On 9/27/2014 11:25 AM, PGNd wrote:
> On Sat, Sep 27, 2014, at 11:02 AM, Tom Eastep wrote:
>>> In the dynamic blacklist management/saving specifically, and SAVE_IPSET
>>> mgmt in general, (how) do you differentiate between single addresses and
>>> ranges?
>>
>> I think you are misunderstanding SAVE_IPSETS. That facility uses the
>> ipset -S command to save the contents of the ipsets in a text file and
>> reloads them from a text file.
>
> ah, "-S". Ok.
>
> That, then, still leaves my subsequent musings about redundancy and saving
> only specific IPSETs ...
>
>> I'm going to have to give that some thought, because there are actually
>> four commands:
>>
>> drop
>> logdrop
>> reject
>> logreject
>
> IIUC, those commands are ONLY used in the context of DYNAMIC_BLACKLISTING, is
> that correct?
>
> If so, if I were doing this from scratch, I'd bundle it all within a single
> context:
>
> shorewall[6][-lite] blacklist {drop,reject,remove} [log]
>
> e.g.
>
> shorewall-lite blacklist drop log X.X.X.X/NN
>
> or
>
> shorewall6-lite blacklist reject XXXX:XXXX::
>
> etc
>
> then perl-parsing the IP 4/6 target addresses for CIDR = /32 or (null), or
> CIDR = /1 - /31, and writing to appropriate hash:ip or hash:net IPSETs,
> which could subsequently be stored persistently if DYNAMIC_BLACKLIST = ipset.
>
> the additional 'remove' action could be used to (wildcard?) search & match
> the existing entries in DYNAMIC_BLACKLIST's IPSET and remove them ...
Looking further, if DYNAMIC_BLACKLIST=Yes, the contents of the dynamic
blacklist *do* survive stop/start:
root@gateway:~# shorewall show dynamic
Shorewall 4.6.4-Beta2 Chain dynamic at gateway - Sat Sep 27 13:19:48 PDT 2014
Counters reset Sat Sep 27 13:19:47 PDT 2014
Chain dynamic (16 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 1.2.3.4 0.0.0.0/0
0 0 DROP all -- * * 3.4.5.6 0.0.0.0/0
root@gateway:~# shorewall stop
Stopping Shorewall....
Processing /etc/shorewall-common/tcclear ...
Running /usr/local/sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
done.
root@gateway:~# shorewall start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall-common/tcclear ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up log backend
Setting up Proxy ARP...
Adding Providers...
Null Routing the RFC 1918 subnets
Preparing iptables-restore input...
Running /usr/local/sbin/iptables-restore...
Preparing arptables-restore input...
Running /sbin/arptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/started ...
done.
root@gateway:~# shorewall show dynamic
Shorewall 4.6.4-Beta2 Chain dynamic at gateway - Sat Sep 27 13:23:24 PDT 2014
Counters reset Sat Sep 27 13:23:21 PDT 2014
Chain dynamic (16 references)
pkts bytes target prot opt in out source destination
0 0 logdrop all -- * * 1.2.3.4 0.0.0.0/0
0 0 DROP all -- * * 3.4.5.6 0.0.0.0/0
root@gateway:~#
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
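The address-classification step sketched in the quoted proposal above (a single host goes to a hash:ip set, a shorter prefix to a hash:net set, and a remove action matches existing entries), as an added example that is not part of Shorewall or of either poster's code. It is written in Python rather than the Perl the post mentions. The set-naming scheme (dbl4_drop_ip and so on), the use of the -exist option, and the sample text in SAMPLE_SAVE are assumptions made for the example; the sample follows the create/add line format that ipset -S (ipset save) emits and that SAVE_IPSETS restores from.

```python
"""Single-command blacklist front end: classify a target into hash:ip or
hash:net, emit the ipset commands, and match saved entries for removal.
Example code only; the set names and sample data are constructed."""
import ipaddress


def set_name(family, action, kind):
    # Assumed naming scheme: one set per address family, action and kind.
    # Not Shorewall's own set names.
    return f"dbl{family}_{action}_{kind}"


def classify(target):
    """Parse an IPv4/IPv6 address or CIDR string.

    Returns (family, kind, canonical): kind is 'ip' for a single host
    (/32, /128 or no prefix at all) and 'net' for any shorter prefix.
    Host bits inside a network are masked off (strict=False).
    """
    net = ipaddress.ip_network(target, strict=False)
    if net.num_addresses == 1:
        return net.version, "ip", str(net.network_address)
    return net.version, "net", str(net)


def blacklist_commands(action, target, log=False):
    """Commands for 'blacklist {drop,reject} [log] TARGET'.

    A logged target lands in a separate set (logdrop/logreject) so the
    firewall rule referencing that set can log before dropping/rejecting,
    mirroring the four existing commands drop/logdrop/reject/logreject.
    """
    if action not in ("drop", "reject"):
        raise ValueError(f"unknown action {action!r}")
    family, kind, canonical = classify(target)
    name = set_name(family, ("log" if log else "") + action, kind)
    inet = "inet6" if family == 6 else "inet"
    return [
        # -exist makes both steps idempotent on repeated invocations
        f"ipset create {name} hash:{kind} family {inet} -exist",
        f"ipset add {name} {canonical} -exist",
    ]


# Constructed sample of 'ipset save' output (the same text form that
# 'ipset -S' produces): create lines define sets, add lines populate them.
SAMPLE_SAVE = """\
create dbl4_logdrop_ip hash:ip family inet hashsize 1024 maxelem 65536
add dbl4_logdrop_ip 1.2.3.4
create dbl4_drop_ip hash:ip family inet hashsize 1024 maxelem 65536
add dbl4_drop_ip 3.4.5.6
create dbl4_drop_net hash:net family inet hashsize 1024 maxelem 65536
add dbl4_drop_net 3.4.5.0/24
"""


def parse_ipset_save(text):
    """Parse ipset save text into {setname: [entry, ...]}."""
    sets = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "create":
            sets.setdefault(parts[1], [])
        elif parts[0] == "add":
            sets.setdefault(parts[1], []).append(parts[2])
    return sets


def remove_commands(saved, pattern):
    """Commands for 'blacklist remove PATTERN'.

    PATTERN is an address or CIDR; every saved entry of the same family
    that lies inside it is deleted, whichever set it is in. This is the
    'wildcard search and match' the proposal asks for, done by prefix
    containment rather than by string matching.
    """
    scope = ipaddress.ip_network(pattern, strict=False)
    cmds = []
    for name, entries in saved.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version == scope.version and net.subnet_of(scope):
                cmds.append(f"ipset del {name} {entry}")
    return cmds


if __name__ == "__main__":
    for cmd in blacklist_commands("drop", "3.4.5.6", log=True):
        print(cmd)
    for cmd in blacklist_commands("reject", "2001:db8::/48"):
        print(cmd)
    for cmd in remove_commands(parse_ipset_save(SAMPLE_SAVE), "3.4.5.0/24"):
        print(cmd)
```

The commands are returned as strings rather than executed, so the classification and matching can be checked before anything touches the kernel; a real wrapper would run them through ipset and then let SAVE_IPSETS persist the result.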
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
