On 7/22/19 9:33 AM, JLEM Shorewall wrote:
> Hi, Shorewall friends,
>
> I have been liking Shorewall for many years.
>
> On my dedicated cloud server, I desired to drop all attempts of
> random probes, from I suppose piracy activities from all around
> the world (Viet Nam, China, Russia, US, Europe...).
>
> I know that it looks like fail2ban, but as a beginner in defense
> work, I prefer to keep the control, and measure the impact of each
> action. And I will discover the limit of the blacklist rules
> number with this principle, too!
>
> The strategy is: regularly extracting from syslog all the IP
> addresses given by the default drop rule, sort them, and append
> them to the blrules, then reload shorewall. After 4 months, my
> collection is big: more than 150000 IP addresses collected in the
> "blrules" file.
>
> It worked fine on "Debian stretch". Restarting shorewall takes
> ~6 min, and I did not notice any sensible slow-down of the traffic.
>
> Now "Debian buster" is stable, and I want of course to port
> this work after dist-upgrade of my server. But it seems that
> shorewall on "buster" is blocked with such a blrules
> file.
>
> Versions of shorewall: on buster: shorewall 5.2.3.2-1; on stretch:
> shorewall 5.0.15.6-1
>
> I tried to iptables-save the iptables rules on stretch, and
> restore them directly to buster, but iptables-restore refuses:
> iptables-restore: line 460962 failed! Yes: as I have 3 zones, the
> 150000 blrules are x3, once for each zone. So really Shorewall
> gives 450000 blrules to iptables!
>
> Thank you for any idea.
>

There are better approaches to achieve your goal.

a) Create an ipset which contains the ip addresses that you wish to blacklist.

b) Use the BLACKLIST disposition. That will automatically add source IP addresses to the Shorewall-maintained blacklist ipset.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
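Worked example of step a) from Tom's reply, added here and not part of the thread or of Shorewall itself: a POSIX sh script that turns an accumulated blrules file of per-address DROP entries into an `ipset restore` input file, so the firewall carries one set lookup instead of one iptables rule per address per zone. The set name, the sample blrules content, and the hash:net sizing parameters are constructed for the example; the blrules SOURCE column referencing the set (Shorewall's `+setname` ipset syntax) and the BLACKLIST/DYNAMIC_BLACKLIST settings are documented in shorewall-blrules(5) and shorewall.conf(5) and are not reproduced here.

```shell
#!/bin/sh
# Added example (not from the thread): convert blrules DROP entries into
# `ipset restore` input. Duplicates that accumulate from repeated syslog
# extraction collapse into one set member each.

# Constructed sample blrules content (columns: ACTION SOURCE DEST).
# Note the repeated 192.0.2.10 line and a CIDR block.
SAMPLE_BLRULES='#ACTION        SOURCE              DEST
DROP           net:192.0.2.10      all
DROP           net:198.51.100.0/24 all
DROP           net:192.0.2.10      all
DROP           net:203.0.113.7     all'

# Emit ipset restore lines for every unique address in a blrules file.
# $1 = ipset name; blrules text is read from stdin.
blrules_to_ipset() {
    setname="$1"
    # hash:net accepts both single addresses and CIDR blocks; -exist makes
    # the restore idempotent when the set already exists.
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000 -exist\n' "$setname"
    # Keep only DROP lines whose SOURCE is net:<addr>, strip the zone
    # prefix, and de-duplicate before emitting the add lines.
    grep -E '^[[:space:]]*DROP[[:space:]]+net:[0-9./]+' \
      | awk '{sub(/^net:/, "", $2); print $2}' \
      | sort -u \
      | while read -r addr; do
            printf 'add %s %s -exist\n' "$setname" "$addr"
        done
}

# Number of set members the conversion of the sample would produce;
# useful as a sanity check against `wc -l` of the original blrules.
count_entries() {
    printf '%s\n' "$SAMPLE_BLRULES" | blrules_to_ipset "$1" | grep -c '^add '
}

# Stand-alone run: print the restore file for the sample.
printf '%s\n' "$SAMPLE_BLRULES" | blrules_to_ipset blacklist
```

On the real host the output goes to `ipset restore` (run as root) before Shorewall is started, and reloading Shorewall then no longer re-expands the list into hundreds of thousands of iptables rules.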