On 9/27/2014 9:22 AM, PGNd wrote:
> I've not (yet) used SAVE_IPSET.
>
> External init/mgmt/etc of IPv4 & IPv6 IPSETs is yet another one of
> the pre-shorewall legacy functions I'd carried over and stuffed into
> lib.private (one of the many advantages of having external `run` support
> for lib.private functions), and still haven't gotten around to properly
> integrating :-/
>
> I've now read @
>
> Shorewall6 and Shorewall-init Support for Ipsets
> http://shorewall.net/ipsets.html
>
> Since I do, now,
>
> - use shorewall-init
> - have both IPv4 & IPv6 IPSETs
>
> AND
>
> - currently use these DIY'd 'fast_drop' scripts for dynamic
> blacklisting outside of SW
>
> 'piggybacking' DYNAMIC_BLACKLIST saving in/on-to SAVE_IPSET sounds
> like a good solution that leverages what's already there.
>
Good
> Couple of questions:
>
> For efficiency's sake, I manage dual IPSET hash forms -- a hash:ip &
> a hash:net -- conditionally adding the drop target to one, or the other,
> based on the target's CIDR; The former for CIDR = /32, and the latter
> for CIDR = /1 - /31.
>
> In the dynamic blacklist management/saving specifically, and SAVE_IPSET mgmt
> in general, (how) do you differentiate between single addresses and ranges?
I think you are misunderstanding SAVE_IPSETS. That facility uses the
ipset -S command to save the contents of the ipsets in a text file and
reloads them from a text file.
>
> Also, since I'm using IPv4 *AND* IPv6, IIUC, that mandates
>
> /shorewall.conf
> SAVE_IPSETS=No
>
> /shorewall6.conf
> SAVE_IPSETS=No
>
> /etc/sysconfig/shorewall-init
> SAVE_IPSETS=Yes
>
> (How) Does that affect SW command/usage for `drop`? Is it still separate,
> i.e.,
>
> shorewall(-lite) drop 1.2.3.4
> shorewall(-lite) drop 1.2.3.0/17
> shorewall6(-lite) drop 2001:aaaa:...::1
> shorewall6(-lite) drop 2001:aaaa:...::/48
>
I'm going to have to give that some thought, because there are actually
four commands:
drop
logdrop
reject
logreject
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
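The hash:ip / hash:net split PGNd describes above (host addresses into a hash:ip set, /1 - /31 prefixes into a hash:net set), written out as an added POSIX shell example; it is neither the poster's lib.private code nor anything shipped with Shorewall. It extends the rule to IPv6 (/128 is the host case) and the four ipset names are assumed; with DRY_RUN=1 it only prints the ipset command, so it can be exercised on a box without ipset.

```shell
#!/bin/sh
# Assumed set names (constructed for this example, not Shorewall's own):
BL4_IP=blacklist4_ip    # hash:ip  family inet
BL4_NET=blacklist4_net  # hash:net family inet
BL6_IP=blacklist6_ip    # hash:ip  family inet6
BL6_NET=blacklist6_net  # hash:net family inet6

# Print the set a target belongs in: the hash:ip set for a host address
# (no prefix, /32 for IPv4, /128 for IPv6), the hash:net set for any
# shorter prefix from /1 up. Returns 1 for /0 or a malformed prefix.
ipset_for_target() {
    target=$1
    case $target in
        *:*) family=6; hostlen=128 ;;
        *)   family=4; hostlen=32 ;;
    esac
    case $target in
        */*) prefix=${target##*/} ;;
        *)   prefix=$hostlen ;;
    esac
    case $prefix in
        ''|*[!0-9]*) return 1 ;;   # non-numeric prefix length
    esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le "$hostlen" ] || return 1
    if [ "$prefix" -eq "$hostlen" ]; then
        [ "$family" = 4 ] && echo "$BL4_IP" || echo "$BL6_IP"
    else
        [ "$family" = 4 ] && echo "$BL4_NET" || echo "$BL6_NET"
    fi
}

# Blacklist a target: pick the set, then add the entry (idempotent via
# -exist). A hash:ip set takes the bare address, so any /32 or /128 is
# stripped. With DRY_RUN=1 the command is printed instead of executed.
fast_drop() {
    setname=$(ipset_for_target "$1") || {
        echo "fast_drop: bad target '$1'" >&2
        return 1
    }
    case $setname in
        *_ip) entry=${1%/*} ;;
        *)    entry=$1 ;;
    esac
    cmd="ipset add -exist $setname $entry"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}
```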
