On Wed, 2018-02-28 at 08:35 -0800, Tom Eastep wrote:
> 
> The documentation for the 'blacklist' command has always stated that it
> requires 'DYNAMIC_BLACKLIST='ipsec,...' to be available, and processing
> of the 'blacklist' command in 5.0.14.1 and 5.1.10.2 is identical.
> 
> With DYNAMIC_BLACKLIST=Yes, the 'drop', 'reject', etc. commands are
> available.

This is really odd.  While I certainly cannot argue with what the
documentation says, my shorewall.conf file for this configuration has
not changed since Nov 8, 2016 and I am absolutely positive I have been
using shorewall "shorewall-lite blacklist $IP" and it's been working up
until just very recently.  In fact I have a copy of a
/etc/shorewall-lite/state/ipsets.save from Feb 25, 2018 that has:

create SW_DBL4 hash:net family inet hashsize 1024 maxelem 65536 timeout 0 counters

and 336 "add SW_DBL4 $IP timeout 0 packets 0 bytes 0" entries in it.

Very strange.

But changing my shorewall.conf to "DYNAMIC_BLACKLIST=ipset" did indeed
fix it.

Cheers,
b.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
