On 8/22/2013 9:06 PM, Mark D. Montgomery II wrote:
> I would like to add in a blacklist from lists of known bad IPs/Domains
> (scammers/spammers/phishers/etc.), but seem to be having some problems.
> I add the list into the /etc/shorewall/blacklist file and then either
> restart or refresh shorewall, but it never finishes.
> When I look at iptables while shorewall is starting I see a number of
> rules added, but then I see a number of rules added for dropping from
> the opendns fail servers (hit-nxdomain.opendns.com and
> hit-servfail.opendns.com).
> I assume these are from it doing lookups on domains that are no longer
> there since the list was compiled, so it ends up adding rules blocking
> those, which then seems to halt the list processing shortly thereafter.FA

Placing DNS names in the Shorewall config files is a really bad idea.
See http://www.shorewall.net/configuration_file_basics.htm#dnsnames
> I tried adding ACCEPT rules in for the ip ranges and domain names for
> the opendns servers but it didn't make a difference (apparently the
> blacklist processing overrides the rules in the rules file?).
> Is there anything I can do short of pre-processing the lists to filter
> out the no-longer-there domains?

My advice is to not use Shorewall to filter by DNS name.

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
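Given the advice above to keep DNS names out of the Shorewall config, and the original poster's mention of pre-processing the list, here is an added example (not Shorewall code, and not from either poster) that resolves the names once, up front, and drops entries that no longer resolve or that land on the OpenDNS hit-nxdomain/hit-servfail hosts named in the thread, leaving only addresses for the blacklist file. The input format (one entry per line, `#` comments) and the injectable resolver are assumptions.

```python
"""Pre-process a blacklist of hosts/domains into plain IP entries.

Added example, not Shorewall code. Names that no longer resolve, or that
resolve only to the OpenDNS helper addresses, are dropped so the firewall
never has to look them up at start time (and never blocks OpenDNS itself).
"""
import ipaddress
import socket

# Hostnames OpenDNS answers with for missing/failing lookups (from the thread).
OPENDNS_HELPERS = ("hit-nxdomain.opendns.com", "hit-servfail.opendns.com")


def system_resolve(name):
    """Return the set of addresses for name; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def filter_blacklist(entries, resolve=system_resolve):
    """Return (ips, dropped): usable address/CIDR strings and skipped entries.

    entries: lines of the list (blank lines and '#' comments are ignored).
    resolve: name -> set of address strings (assumed injectable for testing).
    """
    helper_addrs = set()
    for helper in OPENDNS_HELPERS:
        helper_addrs |= resolve(helper)
    ips, dropped = [], []
    for line in entries:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)  # already an IP or CIDR
            ips.append(entry)
            continue
        except ValueError:
            pass  # not an address: treat as a DNS name
        addrs = resolve(entry) - helper_addrs
        if addrs:
            ips.extend(sorted(addrs))
        else:
            dropped.append(entry)  # NXDOMAIN, SERVFAIL or OpenDNS redirect
    return ips, dropped


if __name__ == "__main__":
    import sys
    usable, skipped = filter_blacklist(sys.stdin)
    print("\n".join(usable))
    print(f"# dropped {len(skipped)} unresolvable entries", file=sys.stderr)
```

Run it as `python3 filter_blacklist.py < domains.txt > blacklist_ips.txt` and review the dropped count on stderr before installing the output.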


Shorewall-users mailing list