be in shorewall.conf, but you don't need
to specify a value after the equals sign (not specified = if a value
is not specified, then the default value of ... is assumed).

-Matt
Tom Eastep
2016-06-06 19:42:46 UTC
On 06/06/2016 10:24 AM, Matt Darfeuille wrote:
> On 6 Jun 2016 at 5:53, Ob Noxious wrote:
>
>>
>> On Sun, Jun 5, 2016 at 4:04 PM, Tom Eastep <***@shorewall.net>
>> wrote:
>>
>> You are missing a great many settings in shorewall.conf - in this
>> case,
>> DYNAMIC_BLACKLIST=ipset will allow dynamic blacklisting (as is
>> documented in shorewall(8)).
>>
>> Ok I'll look into that. Thanks
>>
>> If the above is truly what your shorewall.conf looks like, I suggest
>> 'shorewall update' to populate the file fully.
>>
>> I'm a bit confused here. Reading through "shorewall.conf.annotated",
>> quite all settings mention the following statement "If not specified,
>> then XXX is assumed." which is the reason why my "shorewall.conf" is
>> only using settings I need to be different from default or I may have
>> to change from time to time for specific situations.
>>
>> This leads me to a nice and easily readable 45 lines "shorewall.conf"
>> including few comments instead of a 245 lines full blown and less
>> easy to read configuration file.
>>
>> Are you saying that all settings must be specified in shorewall.conf
>> no matter what?
>>
>
> Yes -- all variables need to be in shorewall.conf, but you don't need
> to specify a value after the equals sign (not specified = if a value
> is not specified, then the default value of ... is assumed).
>

Actually, it isn't necessary to list options that you don't set. The
compiler will assign default values to those that don't appear in the file.

-Tom
Ob Noxious
2016-06-09 03:55:43 UTC
On Mon, Jun 6, 2016 at 9:42 PM, Tom Eastep <***@shorewall.net> wrote:

> > Yes -- all variables need to be in shorewall.conf, but you don't need
> > to specify a value after the equals sign (not specified = if a value
> > is not specified, then the default value of ... is assumed).
> >
>
> Actually, it isn't necessary to list options that you don't set. The
> compiler will assign default values to those that don't appear in the file.
>

So, actually, I'm not "[...] missing a great many settings in
shorewall.conf" as stated before, right? As long as I'm aware that I must
check the changelog and/or shorewall.conf upon every version update to see
if the "default" value for a new setting suits my needs.

Ok, now that that's clarified, I made a new attempt, but I'm having a
not-so-good experience with blacklisting... I'm using Shorewall 5.0.8.

Scenario 1 : "DYNAMIC_BLACKLIST=ipset" in "shorewall.conf" :

Shell# shorewall restart
Compiling using Shorewall 5.0.8...
Use of uninitialized value $rawlevel in uc at
/usr/share/shorewall/Shorewall/Config.pm line 3824.
Resetting....
Shorewall configuration compiled to /var/lib/shorewall/.restart
Reloading Shorewall....done.

Shell# shorewall reload
Compiling using Shorewall 5.0.8...
Use of uninitialized value $rawlevel in uc at
/usr/share/shorewall/Shorewall/Config.pm line 3824.
Resetting....
Shorewall configuration compiled to /var/lib/shorewall/.reload
Reloading Shorewall....done.

Shell# shorewall blacklist 1.2.3.4
<no_output>

Shell# shorewall show bl
Shorewall 5.0.8 blacklist chains at orthanc - jeudi 9 juin 2016, 05:49:13
(UTC+0200)

Dynamic:
1.2.3.4 timeout 0 packets 0 bytes 0

Chain dynamic (10 references)
pkts bytes target prot opt in out source
destination

Seems good. Now, how to remove the entry?

Shell# shorewall allow 1.2.3.4
1.2.3.4 Not Dropped or Rejected

I can only remove the entry with "ipset del SW_DBL4 1.2.3.4" which is not
that convenient.

I've read http://shorewall.net/blacklisting_support.htm and it seems to
focus on "DYNAMIC_BLACKLIST=Yes" rather than "ipset"

What is the proper (and possibly friendly) way of using dynamic
blacklisting in Shorewall?

Thanks.

Tom Eastep
2016-06-09 13:25:05 UTC
On 06/08/2016 08:55 PM, Ob Noxious wrote:
> On Mon, Jun 6, 2016 at 9:42 PM, Tom Eastep <***@shorewall.net
> <mailto:***@shorewall.net>> wrote:
>
> > Yes -- all variables need to be in shorewall.conf, but you don't need
> > to specify a value after the equals sign (not specified = if a value
> > is not specified, then the default value of ... is assumed).
> >
>
> Actually, it isn't necessary to list options that you don't set. The
> compiler will assign default values to those that don't appear in
> the file.
>
>
> So, actually, I'm not "[...] missing a great many settings in
> shorewall.conf" as stated before, right? As long as I'm aware that I must
> check the changelog and/or shorewall.conf upon every version update to
> see if the "default" value for a new setting suits my needs.
>
> Ok, now that that's clarified, I made a new attempt, but I'm having a
> not-so-good experience with blacklisting... I'm using Shorewall 5.0.8.
>
> Scenario 1 : "DYNAMIC_BLACKLIST=ipset" in "shorewall.conf" :
>
> Shell# shorewall restart
> Compiling using Shorewall 5.0.8...
> Use of uninitialized value $rawlevel in uc at
> /usr/share/shorewall/Shorewall/Config.pm line 3824.
> Resetting....
> Shorewall configuration compiled to /var/lib/shorewall/.restart
> Reloading Shorewall....done.
>
> Shell# shorewall reload
> Compiling using Shorewall 5.0.8...
> Use of uninitialized value $rawlevel in uc at
> /usr/share/shorewall/Shorewall/Config.pm line 3824.
> Resetting....
> Shorewall configuration compiled to /var/lib/shorewall/.reload
> Reloading Shorewall....done.
>
> Shell# shorewall blacklist 1.2.3.4
> <no_output>
>
> Shell# shorewall show bl
> Shorewall 5.0.8 blacklist chains at orthanc - jeudi 9 juin 2016,
> 05:49:13 (UTC+0200)
>
> Dynamic:
> 1.2.3.4 timeout 0 packets 0 bytes 0
>
> Chain dynamic (10 references)
> pkts bytes target prot opt in out source
> destination
>
> Seems good. Now, how to remove the entry?
>
> Shell# shorewall allow 1.2.3.4
> 1.2.3.4 Not Dropped or Rejected
>
> I can only remove the entry with "ipset del SW_DBL4 1.2.3.4" which is
> not that convenient.
>
> I've read http://shorewall.net/blacklisting_support.htm and it seems to
> focus on "DYNAMIC_BLACKLIST=Yes" rather than "ipset"
>
> What is the proper (and possibly friendly) way of using dynamic
> blacklisting in Shorewall?
>

Shorewall does not currently provide a means for removing an address
from the ipset-based blacklist.

-Tom
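The thread ends with Tom's note that Shorewall 5.0.8 offers no command to take an address back out of the ipset-based dynamic blacklist, and the only way shown is the raw "ipset del SW_DBL4 1.2.3.4". The POSIX shell helper below is an added example written for this page; it is not part of the thread and not Shorewall's own code. It assumes the set name SW_DBL4 that appears in the thread for IPv4 (override with the SW_DBL_SET environment variable), validates the address before touching the set, checks membership with "ipset test" first so a typo cannot silently succeed, and records the removal via logger. The ipset subcommands used (test, del, list) are standard ipset; the dbl_* function names are the example's own.

```shell
#!/bin/sh
# Added example: safe removal from Shorewall's ipset-based dynamic blacklist.
# Assumes the IPv4 set is named SW_DBL4 (the name seen in the thread).
SW_DBL_SET="${SW_DBL_SET:-SW_DBL4}"

# valid_ipv4 ADDR -> returns 0 only for a dotted-quad IPv4 address.
# Rejects anything but digits and dots, empty octets, and octets > 255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dbl_remove_cmd ADDR -> prints the exact ipset command that would be run,
# without running it (useful for review or dry runs).
dbl_remove_cmd() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    printf 'ipset del %s %s\n' "$SW_DBL_SET" "$1"
}

# dbl_remove ADDR -> removes ADDR from the set if it is a member.
# Needs root and the ipset binary; returns 1 if ADDR is not in the set.
dbl_remove() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    if ipset test "$SW_DBL_SET" "$1" 2>/dev/null; then
        ipset del "$SW_DBL_SET" "$1" || return 1
        logger -t dbl "removed $1 from $SW_DBL_SET"
    else
        echo "$1 is not in $SW_DBL_SET" >&2
        return 1
    fi
}

# dbl_list -> shows the current members of the set (what 'shorewall show bl'
# prints under "Dynamic:" in the thread).
dbl_list() {
    ipset list "$SW_DBL_SET"
}

# Minimal dispatcher so the file can also be run as a script:
#   sh dbl.sh remove 1.2.3.4      # remove an entry
#   sh dbl.sh dry-run 1.2.3.4     # print the command only
#   sh dbl.sh list                # show the set
case "${1:-}" in
    remove)  dbl_remove "$2" ;;
    dry-run) dbl_remove_cmd "$2" ;;
    list)    dbl_list ;;
esac
```

Pair this with "shorewall blacklist ADDR" for additions and "shorewall show bl" to confirm the result; the membership test before deletion is what keeps an operator from believing an address was unblocked when it never was in the set.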