So, per a previous discussion on this list I have been using ipsets to
manage a fail2ban populated blacklist.  In the blacklist file I have:


<IP ADDRESS 1>
<IP ADDRESS 2>
...
<IP ADDRESS N>
+fail2ban
+fail2ban_perm


And then fail2ban has actions to insert and remove items from those
ipsets.  Good so far.

One problem is though that I am finding that those ipsets are not
automatically created.  I noticed a section in my init that is creating
ipsets:

#START IPSET CREATION -- DO NOT REMOVE
new_ipset() {
        local NAME="$1"
        ipset -L "$NAME" >/dev/null 2>&1 || {
                /bin/echo -e "$NAME...\c"
                ipset -N "$NAME" iphash
        }
}

/bin/echo -e "Creating any undefined ipsets...\c"
new_ipset "foo"
...
new_ipset "abc_gw"
ABC_GATEWAY=$(detect_gateway $ABCIF)
ipset -A abc_gw "$ABC_GATEWAY"
echo
#END IPSET CREATION -- DO NOT REMOVE

That code looks like something I would write but I don't know where it
came from since it appears to be getting inserted into init by the
generated firewall script and I can't find it anywhere else.

In any case, a couple of questions:

      * are ipsets in general supposed to be created by shorewall? 
      * are ipsets in the blacklist supposed to be created by
        shorewall? 
      * what are the best known practices for saving *selected* ipsets so
        that shorewall reloads them on restart/reload? 
              * I have a number of ipsets which I don't think I want
                restored on a shorewall restart/reload 

I'm using Shorewall 4.5.15 on Fedora 19 FWIW.

Cheers,
b.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
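An added example, not part of the original post and not Shorewall's own mechanism: one way to persist only the two blacklist ipsets named in the post and recreate them before the firewall rules load. The function names, the SAVED_SETS variable and the STATE_DIR path are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: persist only selected ipsets (not Shorewall code).
# Set names come from the post; STATE_DIR is a hypothetical location.
SAVED_SETS="fail2ban fail2ban_perm"
STATE_DIR="${STATE_DIR:-/var/lib/ipset-selected}"

# Dump each selected set that currently exists into its own file.
save_selected_ipsets() {
    mkdir -p "$STATE_DIR" || return 1
    for name in $SAVED_SETS; do
        # Same existence probe as the init fragment in the post.
        ipset -L "$name" >/dev/null 2>&1 || continue
        tmp="$STATE_DIR/$name.tmp"
        # Write to a temp file so a failed save never clobbers a good dump.
        if ipset save "$name" >"$tmp"; then
            mv "$tmp" "$STATE_DIR/$name.save"
        else
            rm -f "$tmp"
            return 1
        fi
    done
}

# Recreate and refill the selected sets. -exist keeps this idempotent:
# an already existing set or entry is not treated as an error.
restore_selected_ipsets() {
    for name in $SAVED_SETS; do
        if [ -s "$STATE_DIR/$name.save" ]; then
            ipset -exist restore <"$STATE_DIR/$name.save" || return 1
        else
            # No dump yet: create an empty set so rules that reference
            # it can load. hash:ip is the current name for iphash.
            ipset -exist create "$name" hash:ip || return 1
        fi
    done
}
```

Sets not listed in SAVED_SETS are never dumped or recreated, so they are left exactly as whatever else manages them leaves them.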