Hi everybody,

I have 2 Linux servers, each with Shorewall installed.
One is Shorewall 4.6.4.3 (Debian Jessie) and the other is 5.2.3.4 (Ubuntu 20.04 LTS).
Shorewall is OK and running on each server :)

I enabled the 'BLACKLIST' feature in the "blrules" file with an IPSET containing
the subnets that I want to blacklist... I have exactly the same configuration
in the "blrules" file on each Shorewall installation:

BLACKLIST            net:+MYIPSET1        all
BLACKLIST            net:+MYIPSET2        all
BLACKLIST            net:+MYIPSET3        all
BLACKLIST            net:+MYIPSET4        all

=> On 4.6.4.3, when I enter "shorewall show bl" I get an answer with many lines:

shorewall show bl
Shorewall 4.6.4.3 blacklist chains at zeus.sonixtra.net - jeudi 29 avril 2021, 10:42:07 (UTC+0200)
Chain dynamic (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain net-fw~ (1 references)
 pkts bytes target     prot opt in     out     source               destination
  620 32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
  155  7526 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET2 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET3 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET4 src /* BLACKLIST */

=> On 5.2.3.4, when I enter "shorewall show bl" I get an empty answer:

shorewall show bl
Shorewall 5.2.3.4 blacklist chains at Stamina-Filer - jeu. 29 avril 2021 11:03:36 CEST
Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

=> So, if I check in IPTABLES, I get these lines for the 4.6.4.3 version:

iptables -L -v | grep blacklog
Chain blacklog (4 references)
  892 47437 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET1 src /* BLACKLIST */
  207 10010 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET2 src /* BLACKLIST */
    0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET3 src /* BLACKLIST */
    0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET4 src /* BLACKLIST */

=> And for the 5.2.3.4 version:

iptables -L -v | grep blacklog
Chain blacklog (4 references)
    0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET1 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET2 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET3 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET4 src

===> So, everything is not really as empty as "shorewall show bl" shows...
So, my question is: why does "shorewall show bl" not give the same result
depending on the Shorewall version?

Thanks for your help
Regards :)
Oliver
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
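Added example, not part of Oliver's post and not Shorewall's own code: a version-independent way to check whether the ipset-based BLACKLIST rules are actually matching traffic, by reading the packet counters straight out of `iptables -L -v -n -x` instead of relying on what `shorewall show bl` chooses to print. The script name, the ipset names MYIPSET1..4 and the sample output it is tested against are assumptions; the sample is constructed from the two output formats quoted above (comment-tagged rules on 4.6.4.3, "[goto]" rules on 5.2.3.4) and is not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall).
# On a firewall, run as:   iptables -L -v -n -x | sh blacklist_hits.sh -
# With --demo it runs against the constructed sample below instead.
# (File name and ipset names MYIPSET1..4 are assumptions.)

# Read `iptables -L -v -n -x` output on stdin and print one line per rule that
# uses an ipset match, as:  SETNAME PACKETS BYTES CHAIN
# -x gives exact counters (no K/M suffixes), so numbers can be compared.
# Rules rendered with "[goto]" (as on 5.2.3.4) are handled exactly like plain
# jump rules, because the parser keys on the "match-set" token itself and not
# on the "/* BLACKLIST */" comment, which is absent in the 5.2.3.4 output.
blacklist_hits() {
    awk '
        /^Chain / { chain = $2; next }         # remember which chain we are in
        /match-set/ {
            set = "?"
            for (i = 1; i <= NF; i++)
                if ($i == "match-set") set = $(i + 1)
            printf "%s %s %s %s\n", set, $1, $2, chain   # $1=pkts $2=bytes
        }
    '
}

# Constructed sample (not captured from a real host) mixing both formats seen
# on the list, plus a chain without any ipset match, which must be ignored.
sample_output() {
    cat <<'EOF'
Chain net-fw~ (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     620      32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
       0          0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET3 src /* BLACKLIST */
Chain net-fw (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  match-set MYIPSET2 src
Chain blacklog (4 references)
    pkts      bytes target     prot opt in     out     source               destination
     632      33520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

case "${1:-}" in
    --demo) sample_output | blacklist_hits ;;   # parse the constructed sample
    -)      blacklist_hits ;;                   # parse real output from stdin
esac
```

A set that shows non-zero counters here is blocking traffic whatever `shorewall show bl` displays; a set whose rules stay at zero on both hosts is worth checking with `ipset list SETNAME` to confirm it is populated and with `ipset test SETNAME <address>` for a known-bad source.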