On Tuesday, July 31, 2018, 4:26:29 AM GMT+2, Tom Eastep <teas...@shorewall.net> wrote:

> No - blacklist checking occurs before the connection request is passed
> to any rules.
The redirect of port 80 to 60000 (a custom HTTP service) is to inform legitimate users of their mistake when trying to connect. So I removed the calls to the BLACKLIST action or policy, and started using ADD and REDIRECT again within the rules file like this:

[Placed almost at the top of the rules file, right after several static REJECTs or DROPs]

    REDIRECT:info:,blsredir net1,net2,net3:+IPS_BL,+POL_BL!+GLOBAL_WL 60000 tcp 80
    DROP:info:,blsseen net1,net2,net3:+IPS_BL,+POL_BL!+GLOBAL_WL all

[...list of ACCEPT / DNAT rules...]

    ADD(POL_BL:src):info:polbl,add2polbl net1,net2,net3:!+POL_BL,+GLOBAL_WL all tcp,udp - !443,80,25

[EOF]

With this method I won't be updating the ipset timeout (!+POL_BL in ADD), I will be specifying the ipset name within the rules file, and I will allow early redirects of requests to port 80 to go to a custom HTTP service on port 60000. The only drawback is that I need to maintain a list of ports/protocols to exclude from the ADD action (in my case, allowed traffic for now would be on ports 443, 80 and 25). A bit ugly and error-prone.

Anyway, I also noticed that I had to remove my ipset definition from DYNAMIC_BLACKLIST (I set DYNAMIC_BLACKLIST=Yes or No) even though I never referenced BLACKLIST anywhere else in Shorewall (neither in a policy nor in a rule). Otherwise, the remote host's IP address would be added to the ipset each time it was seen, thus partially invalidating the purpose of my three lines in the rules file and updating the ipset member timeout when not wanted. Why was this triggered?
This was the only occurrence of BLACKLIST in my shorewall files:

    # grep BLACKLIST /etc/shorewall/*
    /etc/shorewall/shorewall.conf:BLACKLIST_LOG_LEVEL=
    /etc/shorewall/shorewall.conf:BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
    /etc/shorewall/shorewall.conf:BLACKLIST="NEW,INVALID,UNTRACKED"
    /etc/shorewall/shorewall.conf:DYNAMIC_BLACKLIST=ipset,timeout=172800:POL_BL:info:add2polbl
    /etc/shorewall/shorewall.conf:BLACKLIST_DISPOSITION=DROP

Thanks,

Vieri