[Shorewall-users] Blacklisting, Round #2

Tom Eastep teastep@shorewall.net
Mon, 7 Jan 2002 17:34:32 -0800


I've done some experimentation with the technique that I proposed earlier.
While it certainly works, it exposes a weakness in Shorewall in that zones
with a large number of explicitly-specified hosts result in the INPUT,
multi2fw and FORWARD chains being very long :-(

While this is a problem that I would like to correct, it probably won't
happen until 1.3 at the earliest since it will require a fundamental
rethinking of the iptables structure. So I've relented on the question of
explicit Blacklist support in Shorewall which I propose to release as follows:

In /etc/shorewall/shorewall.conf:

	BLACKLIST_DISPOSITION={DROP|REJECT}

	Specifies how you want blacklisted hosts treated.

	BLACKLIST_LOGLEVEL=[ <level> ]

	Specifies the level (if any) that you want blacklisted packets logged at.
	Beware potential DOS attacks if you set this.

In /etc/shorewall/interfaces

	A new 'blacklist' option which causes packets arriving on this interface to
	be checked against the black list

/etc/shorewall/blacklist

	A list of hosts/subnets that you want to black list

Comments?

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------
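An added illustration of the proposal above (example code written for this page, not Shorewall's own implementation): it parses a blacklist file of the form described, rejects malformed entries instead of emitting a broken rule, and generates iptables commands honouring BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL. The chain name "blacklst", the INPUT/FORWARD hook points, the sample entries and the rate limit on the LOG rule (which addresses the log-flooding DOS concern the post mentions) are assumptions of this example.

```python
import ipaddress

# Constructed sample /etc/shorewall/blacklist content (not from the post).
SAMPLE_BLACKLIST = """\
# hosts/subnets to black list
192.0.2.17
198.51.100.0/24
203.0.113.0/25   # trailing comment
not-an-address
"""

def parse_blacklist(text):
    """Return (networks, rejected) from blacklist-file text.
    Blank lines and '#' comments are ignored; entries that are not a valid
    host or subnet are reported rather than silently turned into a rule."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def blacklist_rules(networks, disposition="DROP", loglevel=None,
                    interface="eth0", chain="blacklst", log_limit="5/min"):
    """Emit iptables commands for a blacklist chain checked on one interface.
    disposition maps to BLACKLIST_DISPOSITION (DROP or REJECT); loglevel, when
    set, maps to BLACKLIST_LOGLEVEL and adds a LOG rule per entry. The LOG rule
    is rate-limited with -m limit (assumed mitigation) so that a flood from a
    blacklisted source cannot fill the logs."""
    if disposition not in ("DROP", "REJECT"):
        raise ValueError("BLACKLIST_DISPOSITION must be DROP or REJECT")
    rules = [f"iptables -N {chain}",
             f"iptables -A INPUT -i {interface} -j {chain}",
             f"iptables -A FORWARD -i {interface} -j {chain}"]
    for net in networks:
        if loglevel:
            rules.append(f"iptables -A {chain} -s {net} -m limit --limit {log_limit} "
                         f"-j LOG --log-level {loglevel} "
                         f"--log-prefix 'Shorewall:{chain}:{disposition}:'")
        rules.append(f"iptables -A {chain} -s {net} -j {disposition}")
    return rules

if __name__ == "__main__":
    nets, bad = parse_blacklist(SAMPLE_BLACKLIST)
    print("\n".join(blacklist_rules(nets, "REJECT", loglevel="info")))
    print("rejected entries:", bad)
```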