Hi, I've been blacklisting hosts that try to access unpublished ports by simply adding the following to the very end of my rules file:
ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL all tcp,udp - !443,80,25 I'd rather not use the BLACKLIST policy and defining an ipset in DYNAMIC_BLACKLIST because I may have more than one ADD rule with different ipsets and parameters. So I like the ADD rule I mentioned above except that if I remove the trailing "tcp,udp - !443,80,25" then I get unwanted results such as: Shorewall:polbl:add2polbl:IN=enp9s6 [...] PROTO=TCP SPT=443 DPT=33046 WINDOW=249 RES=0x00 ACK PSH URGP=0 MARK=0x3 Shorewall:polbl:add2polbl:IN=enp9s5 [...] PROTO=TCP SPT=443 DPT=53763 WINDOW=252 RES=0x00 ACK URGP=0 MARK=0x2 Shorewall:polbl:add2polbl:IN=enp9s5 [...] PROTO=TCP SPT=443 DPT=43729 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2 Shorewall:polbl:add2polbl:IN=enp9s4 [...] PROTO=TCP SPT=25 DPT=42208 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x1 I need to allow ACK and RST packets. Is there a better way to write this (instead of explicitly specifying "!443,80,25")? Thanks, Vieri ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
