[Shorewall-users] Blacklisting, Round #2

Pieter Ennes pieter@bankastraat.dhs.org
Tue, 8 Jan 2002 08:33:02 +0100 (CET)


On Mon, 7 Jan 2002, Tom Eastep wrote:

Hi Tom,

> I've done some experimentation with the technique that I proposed earlier.
> While it certainly works, it exposes a weakness in Shorewall in that zones
> with a large number of explicitly-specified hosts result in the INPUT,
> multi2fw and FORWARD chains being very long :-(

And this is bad? For speed?

> While this is a problem that I would like to correct, it probably won't
> happen until 1.3 at the earliest since it will require a fundamental
> rethinking of the iptables structure. So I've relented on the question of
> explicit Blacklist support in Shorewall which I propose to release as follows:
>
> In /etc/shorewall/shorewall.conf:
>
> 	BLACKLIST_DISPOSITION={DROP|REJECT}
>
> 	Specifies how you want blacklisted hosts treated.
>
> 	BLACKLIST_LOGLEVEL=[ <level> ]
>
> 	Specifies the level (if any) that you want blacklisted packets logged at.
> 	Beware potential DOS attacks if you set this.
>
> In /etc/shorewall/interfaces
>
> 	A new 'blacklist' option which causes packets arriving on this interface to
> 	be checked against the black list
>
> /etc/shorewall/blacklist
>
> 	A list of hosts/subnets that you want to black list

Am I correct that the blacklisted hosts are now just all on one separate
chain, and not in the INPUT and FORWARD chains anymore?

Bye, Pieter.

-- 
 Watch out for the muons!
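Added example (not Shorewall's own code, and not from Tom or Pieter): a small Python model of the separate-chain layout Pieter is asking about. It takes the three inputs from the quoted proposal (the two shorewall.conf settings, an interfaces file in which some interfaces carry the 'blacklist' option, and the blacklist host list), emits the iptables commands such a layout would need, and counts rules so the chain lengths can be compared with putting the per-host rules straight into INPUT and FORWARD. The chain name `blacklst`, the interfaces file layout (ZONE INTERFACE BROADCAST OPTIONS), the log prefix, and the `limit` match on the LOG rule are assumptions; the sample addresses are constructed from documentation ranges.

```python
"""Model of a separate blacklist chain driven by the three inputs Tom
describes. Added example, not Shorewall code; chain name, file layout,
log prefix and rate limit are assumptions."""
import ipaddress


def parse_blacklist(text):
    """Parse /etc/shorewall/blacklist-style host/subnet entries.

    '#' comments and blank lines are ignored; every entry must be a valid
    IPv4/IPv6 address or network, otherwise ValueError is raised, so a
    typo cannot silently become a rule that matches nothing.
    """
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(str(ipaddress.ip_network(line, strict=False)))
    return hosts


def parse_interfaces(text):
    """Return the interfaces whose OPTIONS field carries 'blacklist'.

    Assumed layout: ZONE INTERFACE BROADCAST OPTIONS (comma-separated).
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 4 and "blacklist" in fields[3].split(","):
            names.append(fields[1])
    return names


def build_rules(conf, interfaces, hosts, chain="blacklst"):
    """Return {chain_name: [iptables rule strings]} for the separate-chain design.

    Per-host rules live only in `chain`; INPUT and FORWARD get one jump per
    blacklisted interface, whatever the size of the host list.
    """
    disposition = conf.get("BLACKLIST_DISPOSITION", "DROP")
    if disposition not in ("DROP", "REJECT"):
        raise ValueError("BLACKLIST_DISPOSITION must be DROP or REJECT")
    loglevel = conf.get("BLACKLIST_LOGLEVEL", "").strip()
    rules = {chain: [], "INPUT": [], "FORWARD": []}
    for host in hosts:
        if loglevel:
            # Assumption: a limit match on the LOG rule, so a flood from a
            # blacklisted source cannot fill the log (the DoS concern raised
            # in the proposal).
            rules[chain].append(
                f"-A {chain} -s {host} -m limit --limit 10/min "
                f"-j LOG --log-level {loglevel} "
                f'--log-prefix "Shorewall:{chain}:{disposition}:"'
            )
        rules[chain].append(f"-A {chain} -s {host} -j {disposition}")
    for iface in interfaces:
        for top in ("INPUT", "FORWARD"):
            rules[top].append(f"-I {top} -i {iface} -j {chain}")
    return rules


def inline_rule_count(interfaces, hosts, loglevel=""):
    """Rules the inline layout would add to INPUT and FORWARD together:
    one (or two, with logging) per host, per blacklisted interface, per chain."""
    per_host = 2 if loglevel else 1
    return 2 * len(interfaces) * len(hosts) * per_host


# Constructed sample inputs (documentation address ranges).
SAMPLE_CONF = {"BLACKLIST_DISPOSITION": "DROP", "BLACKLIST_LOGLEVEL": "info"}
SAMPLE_INTERFACES = """\
# ZONE  INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     blacklist,norfc1918
loc     eth1       detect     routestopped
"""
SAMPLE_BLACKLIST = """\
192.0.2.0/24      # constructed
198.51.100.17     # constructed
2001:db8::/32     # constructed
"""

if __name__ == "__main__":
    hosts = parse_blacklist(SAMPLE_BLACKLIST)
    ifaces = parse_interfaces(SAMPLE_INTERFACES)
    rules = build_rules(SAMPLE_CONF, ifaces, hosts)
    print("iptables -N blacklst")
    for name in ("blacklst", "INPUT", "FORWARD"):
        for r in rules[name]:
            print("iptables", r)
        print(f"# {name}: {len(rules[name])} rules")
    print("# inline layout would add", inline_rule_count(ifaces, hosts, "info"),
          "rules to INPUT+FORWARD")
```

The comparison is only about rule counts: with a separate chain, INPUT and FORWARD grow by one jump per blacklisted interface while the host rules are evaluated once in `blacklst`; inline, every host is repeated in both chains for every such interface. Whether Shorewall's implementation takes this shape is a question for Tom's reply, not something the model establishes.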