On 11/1/19 8:40 AM, Tom Eastep wrote:
>> #
>> # Shorewall -- /etc/shorewall/rules
>> #
>>
>> ?SECTION ALL
>>  DROP:info net:+BlackList  $FW
>> ?SECTION ESTABLISHED
>> ?SECTION RELATED
>> ?SECTION INVALID
>> ?SECTION UNTRACKED
>> ?SECTION NEW
>>
>> --- cut rules none of them related to ipsets.
>>
>> # turn on ipset from fail2ban
>> #
>> DROP:info net:+BlackList  $FW
>> #  old >>DROP:info net:+f2b all
>> #
>> # Filter out noise
>> #
>> Drop net $FW all
> Again, get rid of that and simply use the recommended DROP policy
> actions (again, follow the advice in the Warning)
>> #
>> # turn on ipset to stop testing ports from outside
>> #
>> ADD(SW_DBL4:src):info net $FW
>> #
>>
>>
> Simply setting the net->all policy to BLACKLIST will do that for you!
> 
> I don't understand why you have two blacklist ipsets, but the Blacklist
> ipset is likely vanishing because you are setting SAVE_IPSETS in
> shorewall.conf. If you are using shorewall-init to save/restore your
> ipsets, then SAVE_IPSETS should be left empty in shorewall.conf.

One more clarification: My advice about using the default DROP policy
above won't do what you want unless you do use the BLACKLIST policy for
net->all and rather use the recommended BLACKLIST policy actions.

From my own configuration:

shorewall.conf:

BLACKLIST_LOG_LEVEL="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
BLACKLIST="NEW,INVALID,UNTRACKED"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
BLACKLIST_DISPOSITION=DROP

/etc/shorewall/rules:

Web(DROP)          { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
Ping(ACCEPT)       { SOURCE=net, DEST=$FW,DMZ }
Tracert(ACCEPT)    { SOURCE=net, DEST=$FW,DMZ }

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
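As an added example, not code from the thread or from the Shorewall project: a small Python check that parses shorewall.conf-style KEY=value settings and flags the SAVE_IPSETS conflict described above (SAVE_IPSETS set while shorewall-init is the component saving and restoring ipsets). The conf fragment is constructed from the settings quoted in the message plus a SAVE_IPSETS line to trigger the finding; whether shorewall-init restores ipsets is an assumption the caller supplies, not something read from disk.

```python
import re

# Constructed shorewall.conf fragment: the blacklist settings quoted in the
# thread, plus a SAVE_IPSETS line so the check below has something to report.
SAMPLE_CONF = '''\
# Shorewall -- /etc/shorewall/shorewall.conf (constructed sample)
BLACKLIST_LOG_LEVEL="none"
BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
BLACKLIST="NEW,INVALID,UNTRACKED"
DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
BLACKLIST_DISPOSITION=DROP
SAVE_IPSETS=Yes
'''

# KEY=value, with optional whitespace around '='; value captured raw.
_SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$')


def parse_conf(text):
    """Parse shorewall.conf-style settings into a dict.

    Blank lines and '#' comments are skipped. A value may be bare or wrapped
    in single or double quotes; matching quotes are stripped, nothing else
    (such as $VARIABLE references) is interpreted.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = _SETTING.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        settings[key] = value
    return settings


def check_blacklist_config(settings, init_restores_ipsets):
    """Return a list of findings about the dynamic-blacklist settings.

    init_restores_ipsets is the caller's statement (an assumption taken as
    input by this example) that shorewall-init saves/restores ipsets; in that
    case SAVE_IPSETS in shorewall.conf should be left empty, otherwise the
    two mechanisms save and restore the same set independently.
    """
    findings = []
    dyn = settings.get('DYNAMIC_BLACKLIST', '')
    options = [o.strip() for o in dyn.split(',') if o.strip()]
    uses_ipset = bool(options) and options[0].startswith('ipset')
    save = settings.get('SAVE_IPSETS', '')
    if uses_ipset and init_restores_ipsets and save and save.lower() != 'no':
        findings.append(
            'SAVE_IPSETS=%s while shorewall-init also saves/restores ipsets; '
            'leave SAVE_IPSETS empty in shorewall.conf' % save)
    if uses_ipset and not any(o.startswith('timeout=') for o in options):
        findings.append(
            'DYNAMIC_BLACKLIST uses an ipset but sets no timeout=; '
            'blacklisted addresses will not expire on their own')
    return findings


if __name__ == '__main__':
    conf = parse_conf(SAMPLE_CONF)
    for finding in check_blacklist_config(conf, init_restores_ipsets=True):
        print('WARNING:', finding)
```

Run with init_restores_ipsets=True the sample produces one warning about SAVE_IPSETS; with it set to False the sample config is clean, since the DYNAMIC_BLACKLIST line already carries a timeout.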
