[Shorewall-users] Blacklisting, Round #2
Tue, 8 Jan 2002 08:33:02 +0100 (CET)
On Mon, 7 Jan 2002, Tom Eastep wrote:
> I've done some experimentation with the technique that I proposed earlier.
> While it certainly works, it exposes a weakness in Shorewall in that zones
> with a large number of explicitly-specified hosts result in the INPUT,
> multi2fw and FORWARD chains being very long :-(
And this is bad? For speed?
> While this is a problem that I would like to correct, it probably won't
> happen until 1.3 at the earliest since it will require a fundamental
> rethinking of the iptables structure. So I've relented on the question of
> explicit Blacklist support in Shorewall which I propose to release as follows:
> In /etc/shorewall/shorewall.conf:
> Specifies how you want blacklisted hosts treated.
> BLACKLIST_LOGLEVEL=[ <level> ]
> Specifies the level (if any) that you want blacklisted packets logged at.
> Beware potential DOS attacks if you set this.
> In /etc/shorewall/interfaces
> A new 'blacklist' option which causes packets arriving on this interface to
> be checked against the black list
> A list of hosts/subnets that you want to black list
Am I correct that the blacklisted hosts are now all on one separate
chain, and not in the INPUT and FORWARD chains anymore?
Pas op de muonen!
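As an added illustration of the one-chain layout asked about above (example shell script, not Shorewall's own code): it emits iptables-restore text in which every blacklisted host sits in a single chain and INPUT/FORWARD carry only one jump per blacklisted interface. The chain name, the argument layout and the rate limit on the LOG rule are assumptions, not taken from the proposal.

```shell
# gen_blacklist_rules DISPOSITION LOGLEVEL "iface ..." "host ..."
# Prints iptables-restore text; nothing is loaded into the kernel.
gen_blacklist_rules() {
    disposition=$1      # DROP or REJECT (BLACKLIST_DISPOSITION in the proposal)
    loglevel=$2         # syslog level, empty = no logging (BLACKLIST_LOGLEVEL)
    ifaces=$3           # interfaces carrying the 'blacklist' option
    hosts=$4            # hosts/subnets from the black list

    echo '*filter'
    echo ':blacklst - [0:0]'   # chain name is an assumption

    # One jump per blacklisted interface: INPUT and FORWARD each grow by
    # a single rule, however long the black list is.
    for i in $ifaces; do
        echo "-A INPUT -i $i -j blacklst"
        echo "-A FORWARD -i $i -j blacklst"
    done

    # All per-host matching lives in the one blacklst chain.
    for h in $hosts; do
        if [ -n "$loglevel" ]; then
            # Rate-limited so a flood from a blacklisted source cannot fill
            # the log (the DoS concern raised above); limit value is an assumption.
            echo "-A blacklst -s $h -m limit --limit 5/min -j LOG --log-level $loglevel --log-prefix Shorewall:blacklst:"
        fi
        echo "-A blacklst -s $h -j $disposition"
    done
    echo 'COMMIT'
}

# Constructed sample input: two blacklisted networks, one interface, no logging.
gen_blacklist_rules DROP "" "eth0" "192.0.2.1 198.51.100.0/24"
```

Feed the output to `iptables-restore -n` on a test box to check the syntax before relying on it.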