On 11/1/19 8:40 AM, Tom Eastep wrote:
>> #
>> # Shorewall -- /etc/shorewall/rules
>> #
>>
>> ?SECTION ALL
>> DROP:info net:+BlackList $FW
>> ?SECTION ESTABLISHED
>> ?SECTION RELATED
>> ?SECTION INVALID
>> ?SECTION UNTRACKED
>> ?SECTION NEW
>>
>> --- cut rules, none of them related to ipsets.
>>
>> # turn on ipset from fail2ban
>> #
>> DROP:info net:+BlackList $FW
>> # old
>> DROP:info net:+f2b all
>> #
>> # Filter out noise
>> #
>> Drop net $FW all
>
> Again, get rid of that and simply use the recommended DROP policy
> actions (again, follow the advice in the Warning)
>
>> #
>> # turn on ipset to stop testing ports from outside
>> #
>> ADD(SW_DBL4:src):info net $FW
>> #
>>
>
> Simply setting the net->all policy to BLACKLIST will do that for you!
>
> I don't understand why you have two blacklist ipsets, but the Blacklist
> ipset is likely vanishing because you are setting SAVE_IPSETS in
> shorewall.conf. If you are using shorewall-init to save/restore your
> ipsets, then SAVE_IPSETS should be left empty in shorewall.conf.
One more clarification: My advice about using the default DROP policy
above won't do what you want unless you do use the BLACKLIST policy for
net->all and rather use the recommended BLACKLIST policy actions. From
my own configuration:

shorewall.conf:

BLACKLIST_LOG_LEVEL="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
BLACKLIST="NEW,INVALID,UNTRACKED"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
BLACKLIST_DISPOSITION=DROP

/etc/shorewall/rules:

Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
Ping(ACCEPT) { SOURCE=net, DEST=$FW,DMZ }
Tracert(ACCEPT) { SOURCE=net, DEST=$FW,DMZ }

-Tom

-- 
Tom Eastep         \   Q: What do you get when you cross a mobster with
Shoreline,          \     an international standard?
Washington, USA      \ A: Someone who makes you an offer you can't
http://shorewall.org  \   understand
                       \_______________________________________________
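The two points made in this thread (leave SAVE_IPSETS empty when shorewall-init manages ipsets; replace hand-written ipset DROP/ADD rules with the BLACKLIST policy and its actions) can be checked mechanically. The following is an added example, not part of the mail or of Shorewall itself: the sample shorewall.conf and rules fragments are constructed, the `uses_shorewall_init` flag is a hypothetical caller-supplied input (the page does not say how to detect it), and the rule-matching regex is a heuristic.

```python
import re

# Constructed sample shorewall.conf fragment (not taken from a real host).
SAMPLE_CONF = """
SAVE_IPSETS=Yes
BLACKLIST_LOG_LEVEL="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
BLACKLIST="NEW,INVALID,UNTRACKED"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
BLACKLIST_DISPOSITION=DROP
"""

# Constructed sample /etc/shorewall/rules fragment, mirroring the quoted rules.
SAMPLE_RULES = """
?SECTION ALL
DROP:info net:+BlackList $FW
DROP:info net:+f2b all
ADD(SW_DBL4:src):info net $FW
?SECTION NEW
Web(DROP) { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
"""

def parse_conf(text):
    """Parse shell-style KEY=VALUE lines; strip quotes, skip comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"').strip("'")
    return conf

# Heuristic (assumption, not Shorewall grammar): a DROP/REJECT/ADD rule whose
# source is an ipset (+name) or the dynamic-blacklist set SW_DBL4 named in the mail.
MANUAL_IPSET_RULE = re.compile(r"^(DROP|REJECT|ADD)\b.*(\+\w+|SW_DBL4)")

def check_config(conf_text, rules_text, uses_shorewall_init):
    """Return findings; uses_shorewall_init is a hypothetical caller-supplied flag."""
    conf = parse_conf(conf_text)
    findings = []
    # shorewall-init and SAVE_IPSETS both saving/restoring ipsets clash (the
    # Blacklist set "vanishes"); the mail says to leave SAVE_IPSETS empty then.
    if uses_shorewall_init and conf.get("SAVE_IPSETS", ""):
        findings.append("SAVE_IPSETS is set while shorewall-init manages ipsets; leave it empty")
    # The mail recommends the BLACKLIST policy (DYNAMIC_BLACKLIST=ipset-only plus
    # BLACKLIST_DEFAULT actions) instead of hand-written ipset rules in /etc/shorewall/rules.
    if conf.get("DYNAMIC_BLACKLIST", "").startswith("ipset"):
        for line in rules_text.splitlines():
            line = line.strip()
            if MANUAL_IPSET_RULE.match(line):
                findings.append(f"manual ipset rule duplicates the BLACKLIST policy: {line}")
    return findings
```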
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users