> 1) Blacklisting has undergone considerable change in Shorewall 4.4.13.
>
> a) Blacklisting is now based on zones rather than on interfaces and
> host groups.
>
> b) Near compatibility with earlier releases is maintained.
>
> c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
> column in /etc/shorewall/blacklist, replacing 'from' and 'to'
> respectively. The old keywords are still supported.

The template 'blacklist' file does not have an OPTIONS column.

> d) The 'blacklist' keyword may now appear in the OPTIONS,
> IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
>
> i) In the IN_OPTIONS column, it indicates that packets received
> on the interface are checked against the 'src' entries in
> /etc/shorewall/blacklist.
>
> ii) In the OUT_OPTIONS column, it indicates that packets being
> sent to the interface are checked against the 'dst' entries.
>
> iii) Placing 'blacklist' in the OPTIONS column is equivalent to
> placing it in both the IN_OPTIONS and OUT_OPTIONS columns.

1. Am I allowed to specify 'blacklist' in the fw (firewall) zone? I did that, and when I specified it on its own (with no other zones set with the blacklist option) I get the 2 'blank' (i.e. with no references) chains - blacklst and blackout - and no warnings. This, though, has a knock-on effect on the other interfaces (see 6 below).

2. During compile I am getting this warning:

   Use of uninitialized value in addition (+) at /usr/share/shorewall/Shorewall/Chains.pm line 712.
   Use of uninitialized value in addition (+) at /usr/share/shorewall/Shorewall/Chains.pm line 712.

3. I don't know whether it is meant to be this way, but the forward chain on lo is named lo_fwd, while on ethX it is ethX_frwd.

4. I don't know whether this would be treated as a syntax error, but specifying 'blacklist' in OPTIONS as well as in any of the other columns (IN_OPTIONS and/or OUT_OPTIONS) should at least produce a warning (no harm in doing that).

5. I have both src and dst specified in the blacklist file, but when I specify 'net - - blacklist' (i.e. OUT only) I am getting both blacklst and blackout chains with matching ipsets (it should be only the OUT part), and I do not get a warning.

6. When I specify 'net - blacklist' (i.e. IN only) I am getting the right result - a blacklist chain with 2 references (net2fw and ethx_frwd), blacklist is missing and I get a warning as well; however, if I put the 'blacklist' option in the fw zone (in the OPTIONS column) I get a 'blank' blackout and NO warnings. I suspect I would get similar results with other similar permutations on the fw and net zones.

The new layout of the chains is good, and I see blacklst and blackout are the first in it, which is great.

That is what I found within an hour or so. Tomorrow I will continue.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
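The following script is an added example, not part of the post above and not Shorewall's own code. It applies the quoted rules (blacklist in IN_OPTIONS selects the 'src' entries and the blacklst chain, OUT_OPTIONS selects the 'dst' entries and the blackout chain, OPTIONS means both, and 'from'/'to' remain aliases for 'src'/'dst') to constructed zones and blacklist fragments, then checks a constructed `iptables -S` dump for the chains those rules call for, the way the poster inspected the generated chains and their reference counts. It also implements the redundancy warning the poster asks for in point 4. Assumed, because the page does not state them: the blacklist file's column order (ADDRESS/SUBNET PROTOCOL PORTS OPTIONS), that an entry with no OPTIONS counts as 'src', and the interface name eth0.

```shell
#!/bin/sh
# Added example (not Shorewall code): predict the blacklist chains the zones
# file asks for and compare them with an iptables -S dump.

# Constructed /etc/shorewall/zones: ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS.
# 'net - blacklist -' is the poster's "IN only" case.
ZONES='fw   firewall
net  ipv4  -  blacklist  -
loc  ipv4  -  -          -'

# Constructed /etc/shorewall/blacklist (column order is an assumption):
# ADDRESS/SUBNET PROTOCOL PORTS OPTIONS
BLACKLIST='192.0.2.0/24   -  -  src
198.51.100.7   -  -  dst
203.0.113.9    -  -  src,dst
203.0.113.10   -  -  from'

# Constructed `iptables -S` output for the "IN only" case: blacklst exists and
# is referenced from net2fw and eth0_frwd; blackout was never created.
IPT='-N blacklst
-N eth0_frwd
-N net2fw
-A net2fw -j blacklst
-A eth0_frwd -j blacklst
-A blacklst -s 192.0.2.0/24 -j DROP
-A blacklst -s 203.0.113.9/32 -j DROP'

# Directions the zones file enables: "in" (blacklst, 'src' entries) and/or
# "out" (blackout, 'dst' entries). 'blacklist' in OPTIONS counts as both.
blacklist_dirs() {   # $1 = zones file contents
    printf '%s\n' "$1" | awk '
        function has(f, kw,   n, a, i) { n = split(f, a, ","); for (i = 1; i <= n; i++) if (a[i] == kw) return 1; return 0 }
        /^#/ || NF == 0 { next }
        { if (NF >= 3 && has($3, "blacklist")) { inflag = 1; outflag = 1 }
          if (NF >= 4 && has($4, "blacklist")) inflag = 1
          if (NF >= 5 && has($5, "blacklist")) outflag = 1 }
        END { if (inflag) print "in"; if (outflag) print "out" }'
}

# Zones that put 'blacklist' in OPTIONS and also in IN_OPTIONS/OUT_OPTIONS
# (the warning proposed in point 4 of the post).
redundant_zones() {   # $1 = zones file contents
    printf '%s\n' "$1" | awk '
        function has(f, kw,   n, a, i) { n = split(f, a, ","); for (i = 1; i <= n; i++) if (a[i] == kw) return 1; return 0 }
        /^#/ || NF == 0 { next }
        NF >= 4 && has($3, "blacklist") && (has($4, "blacklist") || (NF >= 5 && has($5, "blacklist"))) { print $1 }'
}

# Addresses one direction matches: src/from for "in", dst/to for "out".
# Assumption: a missing or "-" OPTIONS column means 'src'.
blacklist_addrs() {   # $1 = in|out, $2 = blacklist file contents
    printf '%s\n' "$2" | awk -v dir="$1" '
        function has(f, kw,   n, a, i) { n = split(f, a, ","); for (i = 1; i <= n; i++) if (a[i] == kw) return 1; return 0 }
        /^#/ || NF == 0 { next }
        { opts = (NF >= 4 && $4 != "-") ? $4 : "src"
          if (dir == "in"  && (has(opts, "src") || has(opts, "from"))) print $1
          if (dir == "out" && (has(opts, "dst") || has(opts, "to")))   print $1 }'
}

# Number of rules jumping to a chain, and whether the chain was declared.
chain_refs()   { printf '%s\n' "$2" | awk -v c="$1" '$1 == "-A" && $(NF-1) == "-j" && $NF == c { n++ } END { print n + 0 }'; }
chain_exists() { printf '%s\n' "$2" | grep -q -e "^-N $1\$"; }

# One line per chain: ok / MISSING / unexpected / not needed.
check_chains() {   # $1 = zones file contents, $2 = iptables -S dump
    dirs=$(blacklist_dirs "$1")
    for d in in out; do
        case $d in in) chain=blacklst ;; out) chain=blackout ;; esac
        if printf '%s\n' "$dirs" | grep -qx "$d"; then
            if chain_exists "$chain" "$2" && [ "$(chain_refs "$chain" "$2")" -gt 0 ]; then
                echo "$chain: ok ($(chain_refs "$chain" "$2") references)"
            else
                echo "$chain: MISSING or unreferenced"
            fi
        elif chain_exists "$chain" "$2"; then
            echo "$chain: unexpected (no zone asked for $d)"
        else
            echo "$chain: not needed"
        fi
    done
}

echo "directions: $(blacklist_dirs "$ZONES" | tr '\n' ' ')"
echo "in  addresses: $(blacklist_addrs in  "$BLACKLIST" | tr '\n' ' ')"
echo "out addresses: $(blacklist_addrs out "$BLACKLIST" | tr '\n' ' ')"
check_chains "$ZONES" "$IPT"
echo "--- same dump, but 'net ipv4 blacklist' (both directions) ---"
check_chains 'net ipv4 blacklist' "$IPT"
```

Point the functions at the real files with `blacklist_dirs "$(cat /etc/shorewall/zones)"` and `check_chains "$(cat /etc/shorewall/zones)" "$(iptables -S)"`; a chain reported as "unexpected" or "MISSING" is the mismatch the post describes in points 5 and 6.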
