SHOREWALL6-BLACKLIS(5) [FIXME: manual] SHOREWALL6-BLACKLIS(5)NAME
blacklist - shorewall6 Blacklist file
SYNOPSIS
/etc/shorewall6/blacklist
DESCRIPTION
The blacklist file is used to perform static blacklisting by source
address (IP or MAC), or by application. The use of this file is
deprecated in favor of shorewall6-blrules[1](5), and beginning with
Shorewall 4.5.7, the blacklist file is no longer installed. Existing
blacklist files can be converted to a corresponding blrules file using
the shorewall6 update -b command.
The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used
in the alternate specification syntax).
ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset}
Host address, network address, MAC address, IP address range (if
your kernel and ip6tables contain iprange match support) or ipset
name prefaced by "+" (if your kernel supports ipset match).
Exclusion (shorewall6-exclusion[2](5)) is supported.
MAC addresses must be prefixed with "~" and use "-" as a separator.
Example: ~00-A0-C9-15-39-78
A dash ("-") in this column means that any source address will
match. This is useful if you want to blacklist a particular
application using entries in the PROTOCOL and PORTS columns.
PROTOCOL (proto) - {-|protocol-number|protocol-name}
Optional - if specified, must be a protocol number or a protocol
name from protocols(5).
PORTS (port) - {-|port-name-or-number[,port-name-or-number]...}
May only be specified if the protocol is TCP (6), UDP (17), DCCP
(33), SCTP (132) or UDPLITE (136). A comma-separated list of
destination port numbers or service names from services(5).
OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
Optional - added in 4.4.12. If specified, indicates whether traffic
from ADDRESS/SUBNET (src) or traffic to ADDRESS/SUBNET (dst) should
be blacklisted. The default is src. If the ADDRESS/SUBNET column is
empty, then this column has no effect on the generated rule.
Note
In Shorewall 4.4.12, the keywords from and to were used in
place of src and dst respectively. Blacklisting was still
restricted to traffic arriving on an interface that has the
'blacklist' option set. So to block traffic from your local
network to an internet host, you had to specify blacklist on
your internal interface in shorewall6-interfaces[3] (5).
Note
Beginning with Shorewall 4.4.13, entries are applied based on
the blacklist setting in shorewall6-zones[4](5):
1. 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
from this zone is passed against the entries in this file
that have the src option (specified or defaulted).
2. 'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic
to this zone is passed against the entries in this file
that have the dst option.
In Shorewall 4.4.20, the whitelist option was added. When whitelist
is specified, packets/connections that match the entry are not
matched against the remaining entries in the file.
The audit option was also added in 4.4.20 and causes packets
matching the entry to be audited. The audit option may not be
specified in whitelist entries and require AUDIT_TARGET support in
the kernel and ip6tables.
When a packet arrives on an interface that has the blacklist option
specified in shorewall6-interfaces[5](5), its source IP address and MAC
address is checked against this file and disposed of according to the
BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
shorewall6.conf[6](5). If PROTOCOL or PROTOCOL and PORTS are supplied,
only packets matching the protocol (and one of the ports if PORTS
supplied) are blocked.
EXAMPLE
Example 1:
To block DNS queries from address fe80::2a0:ccff:fedb:31c4:
#ADDRESS/SUBNET PROTOCOL PORT
fe80::2a0:ccff:fedb:31c4/ udp 53
Example 2:
To block some of the nuisance applications:
#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
FILES
/etc/shorewall6/blacklist
SEE ALSO
http://shorewall.net/blacklisting_support.htm
http://shorewall.net/configuration_file_basics.htm#Pairs
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)NOTES
1. shorewall6-blrules
http://www.shorewall.net/manpages6/shorewall6-blrules.html
2. shorewall6-exclusion
http://www.shorewall.net/manpages6/shorewall6-exclusion.html
3. shorewall6-interfaces
http://www.shorewall.net/manpages6/shorewall6-interfaces.html
4. shorewall6-zones
http://www.shorewall.net/manpages6/shorewall-zones.html
5. shorewall6-interfaces
http://www.shorewall.net/manpages6/shorewall-interfaces.html
6. shorewall6.conf
http://www.shorewall.net/manpages6/shorewall.conf.html
[FIXME: source] 12/19/2013 SHOREWALL6-BLACKLIS(5)
