On 9/26/2014 5:11 PM, PGNd wrote:
>
>
> On Fri, Sep 26, 2014, at 02:28 PM, Tom Eastep wrote:
>> It is preserved over neither system reboots nor 'shorewall stop;
>> shorewall start'. During restart, its contents are stored in
>> ${VARDIR}/.dynamic
>
> 'Bitten' again by restart != start + stop. Need to remember that.
>
> I find persist-to-ipset frequently/very useful. Pre-shorewall, I used a
> kludgy perl script to fast-add add'ys to IPSETS,
>
> cat fast_drop.pl
> #!/usr/bin/perl
> # Add a host or prefix to a FAST_DROP ipset so the firewall rules can act on it.
>
> use strict;
> use warnings;
>
> my $IPSET       = '/usr/sbin/ipset';
> my $setname_ip  = 'FAST_DROP_IP';   # hash:ip set for single hosts
> my $setname_net = 'FAST_DROP_NET';  # hash:net set for prefixes
>
> my $BAD_IP = $ARGV[0] // die "usage: $0 ADDRESS[/CIDR]\n";
> print "Dropping $BAD_IP NOW!!\n";
>
> my ( $QUARTET, $CIDR ) = split '/', $BAD_IP;
> $CIDR //= 32;
>
> # Refuse anything that is not a dotted quad with a plausible prefix length;
> # this also keeps shell metacharacters out of the ipset command below.
> die "bad address: $BAD_IP\n"
>     unless $QUARTET =~ /^(?:\d{1,3}\.){3}\d{1,3}$/ && $CIDR =~ /^\d{1,2}$/;
>
> # List-form system() bypasses the shell, so the argument is never interpreted.
> if ( $CIDR >= 1 && $CIDR <= 31 ) {
>     system( $IPSET, 'add', $setname_net, "$QUARTET/$CIDR" ) == 0
>         or die "ipset add failed: $?\n";
> } elsif ( $CIDR == 32 ) {
>     system( $IPSET, 'add', $setname_ip, $QUARTET ) == 0
>         or die "ipset add failed: $?\n";
> } else {
>     die "unsupported prefix length /$CIDR\n";
> }
>
> system( $IPSET, 'list', $setname_ip );
> system( $IPSET, 'list', $setname_net );
>
> Then, of course, I'd act on those IPSETs in my rulesets.
>
> Any interest in implementing option persist-dynamic-blacklist-to-IPSET in SW?
>
> If so, can work on it here; if not, nbd -- I'll put it in a lib.private
> function ...
Thanks for the offer. Given that we already have the DYNAMIC_BLACKLIST
configuration option (yes/no), I think I would like to extend that
option by allowing yes/no/ipset as possible values.
In the master git branch, the function default_yes_no() has been
extended to allow an alternative option to be specified as in:
default_yes_no 'DYNAMIC_BLACKLIST', 'Yes', 'ipset';
The loading of the chains during 'start', and saving them during 'stop',
can be piggybacked onto the SAVE_IPSETS option.
Does that sound reasonable?
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
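As an added example, not code from the thread or from Shorewall, here is a shell version of PGNd's fast-add that validates its input and also does the save-at-'stop' / reload-at-'start' pair Tom describes. It assumes the set names from PGNd's script (a hash:ip set for hosts and a hash:net set for prefixes) and a state file path under /var/lib/shorewall; set IPSET to something else to dry-run.

```sh
#!/bin/sh
# Added example, not from the thread or from Shorewall: fast-add an address to a
# FAST_DROP ipset and persist both sets across 'shorewall stop' / 'shorewall start'.
# Assumed: set names from PGNd's script (hash:ip for hosts, hash:net for prefixes)
# and a state file path under /var/lib/shorewall.
IPSET="${IPSET:-/usr/sbin/ipset}"
SET_IP="FAST_DROP_IP"
SET_NET="FAST_DROP_NET"
STATE_FILE="${STATE_FILE:-/var/lib/shorewall/fast_drop.ipset}"

# True only for a dotted quad with four octets in 0..255; runs in a subshell so
# the IFS and globbing changes do not leak into the caller.
valid_ipv4() (
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# Print the ipset command for ADDRESS[/CIDR]; fail on anything that is not a valid
# host or a /1-/31 prefix (the original script silently ignored /0 and anything >/32).
drop_cmd() {
    addr=${1%/*}; cidr=${1#*/}
    [ "$cidr" = "$1" ] && cidr=32          # no '/' given: single host
    valid_ipv4 "$addr" || return 1
    case $cidr in ''|*[!0-9]*) return 1;; esac
    if [ "$cidr" -eq 32 ]; then echo "$IPSET -exist add $SET_IP $addr"
    elif [ "$cidr" -ge 1 ] && [ "$cidr" -le 31 ]; then echo "$IPSET -exist add $SET_NET $addr/$cidr"
    else return 1
    fi
}

# Validate, then run the add; -exist makes re-adding a known entry a no-op.
fast_drop() {
    cmd=$(drop_cmd "$1") || { echo "refusing bad address: $1" >&2; return 1; }
    $cmd
}

# Dump set definitions plus members at 'stop' and reload them at 'start';
# 'ipset restore' fails on a set that already exists unless -exist is given.
save_sets() { "$IPSET" save "$SET_IP" > "$STATE_FILE" && "$IPSET" save "$SET_NET" >> "$STATE_FILE"; }
restore_sets() { [ -r "$STATE_FILE" ] && "$IPSET" -exist restore < "$STATE_FILE"; }
```

Unlike the in-tree DYNAMIC_BLACKLIST handling, this survives 'stop' followed by 'start' only if save_sets runs before the sets are flushed and restore_sets runs before the rules that reference them are loaded.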
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
