On 06/13/2013 07:32 AM, Brian Burch wrote:
> I have recently started blacklisting by accumulating lines in the
> blrules file, e.g.
>
> DROP net:200.62.170.200 all
>
> The number of lines is growing fairly quickly, so it occurred to me that
> I could improve maintenance by defining a macro to hide the fixed
> elements of these lines.
>
> I read http://shorewall.net/Macros.html carefully, but found it somewhat
> confusing because of the changes to macro support in recent releases.
>
> I thought I could code my entries very simply like this:
>
> KillHost 200.62.170.200

Which entries? In your rules file or in the Macros?

> I am running shorewall 4.5.5.3, so I tried to use the format1 style in
> my macro.KillHost as follows:
>
> #ACTION SOURCE DEST
> DROP net:PARAM all
>
> ... but that was rejected "unknown destination zone (all)". Although
> this message does not really describe my syntax error, I take it to mean
> that I can only associate PARAM with the first field (ACTION). Is that
> correct?

No -- it means that 'all' can't be used within the body of a macro.
Actually, it is very unusual to even use zone names within a macro as
most people inherit the zones from the macro invocation (in the rules
file).

> I read the section titled "Shorewall 4.4.16 and Later". I found the
> description of multiple parameters and default values confusing. I tried
> several permutations, although I am unsure what features would be
> acceptable (because I don't have 4.5.10), e.g.
>
> #ACTION SOURCE DEST
> DEFAULT 1 DROP
> $1 net:$2 all

You are now mixing Macros and Actions. Actions support multiple
parameters; macros do not. The section you refer to is explaining that
a macro name can appear in the policy file as a default action for a
given policy.

> Could you help me with the correct syntax? If you are confident that
> something like this should work, I will try upgrading to a newer version.

Your entry in /etc/shorewall/rules would look something like:

KillHost net all

and entries in macro.KillHost then give the details of the blacklisting
that you want, including source and destination IP addresses, protocols
and ports. e.g.:

DROP 1.2.3.4 #Drop all requests from net:1.2.3.4
DROP - - tcp 25 #Drop SMTP
...

HTH,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
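The maintenance problem Brian describes (a blrules file that grows one "DROP net:<address> all" line at a time) can also be handled outside Shorewall by keeping the addresses in a plain list and rendering the blrules lines from it. The following is an added example, not code from the thread or from the Shorewall project; the function names, the sample list and the use of tabs as field separators are assumptions.

```python
"""Render Shorewall blrules entries from a one-address-per-line host list.

Added example (not from the thread or the Shorewall project). Duplicate,
adjacent and overlapping networks are collapsed so the rendered file
stays as short as the blocked address space allows.
"""
import ipaddress

# Constructed sample input: the one address quoted in the thread plus
# RFC 5737 documentation ranges. '#' starts a comment, as in Shorewall files.
SAMPLE_HOSTLIST = """
200.62.170.200
203.0.113.4
203.0.113.5          # adjacent host: merges with .4 into a /31
203.0.113.4          # duplicate: removed by the collapse step
198.51.100.0/25
198.51.100.128/25    # two halves: merge back into one /24
not-an-ip            # malformed: reported, never silently skipped
"""


def parse_hostlist(text):
    """Return (networks, rejected): valid ip_network objects and bad entries."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False lets a bare host such as '203.0.113.5' through as /32.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def blrules_lines(networks, zone="net", action="DROP"):
    """Collapse the networks (per IP version) and emit one blrules line each."""
    lines = []
    for version in (4, 6):
        same_version = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(same_version):
            # A single host is written bare, as in the thread; others as CIDR.
            target = str(net.network_address) if net.num_addresses == 1 else str(net)
            lines.append(f"{action}\t{zone}:{target}\tall")
    return lines


if __name__ == "__main__":
    nets, bad = parse_hostlist(SAMPLE_HOSTLIST)
    print("\n".join(blrules_lines(nets)))
    print("# rejected entries:", ", ".join(bad) if bad else "none")
```

Rejected entries are returned rather than dropped, so a typo in the list cannot silently remove a block; review them before copying the output into blrules.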
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
