On 07/28/2018 07:05 AM, Vieri Di Paola via Shorewall-users wrote: > Hi, > > I've been blacklisting hosts that try to access unpublished ports by simply > adding the following to the very end of my rules file: > > ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL > all tcp,udp - !443,80,25 > > I'd rather not use the BLACKLIST policy and defining an ipset in > DYNAMIC_BLACKLIST because I may have more than one ADD rule with different > ipsets and parameters. > > So I like the ADD rule I mentioned above except that if I remove the trailing > "tcp,udp - !443,80,25" then I get unwanted results such as: > > Shorewall:polbl:add2polbl:IN=enp9s6 [...] PROTO=TCP SPT=443 DPT=33046 > WINDOW=249 RES=0x00 ACK PSH URGP=0 MARK=0x3 > Shorewall:polbl:add2polbl:IN=enp9s5 [...] PROTO=TCP SPT=443 DPT=53763 > WINDOW=252 RES=0x00 ACK URGP=0 MARK=0x2 > Shorewall:polbl:add2polbl:IN=enp9s5 [...] PROTO=TCP SPT=443 DPT=43729 > WINDOW=0 RES=0x00 RST URGP=0 MARK=0x2 > Shorewall:polbl:add2polbl:IN=enp9s4 [...] PROTO=TCP SPT=25 DPT=42208 WINDOW=0 > RES=0x00 RST URGP=0 MARK=0x1 > > I need to allow ACK and RST packets. > > Is there a better way to write this (instead of explicitly specifying > "!443,80,25")? > No.
-Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
