[Shorewall-users] Blacklisting, Round #2

Tom Eastep teastep@shorewall.net
Tue, 8 Jan 2002 06:04:32 -0800


On Monday 07 January 2002 11:33 pm, Pieter Ennes wrote:

> > with a large number of explicitly-specified hosts result in
> > the INPUT, multi2fw and FORWARD chains being very long :-(
>
> And this is bad? For speed?

Yes. Plus a lot of traffic that isn't involved with the internet interface
has to pass through those rules.

>
> Am I correct if the blacklisted hosts are now just all on one separate
> chain, and not the INPUT and FORWARD chains anymore?

Yes -- here's what it looks like:

[root@gateway shorewall]# shorewall show INPUT
Shorewall-1.2.1 Chain INPUT at gateway.shorewall.net - Tue Jan  8 06:01:19 PST 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 logpkt     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean
20056   13M rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
20056   13M blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3  1232 ACCEPT     udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
    0     0 multi2fw   all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
20053   13M net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
44348 2461K loc2fw     all  --  eth2   *       192.168.1.0/24       0.0.0.0/0
   15  2735 dmz2fw     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  105  8820 tx2fw      all  --  texas  *       192.168.9.0/24       0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

[root@gateway shorewall]# shorewall show blacklst
Shorewall-1.2.1 Chain blacklst at gateway.shorewall.net - Tue Jan  8 06:01:24 PST 2002

Chain blacklst (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       62.64.157.230        0.0.0.0/0
   15   420 DROP       all  --  *      *       206.124.146.174      0.0.0.0/0
    0     0 DROP       all  --  *      *       208.13.134.210       0.0.0.0/0
    0     0 DROP       all  --  *      *       209.67.231.231       0.0.0.0/0
    0     0 DROP       all  --  *      *       213.68.102.251       0.0.0.0/0
[root@gateway shorewall]#

There's a similar entry in the FORWARD chain for eth0 (I won't show the whole
chain):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   116 logpkt     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0          unclean
62167 5187K rfc1918    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
62167 5187K blacklst   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 7571  580K net2loc    all  --  eth0   eth2    0.0.0.0/0            192.168.1.0/24
...

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------
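An added example, not part of Tom's message or of Shorewall's own code: a POSIX shell function that emits an iptables-restore fragment with the layout shown above, every DROP in one "blacklst" chain and a single jump to it from INPUT and FORWARD on the internet interface, so N blacklisted hosts cost N+2 rules instead of 2N spread across both built-in chains. The interface name, the one-address-per-line file format and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: generate an iptables-restore
# fragment that mirrors the chain layout in the message. Each blacklisted
# host gets one DROP rule in a dedicated "blacklst" chain; INPUT and FORWARD
# each carry a single jump to it, restricted to the internet-facing
# interface, so packets from lo, the local LAN or the DMZ never walk the list.

# blacklist_rules <external-iface> <blacklist-file>
# Prints the filter-table rules to stdout. The file holds one IPv4 address
# or CIDR per line; blank lines and '#' comments are skipped (assumed format).
blacklist_rules() {
    iface=$1
    file=$2
    echo '*filter'
    echo ':blacklst - [0:0]'
    echo "-A INPUT -i $iface -j blacklst"
    echo "-A FORWARD -i $iface -j blacklst"
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in
            ''|'#'*) continue ;;
        esac
        echo "-A blacklst -s $host -j DROP"
    done < "$file"
    echo 'COMMIT'
}

# rules_in_chain <chain>
# Reads generated rules on stdin and prints how many '-A <chain>' lines
# it contains (0 when none; grep's non-zero status is ignored on purpose).
rules_in_chain() {
    grep -c "^-A $1 " || true
}

# Constructed sample blacklist; the addresses are documentation ranges,
# not the hosts from the message.
BLACKLIST_FILE=$(mktemp)
cat > "$BLACKLIST_FILE" <<'EOF'
# hosts to drop on the way in from the internet
198.51.100.7
203.0.113.42
192.0.2.0/28
EOF

# Review the output before loading it with iptables-restore (root required).
blacklist_rules eth0 "$BLACKLIST_FILE"
```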