On Sat, Sep 27, 2014, at 08:04 AM, Tom Eastep wrote:
> default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes', 'ipset';
>
> The loading of the chains during 'start', and saving them during 'stop'
> can be piggybacked onto the SAVE_IPSETS option.
>
> Does that sound reasonable?
I've not (yet) used SAVE_IPSET.
External init/mgmt/etc of IPv4 & IPv6 IPSETs is yet another one of the
pre-shorewall legacy functions I'd carried over and stuffed into lib.private
(one of the many advantages of having external `run` support for lib.private
functions), and still haven't gotten around to properly integrating :-/
I've now read @
Shorewall6 and Shorewall-init Support for Ipsets
http://shorewall.net/ipsets.html
"...
Unlike iptables, which has separate configurations for IPv4 and
IPv6, ipset has a single configuration that handles both. This means the
SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf won't work correctly
because . To work around this issue, Shorewall-init is now capable of restoring
ipset contents during 'start' and saving them during 'stop'.
..."
Since I do, now,
- use shorewall-init
- have both IPv4 & IPv6 IPSETs
AND
- currently use these DIY'd 'fast_drop' scripts for dynamic
blacklisting outside of SW
'piggybacking' DYNAMIC_BLACKLIST saving in/on-to SAVE_IPSET sounds like a good
solution that leverages what's already there.
Couple of questions:
For efficiency's sake, I manage dual IPSET hash forms -- a hash:ip & a hash:net
-- conditionally adding the drop target to one or the other, based on the
target's CIDR; the former for CIDR = /32, and the latter for CIDR = /1 - /31.
In the dynamic blacklist management/saving specifically, and SAVE_IPSET mgmt in
general, (how) do you differentiate between single addresses and ranges?
Also, since I'm using IPv4 *AND* IPv6, IIUC, that mandates
    /shorewall.conf
        SAVE_IPSETS=No
    /shorewall6.conf
        SAVE_IPSETS=No
    /etc/sysconfig/shorewall-init
        SAVE_IPSETS=Yes
(How) Does that affect SW command/usage for `drop`? Is it still separate, i.e.,
    shorewall(-lite) drop 1.2.3.4
    shorewall(-lite) drop 1.2.3.0/17
    shorewall6(-lite) drop 2001:aaaa:...::1
    shorewall6(-lite) drop 2001:aaaa:...::/48
?
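As an added illustration of the dual-set scheme described in the mail (not code from the poster's lib.private, nor from Shorewall): a small POSIX sh routine that decides, from a target's prefix length, whether a dynamic blacklist entry belongs in the hash:ip set or the hash:net set. The set names (fast_drop_ip4, fast_drop_net4, fast_drop_ip6, fast_drop_net6) are assumptions, and the IPv6 host prefix (/128) is an assumption extending the poster's IPv4-only /32 rule. It emits the ipset command rather than running it, so it can be exercised without ipset installed.

```shell
#!/bin/sh
# Added example, not the poster's or Shorewall's own code: pick the ipset a
# blacklist target belongs in. Hosts go to a hash:ip set, shorter prefixes to a
# hash:net set. Set names and the IPv6 /128 host prefix are assumptions.

# Print 4 or 6 depending on the address family of the target.
family_of() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# Print the host prefix length for a family (assumption: /128 for IPv6).
host_prefix() {
    if [ "$1" = 6 ]; then echo 128; else echo 32; fi
}

# Print the prefix length of a target; a bare address gets the host prefix.
prefix_of() {
    target=$1
    case "$target" in
        */*) echo "${target#*/}" ;;
        *)   host_prefix "$(family_of "$target")" ;;
    esac
}

# Print the (hypothetical) ipset name the target should be added to.
# Returns 1 for a prefix length outside /1 .. /host, matching the poster's
# stated range, so a malformed entry is not silently dropped into a set.
set_for() {
    target=$1
    fam=$(family_of "$target")
    plen=$(prefix_of "$target")
    host=$(host_prefix "$fam")
    if [ "$plen" -lt 1 ] || [ "$plen" -gt "$host" ]; then
        echo "bad prefix length /$plen for $target" >&2
        return 1
    fi
    if [ "$plen" -eq "$host" ]; then
        echo "fast_drop_ip$fam"
    else
        echo "fast_drop_net$fam"
    fi
}

# Print the ipset command that would add the target (dry run; -exist keeps a
# repeated add from failing).
drop_cmd() {
    set=$(set_for "$1") || return 1
    echo "ipset add $set $1 -exist"
}

# Usage: drop_cmd 1.2.3.0/17
```

Because the selection is driven purely by the prefix length, the same routine answers the question raised above for both families: a /32 (or /128) lands in the hash:ip set and anything shorter in the hash:net set, with one set of each type per address family so that separate IPv4 and IPv6 save/restore remains straightforward.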
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users