On 15/06/13 18:12, Brian Burch wrote:
> On 15/06/13 15:13, Tom Eastep wrote:
<snip/>
>> On 06/15/2013 03:09 AM, Brian Burch wrote:
>>
>> If you simply take my suggestion to use ipsets, host and network
>> blacklisting takes exactly two entries in blrules:
>>
>> DROP net:+blacklisthosts all
>> DROP net:+blacklistnets all
>>
>> When you want to blacklist a single host, you add it to the
>> blacklisthosts ipset; when you want to blacklist an entire network, you
>> add it to blacklistnets. Two entries are required because the ipset
>> facility doesn't support a set type that can record both networks and
>> single hosts.
>
> That sounds exactly like what I wanted to do. I didn't stumble over the
> subject when reading the Shorewall documentation and I've obviously let
> my iptables knowledge get out of date.
>
> I have to install the three Ubuntu xtables-addons packages, and probably
> a newer version of Shorewall because the capabilities subcommand is not
> recognised on my system. I'll probably go quiet for several days!
I have not made much progress. I have Ubuntu 12.10 quantal on this machine and the xtables-addons-dkms package will not install. I discovered this is a manifestation of an old problem: in my case the dkms source will not compile using the header files from the 3.5.0 kernel line. A fix has just been released for the 13.04 raring kernels, but it fails to apply against my older kernel. The various workarounds fail too. If anyone is interested, take a look at https://bugs.launchpad.net/bugs/1062256

I am not prepared to risk destabilising my production system and so I will adopt Tom's "plan B".

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
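For anyone whose kernel does build xtables-addons, the two-set layout Tom describes above can be driven from a plain address list. The script below is an added example, not code from the Shorewall project or from anyone in this thread: it assumes the two set names from Tom's reply (blacklisthosts as a hash:ip set, blacklistnets as a hash:net set), routes bare addresses and explicit /32 entries to the host set and every other prefix length to the net set, and emits an `ipset restore` file plus the two blrules lines quoted above. The function names and the sample address list are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not code from the Shorewall project or from this thread.
# Assumes the two set names from Tom's blrules suggestion: blacklisthosts
# (hash:ip) and blacklistnets (hash:net). Function names and the sample
# list below are constructed for this illustration.

HOST_SET=blacklisthosts
NET_SET=blacklistnets

# Classify one IPv4 entry: a bare address or an explicit /32 is a host,
# any other prefix length is a network. Prints "host" or "net".
classify_entry() {
    case "$1" in
        */32) echo host ;;
        */*)  echo net ;;
        *)    echo host ;;
    esac
}

# Print the 'add' line for one entry, routed to the matching set.
# A /32 suffix is dropped because hash:ip stores plain addresses.
ipset_add_line() {
    entry=$1
    if [ "$(classify_entry "$entry")" = host ]; then
        echo "add $HOST_SET ${entry%/32}"
    else
        echo "add $NET_SET $entry"
    fi
}

# Build an 'ipset restore' file from an entry list on stdin
# (one address or CIDR per line; blank lines and # comments ignored).
ipset_restore_file() {
    echo "create $HOST_SET hash:ip family inet"
    echo "create $NET_SET hash:net family inet"
    while IFS= read -r entry; do
        case "$entry" in
            ''|\#*) continue ;;
        esac
        ipset_add_line "$entry"
    done
}

# The two blrules entries from the thread; columns are ACTION SOURCE DEST.
blrules_entries() {
    printf 'DROP\tnet:+%s\tall\n' "$HOST_SET"
    printf 'DROP\tnet:+%s\tall\n' "$NET_SET"
}

# Constructed sample list (RFC 5737 documentation ranges).
SAMPLE_LIST='# one host, one /32, one network
192.0.2.10
192.0.2.11/32
198.51.100.0/24
'

printf '%s' "$SAMPLE_LIST" | ipset_restore_file
blrules_entries
```

Feed the generated file to `ipset restore` before Shorewall starts so the sets exist when the blrules are compiled, then `ipset add blacklisthosts 203.0.113.5` (or `ipset add blacklistnets 203.0.113.0/24`) takes effect immediately, with no Shorewall reload, because the DROP rules match on set membership rather than on a fixed address.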
