Hello list, Hello Tom,

I'm trying to set up shorewall for the following situation:

A server linked to the outside world via a static IP (currently 192.168.* but later it will have a "real" one, but fixed/static). Some virtual machines, all done with kvm; they'll all have their fixed/static IP addresses.

The connections look great, I can easily fine-tune who may connect how (rules file).

What I can't get running: blacklisting. All the connections get through, nothing gets blacklisted. (ping from 192.168.2.100 (physically outside machine) to the kvm guest gets through, but should be blocked by blacklist).

So my question is, what am I doing wrong? I read that blacklist only makes sense with interfaces, but as soon as I apply that to br0:eth0, I get the message ("Bridge Ports may not have options").

Plus I've got a more general question: Is my configuration correct for the above setup?

I hope I didn't get the whole thing totally wrong.

TIA!
Greetings
Michael
PS: My configuration:
==========================================
dpkg -l|grep shorewall
ii shorewall 4.0.15-1 Shoreline
Firewall, netfilter configurator -
ii shorewall-common 4.0.15-1 Shoreline
Firewall, netfilter configurator -
ii shorewall-doc 4.0.15-1
documentation for Shoreline Firewall (Shorew
ii shorewall-perl 4.0.15-1 Shoreline
Firewall, Netfilter configurator (
ii shorewall-shell 4.0.15-1 Shoreline
Firewall, Netfilter configurator (
==========================================
/etc/shorewall/zones:
fw firewall
world ipv4
loc:world bport
net:world bport
==========================================
/etc/shorewall/interfaces:
world br0 detect blacklist,bridge,routeback
net br0:eth0 detect
loc br0:vnet0 detect
==========================================
$ grep BLACK /etc/shorewall/shorewall.conf
BLACKLIST_LOGLEVEL=info
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
BLACKLIST_DISPOSITION=DROP
==========================================
/etc/shorewall/policy:
loc net ACCEPT
$FW world ACCEPT
net all DROP info
net loc DROP info
all all REJECT info
==========================================
/etc/shorewall/blacklist:
192.168.2.100/32 - - ### test
==========================================
$ ifconfig
br0 Link encap:Ethernet HWaddr 00:30:48:d4:02:70
inet addr:192.168.2.107 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fed4:260/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:75866968 errors:0 dropped:0 overruns:0 frame:0
TX packets:41857 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:102290937721 (95.2 GiB) TX bytes:11120904 (10.6 MiB)
eth0 Link encap:Ethernet HWaddr 00:30:48:d4:02:70
inet6 addr: fe80::230:48ff:fed4:260/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:75867470 errors:0 dropped:0 overruns:0 frame:0
TX packets:42945 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:103353564746 (96.2 GiB) TX bytes:11242012 (10.7 MiB)
Memory:da020000-da040000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4470 errors:0 dropped:0 overruns:0 frame:0
TX packets:4470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4563943 (4.3 MiB) TX bytes:4563943 (4.3 MiB)
virbr0 Link encap:Ethernet HWaddr 3a:ac:28:5b:62:66
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::38ac:28ff:fe5b:6264/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)
vnet0 Link encap:Ethernet HWaddr 00:ff:e2:8a:51:81
inet6 addr: fe80::2ff:e2ff:fe8a:5180/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1595 errors:0 dropped:0 overruns:0 frame:0
TX packets:14152930 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:203054 (198.2 KiB) TX bytes:19251256789 (17.9 GiB)
==========================================
$ brctl show
bridge name bridge id STP enabled interfaces
br0 8000.003048d40260 no eth0
vnet0
virbr0 8000.000000000000 yes
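Added example (not part of the original post or of Shorewall itself): a small consistency check over the zones and interfaces files quoted above. It encodes the constraint the post runs into ("Bridge Ports may not have options") together with the bport/bridge pairing the posted configuration relies on; the file contents are constructed inline from the post.

```python
# Constructed from the /etc/shorewall/zones and /etc/shorewall/interfaces
# listings in the post (Shorewall 4.0 format: ZONE TYPE / ZONE INTERFACE BROADCAST OPTIONS).
ZONES = """\
fw firewall
world ipv4
loc:world bport
net:world bport
"""

INTERFACES = """\
world br0 detect blacklist,bridge,routeback
net br0:eth0 detect
loc br0:vnet0 detect
"""

def parse_zones(text):
    """Return {zone: type}; a 'child:parent' first field declares zone 'child'."""
    zones = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        zones[fields[0].split(":")[0]] = fields[1] if len(fields) > 1 else "ipv4"
    return zones

def check_interfaces(zones_text, interfaces_text):
    """Return a list of problems found; an empty list means the files look consistent."""
    zones, problems, bridges, ports = parse_zones(zones_text), [], set(), []
    for line in interfaces_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        zone, iface = fields[0], fields[1]
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        if zone not in zones:
            problems.append(f"{iface}: zone {zone!r} is not declared in zones")
        elif ":" in iface:                      # bridge-port entry such as br0:eth0
            ports.append((zone, iface, options))
        elif "bridge" in options:               # the bridge itself carries the options
            bridges.add(iface)
    for zone, iface, options in ports:
        if options:                             # the error Shorewall reports in the post
            problems.append(f"{iface}: bridge ports may not have options ({','.join(sorted(options))})")
        if zones[zone] != "bport":
            problems.append(f"{iface}: zone {zone!r} must be of type bport")
        if iface.split(":")[0] not in bridges:
            problems.append(f"{iface}: parent {iface.split(':')[0]} lacks the 'bridge' option")
    return problems
```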
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users