On 4/29/2021 11:11 AM, Olivier BELLON wrote:
> Hi everybody,
> 
> I have 2 Linux servers, each with Shorewall installed.
> One is version 4.6.4.3 (Debian Jessie) and the other installation
> is version 5.2.3.4 (Ubuntu 20.04 LTS).
> Shorewall is OK and running on each server :)
> 
> I enabled the 'BLACKLIST' feature in the "blrules" file with an IPSET containing
> subnets that I want to blacklist... I have exactly the same
> configuration in the "blrules" file on each Shorewall installation:
> BLACKLIST            net:+ MYIPSET1        all
> BLACKLIST            net:+ MYIPSET2        all
> BLACKLIST            net:+ MYIPSET3        all
> BLACKLIST            net:+ MYIPSET4        all
> 
> => On 4.6.4.3, when I enter "shorewall show bl" I get an answer with many lines:
> shorewall show bl
> Shorewall 4.6.4.3 blacklist chains at zeus.sonixtra.net - jeudi 29 avril 2021, 10:42:07 (UTC+0200)
> Chain dynamic (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> Chain net-fw~ (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   620 32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
>   155  7526 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET2 src /* BLACKLIST */
>     0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET3 src /* BLACKLIST */
>     0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET4 src /* BLACKLIST */
> 
> => On 5.2.3.4, when I enter "shorewall show bl" I get an empty answer:
> shorewall show bl
> Shorewall 5.2.3.4 blacklist chains at Stamina-Filer - jeu. 29 avril 2021 11:03:36 CEST
> Chain dynamic (4 references)
>  pkts bytes target     prot opt in     out     source               destination
> 
> => So, if I check in IPTABLES, I get these lines for the 4.6.4.3 version:
> iptables -L -v | grep blacklog
> Chain blacklog (4 references)
>   892 47437 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET1 src /* BLACKLIST */
>   207 10010 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET2 src /* BLACKLIST */
>     0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET3 src /* BLACKLIST */
>     0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET4 src /* BLACKLIST */
> 
> => And for the 5.2.3.4 version:
> iptables -L -v | grep blacklog
> Chain blacklog (4 references)
>     0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET1 src
>     0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET2 src
>     0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET3 src
>     0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET4 src
> 
> ===> So, things are not really as empty as "shorewall show bl" shows...
> So, my question is: why doesn't "shorewall show bl" give the same result
> depending on the Shorewall version?
> 
>
Diffing the func 'show_bl' between the two versions:

$ diff -dus 4* 5*
--- 4.6.3.4.txt 2021-04-30 16:01:50.103047209 +0200
+++ 5.2.3.5.txt 2021-04-30 16:03:05.792414702 +0200
@@ -1,4 +1,5 @@
 show_bl() {
+    [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset |
blacklist_filter && echo
     $g_tool -L $g_ipt_options | \
        awk 'BEGIN           {prnt=0; };
             /^$/             {if (prnt == 1) print ""; prnt=0; };
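Review bot: the hunk stops right after the awk BEGIN and blank-line rules, before whatever sets prnt=1, so this diff cannot show why 4.6 prints the net-fw~ chain and 5.2 prints only "Chain dynamic"; extend the comparison to the full awk program (the patterns that match chain headers and BLACKLIST rules) before deciding whether the behaviour is a bug. Minor: `$g_blacklistipset` is quoted in the `[ -n "$g_blacklistipset" ]` test but not in `ipset -L $g_blacklistipset`; quote it there as well.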


Is blacklisting properly enabled (1) (2)?

If you migrated from 4.* to 5.*, did you do a 'shorewall update'?


In any case, if this turns out to be a bug, I cannot guarantee if/when this
will be fixed.


1)  https://shorewall.org/manpages/shorewall-blrules.html
2)  https://shorewall.org/manpages/shorewall.conf.html

-- 
Matt Darfeuille <m...@shorewall.org>
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
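As an added example (not Shorewall's code, and not from either poster), here is a small POSIX shell/awk helper that answers the underlying question straight from an `iptables -L -v` listing instead of relying on what `shorewall show bl` chooses to print: for each ipset named in blrules, which chain holds the match-set rule and how many packets that rule has counted. The function name, the ipset names and the two sample listings (constructed to mirror the shapes quoted above; the `net-fw` chain name in the 5.2 sample is an assumption, since grep hid it in the original) are all assumptions made for this example, and nothing here depends on how show_bl selects chains.

```shell
#!/bin/sh
# Added example, not Shorewall's code: summarise, per ipset, which chain holds
# the rule that matches the set and how many packets that rule has counted.
# It reads the text of `iptables -L -v [-n]` (or `shorewall show bl`) on stdin.
# Function name and sample listings are assumptions made for this example.

summarize_set_hits() {
    # $@: ipset names to report on.
    # Output: "SET CHAIN PKTS COMMENT" per matching rule, COMMENT being the
    # /* ... */ text when present and "-" otherwise; "SET -" when no rule
    # in the input references that set at all.
    awk -v sets="$*" '
        BEGIN { n = split(sets, want, " "); for (i = 1; i <= n; i++) seen[want[i]] = 0 }
        /^Chain / { chain = $2; next }        # remember which chain we are in
        /match-set/ {
            for (i = 1; i <= NF; i++) if ($i == "match-set") set = $(i + 1)
            if (!(set in seen)) next          # a set we were not asked about
            seen[set]++
            c = index($0, "/*")
            print set, chain, $1, (c ? substr($0, c) : "-")
        }
        END { for (i = 1; i <= n; i++) if (seen[want[i]] == 0) print want[i], "-" }
    '
}

# Constructed listing in the shape of the 4.6.4.3 output (rules carry a comment).
SAMPLE_46='Chain net-fw~ (1 references)
 pkts bytes target     prot opt in     out     source               destination
  620 32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET3 src /* BLACKLIST */'

# Constructed listing in the shape of the 5.2.3.4 output (goto, no comment);
# the chain name net-fw is an assumption, since grep hid it in the original.
SAMPLE_52='Chain net-fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 blacklog   all  --  any    any     anywhere             anywhere            [goto]  match-set MYIPSET1 src'

# Demo run: prints one line per hit for MYIPSET1 and MYIPSET3 and "MYIPSET9 -".
printf '%s\n' "$SAMPLE_46" | summarize_set_hits MYIPSET1 MYIPSET3 MYIPSET9
```

Feed it the full `iptables -L -v -n` listing rather than `iptables -L -v | grep blacklog`: grep keeps the `Chain blacklog` header because it contains the word, but drops the headers of the chains that actually hold the match-set rules, which is why the 5.2.3.4 rules above only appear to sit under `Chain blacklog`. A set that comes back as `SET -` is not referenced by any rule at all, which is a different problem from `shorewall show bl` merely not displaying the chain.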

