Re:
So, after another check:
- Blacklisting is correctly enabled on each server
- The Shorewall update has been done and I checked that it's OK :) and, to be
sure, I ran it again
As mentioned: 2 Linux servers, 2 Shorewall versions, but exactly the
same use of blacklisting with exactly the same use of IPSET.
The only way I found to get exactly the same results is: iptables -L -v
| grep blacklog
I don't know if it's a bug and, for sure, it's not critical behaviour
:) and there is an alternative way to get the information.
And, as discussed, the problem doesn't seem to be on my side :) hahaha
so it's not a config mistake in my Shorewall installations...
Thanks for everything
All the best
On 03-05-2021 08:23, Matt Darfeuille wrote:
On 4/29/2021 11:11 AM, Olivier BELLON wrote:
Hi everybody,
I have 2 Linux servers, each with Shorewall installed.
One Shorewall is version 4.6.4.3 (Debian Jessie) and the other installation
is version 5.2.3.4 (Ubuntu 20.04 LTS).
Shorewall is OK and running on each server :)
I enabled the 'BLACKLIST' feature in the "blrules" file with an IPSET containing
subnets that I want to blacklist... I have exactly the same
configuration in the "blrules" file on each Shorewall installation.
BLACKLIST net:+MYIPSET1 all
BLACKLIST net:+MYIPSET2 all
BLACKLIST net:+MYIPSET3 all
BLACKLIST net:+MYIPSET4 all
=> On 4.6.4.3, when I enter "shorewall show bl" I get an answer with many
lines:
shorewall show bl
Shorewall 4.6.4.3 blacklist chains at zeus.sonixtra.net - Thursday 29 April 2021, 10:42:07 (UTC+0200)

Chain dynamic (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain net-fw~ (1 references)
 pkts bytes target     prot opt in     out     source               destination
  620 32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
  155  7526 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET2 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET3 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET4 src /* BLACKLIST */
=> On 5.2.3.4, when I enter "shorewall show bl" I get an empty answer:
shorewall show bl
Shorewall 5.2.3.4 blacklist chains at Stamina-Filer - Thu. 29 April 2021 11:03:36 CEST

Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination
=> So, if I check in iptables, I get these lines for version 4.6.4.3:
iptables -L -v | grep blacklog
Chain blacklog (4 references)
  892 47437 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET1 src /* BLACKLIST */
  207 10010 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET2 src /* BLACKLIST */
    0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET3 src /* BLACKLIST */
    0     0 blacklog   all  --  any    any     anywhere             anywhere             match-set MYIPSET4 src /* BLACKLIST */
=> And for version 5.2.3.4:
iptables -L -v | grep blacklog
Chain blacklog (4 references)
    0     0 blacklog   all  --  any    any     anywhere             anywhere             [goto] match-set MYIPSET1 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere             [goto] match-set MYIPSET2 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere             [goto] match-set MYIPSET3 src
    0     0 blacklog   all  --  any    any     anywhere             anywhere             [goto] match-set MYIPSET4 src
===> So, everything is not really as empty as shown in "shorewall show bl"...
So, my question is: why doesn't "shorewall show bl" give the same result
depending on the Shorewall version?
Diffing the function 'show_bl' between the two versions:
$ diff -dus 4* 5*
--- 4.6.3.4.txt 2021-04-30 16:01:50.103047209 +0200
+++ 5.2.3.5.txt 2021-04-30 16:03:05.792414702 +0200
@@ -1,4 +1,5 @@
show_bl() {
+ [ -n "$g_blacklistipset" ] && ipset -L $g_blacklistipset |
blacklist_filter && echo
$g_tool -L $g_ipt_options | \
awk 'BEGIN {prnt=0; };
/^$/ {if (prnt == 1) print ""; prnt=0; };
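Review bot: the added line quotes the variable in the `-n` test but then passes it unquoted to `ipset -L $g_blacklistipset`; write `ipset -L "$g_blacklistipset"` so both uses agree. Two further observations on what is visible: the files being diffed are labelled 4.6.3.4.txt and 5.2.3.5.txt, not the 4.6.4.3 and 5.2.3.4 releases installed on the two servers, so it is worth confirming the right versions are compared; and nothing in this hunk touches the `awk` chain filter that follows `$g_tool -L $g_ipt_options`, so the addition only lists the dynamic ipset and cannot by itself explain chains disappearing from the output.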
Is blacklisting properly enabled (1) (2)?
If you migrated from 4.* to 5.*, did you do a 'shorewall update'?
In any case, if this turns out to be a bug, I cannot guarantee if/when this
will be fixed.
1) https://shorewall.org/manpages/shorewall-blrules.html
2) https://shorewall.org/manpages/shorewall.conf.html
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
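As an added example (not code from this thread or from the Shorewall project), the script below does what the `iptables -L -v | grep blacklog` workaround in the thread does by hand, but keeps the chain context that grep loses: it parses a full `iptables -L -v` listing, picks out the rules whose target is the blacklog chain, and reports per-ipset packet counters together with whether the rule was printed with `[goto]` (as on the 5.2.3.4 server) or as a plain jump (as on 4.6.4.3). The listing embedded in it is constructed to resemble the two outputs quoted above; the chain names, ipset names and counters are illustrative, and the column layout assumed is iptables' standard verbose listing (pkts bytes target prot opt in out source destination, then extras).

```python
import re
import sys
from typing import Dict, List, NamedTuple


class BlacklistRule(NamedTuple):
    chain: str    # chain the rule lives in (e.g. net-fw~)
    pkts: int
    bytes: int
    ipset: str    # set name taken from "match-set NAME src"
    goto: bool    # True when iptables printed [goto], False for a plain jump


# Rule lines of `iptables -L -v`: pkts bytes target prot opt in out source destination [extras]
# Counters may be abbreviated (12K, 3M) unless iptables was run with -x.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)"
    r"(?:\s+\S+){6}(?P<extra>.*)$"
)
SET_RE = re.compile(r"match-set\s+(?P<name>\S+)\s+src")


def parse_counter(value: str) -> int:
    """Turn an iptables -v counter such as '620' or '12K' into an integer."""
    mult = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if value[-1] in mult:
        return int(value[:-1]) * mult[value[-1]]
    return int(value)


def parse_blacklist_rules(listing: str) -> List[BlacklistRule]:
    """Extract every ipset rule that sends traffic to the blacklog chain, with chain and counters."""
    rules: List[BlacklistRule] = []
    chain = ""
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain net-fw~ (1 references)" -> "net-fw~"
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "blacklog":
            continue
        extra = m.group("extra")
        s = SET_RE.search(extra)
        if not s:
            continue                         # a blacklog rule that does not use an ipset
        rules.append(BlacklistRule(
            chain,
            parse_counter(m.group("pkts")),
            parse_counter(m.group("bytes")),
            s.group("name"),
            "[goto]" in extra,
        ))
    return rules


def hits_per_set(rules: List[BlacklistRule]) -> Dict[str, int]:
    """Sum packet counters per ipset across every chain that references it."""
    totals: Dict[str, int] = {}
    for r in rules:
        totals[r.ipset] = totals.get(r.ipset, 0) + r.pkts
    return totals


def idle_sets(rules: List[BlacklistRule]) -> List[str]:
    """Sets referenced by a blacklog rule that have never matched a packet."""
    return sorted(name for name, pkts in hits_per_set(rules).items() if pkts == 0)


# Constructed sample, modelled on the two listings quoted in the thread; all names are illustrative.
SAMPLE_LISTING = """\
Chain dynamic (4 references)
 pkts bytes target     prot opt in     out     source               destination

Chain net-fw~ (1 references)
 pkts bytes target     prot opt in     out     source               destination
  620 32800 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set MYIPSET1 src /* BLACKLIST */
    0     0 blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto] match-set MYIPSET2 src
  12K  900K blacklog   all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto] match-set MYIPSET3 src

Chain blacklog (3 references)
 pkts bytes target     prot opt in     out     source               destination
  12K  932K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6
  12K  932K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


if __name__ == "__main__":
    # Usage: iptables -L -v -n | python3 blacklist_hits.py   (no stdin: the sample listing is used)
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    rules = parse_blacklist_rules(text)
    for r in rules:
        print(f"{r.chain:12} {r.ipset:12} pkts={r.pkts:<8} bytes={r.bytes:<10} goto={r.goto}")
    print("sets with no hits:", ", ".join(idle_sets(rules)) or "none")
```

Feeding it the real listing (`iptables -L -v -n | python3 blacklist_hits.py`, as root) gives the same per-set picture on both servers regardless of which `shorewall show bl` prints, and the goto flag makes the 4.x/5.x difference in how the rules are emitted visible at a glance.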