[Shorewall-users] Blacklisting, Round #2

Tom Eastep teastep@shorewall.net
Mon, 7 Jan 2002 17:34:32 -0800

I've done some experimentation with the technique that I proposed earlier.
While it certainly works, it exposes a weakness in Shorewall in that zones
with a large number of explicitly-specified hosts result in the INPUT,
multi2fw and FORWARD chains being very long :-(

While this is a problem that I would like to correct, it probably won't
happen until 1.3 at the earliest since it will require a fundamental
rethinking of the iptables structure. So I've relented on the question of
explicit Blacklist support in Shorewall which I propose to release as follows:

In /etc/shorewall/shorewall.conf:


    Specifies how you want blacklisted hosts treated.


    Specifies the level (if any) that you want blacklisted packets logged.
    Beware potential DOS attacks if you set this.

In /etc/shorewall/interfaces

    A new 'blacklist' option which causes packets arriving on this interface to
    be checked against the black list


    A list of hosts/subnets that you want to black list


Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
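An added illustration (not Shorewall's own code) of what the proposal above amounts to at the iptables level: a per-interface chain that checks the source address against the black list, applies the chosen disposition, and optionally logs. The chain name `blacklst`, the function `gen_blacklist_rules` and the sample host list are assumptions; the rules are printed rather than applied, and logging is rate-limited because of the DOS caveat in the post.

```shell
#!/bin/sh
# Illustration only: emits the iptables commands a per-interface blacklist
# chain would need. Not Shorewall's code; nothing is applied to a live host.

# Constructed sample black list (RFC 5737 documentation ranges).
BLACKLIST_HOSTS="192.0.2.10
198.51.100.0/24
203.0.113.7"

# gen_blacklist_rules IFACE DISPOSITION LOGLEVEL
#   IFACE        interface whose arriving packets are checked
#   DISPOSITION  how blacklisted hosts are treated: DROP or REJECT
#   LOGLEVEL     syslog level for blacklisted packets, empty for no logging
gen_blacklist_rules() {
    iface=$1; disp=$2; level=$3
    case "$disp" in
        DROP|REJECT) ;;
        *) echo "bad disposition: $disp" >&2; return 1 ;;
    esac
    echo "iptables -N blacklst"
    # One match rule per listed host/subnet (this is why long lists make
    # the chains long, as the post notes).
    echo "$BLACKLIST_HOSTS" | while read -r host; do
        [ -n "$host" ] || continue
        if [ -n "$level" ]; then
            # Rate-limited so a flood from a blacklisted source cannot
            # fill the log (the DOS concern behind the log-level option).
            echo "iptables -A blacklst -s $host -m limit --limit 5/min -j LOG --log-level $level --log-prefix 'blacklst:$disp:'"
        fi
        echo "iptables -A blacklst -s $host -j $disp"
    done
    # Hook the chain in front of INPUT and FORWARD for this interface only,
    # matching the 'blacklist' interface option in the proposal.
    echo "iptables -I INPUT -i $iface -j blacklst"
    echo "iptables -I FORWARD -i $iface -j blacklst"
}

gen_blacklist_rules eth0 DROP info
```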