On 06/13/2017 01:35 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
> 
> I'd like to know how to rewrite my custom Drop action for Shorewall
> 5.1.
> 
> My goal is to add the SRC IP address of a remote host that tries to
> connect to an "unpublished"/unavailable port. To do that I created
> a custom DROP action and included it at the very end of my rules
> file.
> 
> Custom action:
> 
> # grep -v ^# /etc/shorewall/action.DROPBL | grep -v ^$
> ?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
> ?if passed(@1)
> ?if @1 eq 'audit'
> DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
> ?else
> ?error The first parameter to Drop must be 'audit' or '-'
> ?endif
> ?else
> DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
> ?endif
> COUNT
> ?if passed(@2)
> Auth(@2)
> ?endif
> AllowICMPs(@4)  -       -       icmp
> Broadcast(DROP,@1)
> Multicast(DROP,@1)
> Invalid(DROP,@1)
> SMB(@3)
> DropUPnP(@6)
> NotSyn(DROP,@1) -       -       tcp
> DropDNSrep(@5)
> ADD(POL_BL:src)
> 
> # grep DROP_DEFAULT /etc/shorewall/shorewall.conf 
> DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
> 
> # tail -n 1 /etc/shorewall/rules
> DROPBL:info:polbl       net4    all
> 
> # grep ^net4 /etc/shorewall/policy
> net4            $FW             DROP
> net4            loc             DROP
> net4            dmz             DROP
> net4            net3            DROP
> net4            net2            DROP
> net4            net1            DROP
> net4            all             DROP
> 
> First of all I was thinking of changing my rules file and replacing
> this line:
> 
> DROPBL:info:polbl       net4    all
> 
> with this other line:
> 
> ADD(POL_BL:src):info:polbl      net4    all
> 
> Would I get the same behavior, considering that the default policy
> is DROP? If that were the case I would not need to define the
> DROPBL custom action.
> 
> If not, how would I need to re-write my custom action?
> 
> I tried the solution to replace DROPBL with ADD and got the
> following results:
> 
> # grep LOGTAGONLY /etc/shorewall/shorewall.conf
> LOGTAGONLY=Yes
> 
> shorewall check shows:
> 
> WARNING: Log Prefix shortened to "Shorewall:polbl:ADD(POL_BL:s "
> 
> This is on a box with Shorewall 5.0.15.6. Despite the log tag issue
> the rest seems to be working as expected.
> 
> With shorewall 5.1.4.1 the log tag warning doesn't show up, but I'm
> still in the process of moving to that version.
> 

Since Shorewall 5.1.1, using a hacked up Drop action is no longer the
best way to accomplish what you are trying to do. The recommended way
is to define the net4->* policies to be BLACKLIST, and set
DYNAMIC_BLACKLIST to use the POL_BL ipset.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
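Tom's recommendation, spelled out as an added configuration example (this is not from the original post and not the Shorewall project's own files). It assumes the `ipset[,option...]:setname` form of DYNAMIC_BLACKLIST described in the Shorewall 5.1 shorewall.conf(5) page, keeps the POL_BL set name and the polbl log tag from Vieri's setup, and uses the policy file's SOURCE, DEST, POLICY, LOGLEVEL columns:

```ini
# /etc/shorewall/shorewall.conf (Shorewall 5.1.1 or later)
# Keep the dynamic blacklist in the POL_BL ipset rather than in a chain.
# Assumed syntax, from shorewall.conf(5):
#   DYNAMIC_BLACKLIST=ipset[-only][,option[,...]][:[setname][:log_level[:log_tag]]]
DYNAMIC_BLACKLIST=ipset:POL_BL

# /etc/shorewall/policy
# Every net4->* policy becomes BLACKLIST: the packet is dropped as with DROP,
# and its source address is added to the ipset named in DYNAMIC_BLACKLIST.
# The info:polbl log level replaces the DROPBL:info:polbl catch-all rule,
# which can then be deleted from /etc/shorewall/rules along with action.DROPBL.
#SOURCE         DEST            POLICY          LOGLEVEL
net4            $FW             BLACKLIST       info:polbl
net4            loc             BLACKLIST       info:polbl
net4            dmz             BLACKLIST       info:polbl
net4            net3            BLACKLIST       info:polbl
net4            net2            BLACKLIST       info:polbl
net4            net1            BLACKLIST       info:polbl
net4            all             BLACKLIST       info:polbl
```

Run `shorewall check` before reloading, as in the thread, so a mistyped DYNAMIC_BLACKLIST value is caught at compile time rather than at runtime; after a reload, `ipset list POL_BL` shows the addresses the BLACKLIST policies have collected.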