On 01/24/2018 03:21 AM, Vieri Di Paola via Shorewall-users wrote:
> Hi,
>
> I want to dynamically blacklist the IP addresses of hosts that try to
> connect to unadvertised ports. I do this by setting the following in
> shorewall.conf:
>
> DYNAMIC_BLACKLIST=ipset,timeout=172800:POL_BL:info:polbl
>
> I also set the BLACKLIST policy:
>
> net4 $FW BLACKLIST
> net4 loc BLACKLIST
> net4 dmz BLACKLIST
> net4 net3 BLACKLIST
> net4 net2 BLACKLIST
> net4 net1 BLACKLIST
> net4 all BLACKLIST
> net3 $FW BLACKLIST
> net3 loc BLACKLIST
> net3 dmz BLACKLIST
> net3 net4 BLACKLIST
> net3 net2 BLACKLIST
> net3 net1 BLACKLIST
> net3 all BLACKLIST
> net2 $FW BLACKLIST
> net2 loc BLACKLIST
> net2 dmz BLACKLIST
> net2 net4 BLACKLIST
> net2 net3 BLACKLIST
> net2 net1 BLACKLIST
> net2 all BLACKLIST
> net1 $FW BLACKLIST
> net1 loc BLACKLIST
> net1 dmz BLACKLIST
> net1 net4 BLACKLIST
> net1 net3 BLACKLIST
> net1 net2 BLACKLIST
> net1 all BLACKLIST
>
> However, after blacklisting the hosts' IP addresses I'd also like to
> redirect and allow ONLY traffic to port 62000 on the $FW IF the original
> destination port was 80.
> In other words, if a listed client were to connect to http://myserver
> then it would be redirected to TCP 62000. No other traffic allowed for
> that source IP addr.
>
> I have this in rules almost at the top:
> REDIRECT:info:blsinit net1,net2,net3,net4:+IPS_BL,+POL_BL!+GLOBAL_WL 62000 tcp 80
>
> However, I get this in the log:
>
> Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
> Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=<MAC> SRC=<IP> DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
>
> Here, "polbl" refers to the setting in DYNAMIC_BLACKLIST.
>
> I guess it's expected, so I don't know if posting a shorewall dump to
> this list would help.
> I'd like to know how to change my shorewall
> configuration in order to only accept connections to 62000 for
> blacklisted hosts.
> Adding an explicit ACCEPT rule before or after REDIRECT does not seem to
> "work".
>
> Am I required to use a custom DROP action instead of DYNAMIC_BLACKLIST?
Yes. The Shorewall dynamic blacklisting implementation currently does not allow for such exceptions.

-Tom

-- 
Tom Eastep          \ Q: What do you get when you cross a mobster with
Shoreline,           \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
                        \_______________________________________________
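The two log entries quoted in the question are the same SYN logged twice: first by the REDIRECT rule in the nat table with the original DPT=80, then by the dynamic-blacklist chain in the filter table with the rewritten DPT=62000, which is why an ACCEPT placed around the REDIRECT rule never gets a chance to match before the blacklist chain drops the packet. The following script is an added example, not code from the thread or from the Shorewall project; it parses lines in the `Shorewall:<chain>:<disposition>:` prefix format shown above and pairs each REDIRECT entry with the later DROP of the same packet (matched on SRC, PROTO, SPT and IP ID), so an operator can confirm from the log alone that the blacklist chain, not the rule order, is what discards the redirected connection. The MAC and source address in the sample are constructed placeholders (the original post redacted them), and the third sample line, a probe to port 22 with no preceding REDIRECT, is constructed as well.

```python
import re

# Constructed sample log, modelled on the two entries quoted in the thread.
# MAC and SRC are placeholders (the original post redacted them); the third
# line is a constructed probe to port 22 with no preceding REDIRECT entry.
SAMPLE_LOG = """\
Shorewall:blsinit:REDIRECT:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20594 DF PROTO=TCP SPT=30142 DPT=62000 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
Shorewall:polbl:DROP:IN=enp9s4 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.168.92.2 LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=20601 DF PROTO=TCP SPT=30150 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x1
"""

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by the
# netfilter key=value fields. Flag tokens such as DF and SYN carry no '=' and
# are simply skipped by the key=value scan.
HEADER = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    entry.update(KV.findall(m.group("rest")))
    return entry


def parse_log(text):
    """Parse every Shorewall line in a log excerpt, ignoring unrelated lines."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def correlate_redirects(entries):
    """Pair each REDIRECT entry with a later DROP of the same packet.

    The same packet is recognised by (SRC, PROTO, SPT, IP ID). The nat-table
    REDIRECT logs it with the original DPT; the filter-table blacklist chain
    logs it again with the rewritten DPT, which is why the thread's DROP
    entry shows DPT=62000 rather than 80.
    """
    pending = {}
    hits = []
    for e in entries:
        key = (e.get("SRC"), e.get("PROTO"), e.get("SPT"), e.get("ID"))
        if e["disposition"] == "REDIRECT":
            pending[key] = e
        elif e["disposition"] == "DROP" and key in pending:
            first = pending.pop(key)
            hits.append({
                "src": e["SRC"],
                "original_dport": int(first["DPT"]),
                "redirected_dport": int(e["DPT"]),
                "dropped_by": e["chain"],
            })
    return hits


def drops_by_chain(entries):
    """Count DROP entries per logging chain (here the blacklist chain 'polbl')."""
    counts = {}
    for e in entries:
        if e["disposition"] == "DROP":
            counts[e["chain"]] = counts.get(e["chain"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for h in correlate_redirects(parsed):
        print(f"{h['src']}: port {h['original_dport']} redirected to "
              f"{h['redirected_dport']}, then dropped by chain {h['dropped_by']}")
    print(drops_by_chain(parsed))
```

Run against a real `/var/log/messages` excerpt (the chain names come from the `:blsinit` and `:polbl` log tags in the rules file and DYNAMIC_BLACKLIST setting), a non-empty result from `correlate_redirects` is the signature of exactly the situation in the question: the redirect did happen, and the dynamic blacklist chain discarded the packet afterwards.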