On 11/25/2016 07:12 AM, Vieri Di Paola wrote:
> Hi,
> 
> Suppose I have rules such as:
> 
> ACCEPT net $FW tcp 80,443 DNAT net loc:IP tcp 3389 [...etc...]
> 
> I'd like to automatically/dynamically blacklist all IP addresses of
> hosts that try to connect to any other unlisted port (eg. port tcp
> 2222 or 1234, etc.). So if a host tries to connect to port tcp 1234
> (on which my site does not serve anything) I'd like the "net" SRC
> address to be blacklisted "globally", ie. it should not be able to
> connect to ANY port, not even those listed above (80,443,3389), for
> at least 1 hour.
> 
> I've read about shorewall events (BTW there's a missing ',-' in the
> example 'AutoBL(SSH,-,-,-,REJECT,warn)') but I'm not sure if it
> fits my needs.
> 
> The following doesn't seem to do what I want:
> 
> ACCEPT net $FW tcp 80,443 DNAT net loc:IP tcp 3389 [...etc...] 
> AutoBL(ABL,10,1,-,3600,REJECT,info) net $FW all
> 
> Aren't the IP addresses in ABL_BL supposed to be REJECTed
> regardless of where they're trying to connect to?

You don't want to use AutoBL in this way. AutoBL is intended to be
used to blacklist clients who make repeated attempts to connect to a
service which they are allowed to use. The most common use case is to
stop dictionary attacks.

> 
> Maybe there's a simpler way to do this with Shorewall actions and
> dynamic blacklisting?
> 

Configure ipset-based dynamic blacklisting:

DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info

then put this at the bottom of your rules:

ADD(SW_DBL4,src)        net     $FW

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
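Added example (not part of the thread, and not Shorewall's own code): a small Python model of the packet path that Tom's two-line answer sets up. It exists to make the ordering visible, since that is what the original AutoBL attempt got wrong: the dynamic-blacklist ipset (SW_DBL4) is consulted before the rules file is evaluated, the explicit ACCEPT/DNAT rules come next, and ADD(SW_DBL4,src) at the bottom only sees traffic nothing above it accepted. Assumptions, all labelled in the code: the net-to-$FW policy is DROP, a blacklisted source is dropped (not rejected), entries are not refreshed on later hits, and the addresses and timestamps are constructed test data.

```python
"""Toy model of Shorewall's ipset-based dynamic blacklist (constructed
example for illustration; it does not call Shorewall or iptables)."""
from dataclasses import dataclass, field

# Mirrors the rules quoted in the thread.
ALLOWED_PORTS = {80, 443}      # ACCEPT net $FW tcp 80,443
DNAT_PORTS = {3389}            # DNAT net loc:IP tcp 3389
BLACKLIST_TIMEOUT = 3600       # DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
POLICY_NET_FW = "DROP(policy)" # assumed net -> $FW policy


@dataclass
class IpSet:
    """Hash ipset with a per-entry timeout, in seconds (simplified)."""
    timeout: int
    entries: dict = field(default_factory=dict)  # addr -> expiry timestamp

    def add(self, addr: str, now: int) -> None:
        # Assumption: no refresh on later matches, a plain add with timeout.
        self.entries[addr] = now + self.timeout

    def test(self, addr: str, now: int) -> bool:
        expiry = self.entries.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[addr]   # expired entries are garbage-collected
            return False
        return True


@dataclass
class Firewall:
    dbl: IpSet = field(default_factory=lambda: IpSet(BLACKLIST_TIMEOUT))
    log: list = field(default_factory=list)

    def handle(self, src: str, dport: int, now: int) -> str:
        """Return the verdict for one new TCP connection from net to $FW."""
        # 1. The dynamic blacklist is checked before the rules file.
        if self.dbl.test(src, now):
            self.log.append(f"{now} DROP {src}->{dport} (in SW_DBL4)")
            return "DROP(SW_DBL4)"
        # 2. Explicit rules from the rules file.
        if dport in ALLOWED_PORTS:
            return "ACCEPT"
        if dport in DNAT_PORTS:
            return "DNAT"
        # 3. ADD(SW_DBL4,src) net $FW at the bottom: record the source, then
        #    fall through to the zone policy (ADD is non-terminating).
        self.dbl.add(src, now)
        self.log.append(f"{now} ADD {src} to SW_DBL4 (dport {dport})")
        return POLICY_NET_FW


def scenario() -> list:
    """Constructed sequence: a probe to an unlisted port blacklists the
    source for every port until the timeout expires."""
    fw = Firewall()
    return [
        fw.handle("203.0.113.7", 80, 0),          # normal client: ACCEPT
        fw.handle("203.0.113.7", 1234, 10),       # probe: added to set, policy DROP
        fw.handle("203.0.113.7", 80, 20),         # listed port, still DROP(SW_DBL4)
        fw.handle("203.0.113.7", 3389, 30),       # DNAT port, still DROP(SW_DBL4)
        fw.handle("203.0.113.7", 80, 10 + 3600),  # entry expired: ACCEPT again
        fw.handle("198.51.100.9", 443, 40),       # unrelated client unaffected
    ]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

Because the ADD rule matches every new packet that the rules above it did not accept, anything else you want reachable from net (ICMP, DNS, a management port) has to be accepted before it, or its first packet will land the client in SW_DBL4.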

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users