Shorewall Version 4.5.4

Yes, that will do just fine. However, it might be nice to have a separate option for dynamic blocking that defaults to BLACKLISTNEWONLY=No, like BLACKLISTDYNAMICNEWONLY=No.

Thanks again. I'll just use that for now.

On Wed, Jul 17, 2013 at 5:45 PM, Tom Eastep <[email protected]> wrote:
> On 07/17/2013 05:10 PM, johnny bowen wrote:
>> Currently when I want to dynamically blacklist an IP I can run:
>> # shorewall block $ip
>> However the rules that are added are generated from
>> -A loc2net -m conntrack --ctstate NEW,INVALID -j dynamic
>> -A net2loc -m conntrack --ctstate NEW,INVALID -j dynamic
>> ... and so on.
>> So if I want to block an IP that already has an ESTABLISHED
>> connection, I have to block it, then kill the connection. In my case I
>> had to do something like:
>> # shorewall drop $ip
>> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=0
>> # sleep 2s
>> # sysctl -w net.netfilter.nf_conntrack_udplite_timeout_stream=180
>> (default value)
>>
>> Note: I was dealing with a UDP connection (established SIP, which times
>> out in 180s).
>>
>> The problem I see is that when we want to add to the blacklist
>> dynamically, there's probably an immediate issue that needs
>> resolution. If it was premeditated we'd just add the IP to blacklist
>> or blrules.
>>
>> Is it possible to change the ctstate for the target chain 'dynamic' to
>> include ESTABLISHED?
>
> Depending on your shorewall version, check out BLACKLISTNEWONLY or
> BLACKLIST in shorewall.conf (5).
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
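The thread above turns on one netfilter detail: a dynamic blacklist chain that is only entered for packets in the NEW or INVALID conntrack state cannot touch a flow that is already ESTABLISHED, so the blocked peer keeps talking until its conntrack entry expires. Below is an added example (not code from the thread or from the Shorewall project) of the "block, then kill the connection" step done with conntrack-tools instead of a sysctl timeout trick: it adds the address to Shorewall's dynamic blacklist with `shorewall drop` and then deletes every conntrack entry in which the address is the original source or destination. It assumes Shorewall 4.5.x and the `conntrack` command from conntrack-tools are installed and that it runs as root; the function names, the `DRY_RUN` switch and the IPv4 check are my own additions. If `BLACKLISTNEWONLY=No` is set in shorewall.conf, as Tom suggests, the blacklist chain is consulted for all packets and the conntrack deletion is no longer needed for the block to take effect.

```shell
#!/bin/sh
# block_now.sh: block an address immediately under Shorewall (added example).
# Step 1 adds the address to the dynamic blacklist; step 2 removes its existing
# conntrack entries so an ESTABLISHED flow cannot bypass a blacklist chain that is
# only jumped to for --ctstate NEW,INVALID (BLACKLISTNEWONLY=Yes).
set -eu

# run: execute a command, or only print it when DRY_RUN=1 (preview / testing).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# valid_ipv4: POSIX-sh check that $1 is a dotted-quad IPv4 address with octets 0-255.
# Added here so a typo never reaches 'shorewall drop' or 'conntrack -D'.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# block_now: dynamic-blacklist the address and tear down its live connections.
block_now() {
  ip=$1
  valid_ipv4 "$ip" || { echo "block_now: invalid IPv4 address: $ip" >&2; return 2; }

  # 1. Dynamic blacklist with DROP (same command the original poster used).
  run shorewall drop "$ip"

  # 2. Delete conntrack entries where the address is the original source
  #    (flows the peer initiated) or the original destination (flows we
  #    initiated towards it). conntrack -D exits non-zero when nothing matched,
  #    which is not an error for our purposes.
  run conntrack -D -s "$ip" || true
  run conntrack -D -d "$ip" || true
}

# Usage: ./block_now.sh 192.0.2.10
#        DRY_RUN=1 ./block_now.sh 192.0.2.10   (print the commands instead)
if [ $# -gt 0 ]; then
  block_now "$1"
fi
```

The deletion is by original-direction address in both roles; for a UDP SIP flow like the one in the thread, the peer's entry is removed at once rather than after the 180-second stream timeout, and the next packet from that peer is classified NEW and hits the `dynamic` chain.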
