On 2/12/19 2:39 AM, subscription2 via Shorewall-users wrote:
> I'm running Shorewall V 5.1.12.2 on the latest Ubuntu LTS version
>
> sudo ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether 00:50:56:3d:9b:af brd ff:ff:ff:ff:ff:ff
>     inet 173.212.231.229/24 brd 173.212.231.255 scope global ens18
>        valid_lft forever preferred_lft forever
>     inet6 fe80::250:56ff:fe3d:9baf/64 scope link
>        valid_lft forever preferred_lft forever
>
> ip route show
> default via 173.212.231.1 dev ens18 proto static
> 173.212.231.0/24 dev ens18 proto kernel scope link src 173.212.231.229
>
> I'm trying to follow this guide https://linux.die.net/man/5/shorewall-blrules and have a few questions.

That site seems to have quite old versions of the manpages. I recommend that you use the official Shorewall mirror closest to you (see http://www.shorewall.org/shorewall_mirrors.htm).

> 1) Setting BLACKLISTNEWONLY causes the following error when reloading.
>
> sudo shorewall refresh
> Compiling using Shorewall 5.1.12.2...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
>    ERROR: The BLACKLISTNEWONLY configuration option has been superceded - please run 'shorewall update' /etc/shorewall/shorewall.conf (line 288)
>
> Running 'shorewall update' removes this setting
>
> 2) The rule in my blrules files with a BLACKLIST="NEW,INVALID,UNTRACKED" setting doesn't seem to apply (i.e. connections from this IP address are still getting through)
>
> DROP net:185.211.245.170 all

Try 'shorewall reload' rather than 'shorewall refresh' (note that support for 'refresh' has been removed in Shorewall 5.2).

If connections from that IP are still not being dropped, then install the 'conntrack' package and use this command:

    conntrack -D -s 185.211.245.170

If connections are still getting through, then please forward the output of 'shorewall dump' as an attachment (you may send it directly to me).

Thanks,
-Tom

--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________________________________
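Putting Tom's steps together, as an added example that is not from the thread or from the Shorewall project: a small POSIX sh script that records the blrules entry once, runs 'shorewall reload', and then deletes the conntrack state for that source, since a BLACKLIST of NEW,INVALID,UNTRACKED never looks at packets of already-established flows. BLRULES and DRY_RUN are knobs assumed here so the script can be exercised without root or a running Shorewall.

```shell
#!/bin/sh
# Added example, not from the thread. BLRULES and DRY_RUN are assumed knobs.
BLRULES="${BLRULES:-/etc/shorewall/blrules}"
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY-RUN: $*"
    else
        "$@"
    fi
}

# Accept only a plain dotted-quad IPv4 address (no CIDR, no shell metacharacters).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Add "DROP net:<ip> all" to blrules (idempotently), reload, and flush existing flows.
blacklist_ip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    rule="DROP net:$ip all"
    if grep -Fxq "$rule" "$BLRULES" 2>/dev/null; then
        echo "already listed: $rule"
    else
        printf '%s\n' "$rule" >> "$BLRULES"
    fi
    # 'reload' (not 'refresh', which is gone in 5.2) recompiles and installs the ruleset.
    run shorewall reload || return 1
    # Established connections are not in the NEW/INVALID/UNTRACKED states that
    # blrules inspect, so delete their conntrack entries to cut them off now.
    run conntrack -D -s "$ip"
    # Verify: no remaining entries for this source means nothing slips past the rule.
    run conntrack -L -s "$ip"
}
```

Run it as `blacklist_ip 185.211.245.170` (the address from the thread); with DRY_RUN=1 it only prints the shorewall and conntrack commands it would execute.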