On Sat, Sep 27, 2014, at 11:02 AM, Tom Eastep wrote:

>> In the dynamic blacklist management/saving specifically, and SAVE_IPSET
>> mgmt in general, (how) do you differentiate between single addresses and
>> ranges?
>
> I think you are misunderstanding SAVE_IPSETS. That facility uses the
> ipset -S command to save the contents of the ipsets in a text file and
> reloads them from a text file.
ah, "-S". Ok. That, then, still leaves my subsequent musings about
redundancy and saving only specific IPSETs ...

> I'm going to have to give that some thought, because there are actually
> four commands:
>
> drop
> logdrop
> reject
> logreject

IIUC, those commands are ONLY used in the context of DYNAMIC_BLACKLISTING,
is that correct?

If so, if I were doing this from scratch, I'd bundle it all within a single
context:

shorewall[6][-lite] blacklist {drop,reject,remove} [log]

e.g.

shorewall-lite blacklist drop log X.X.X.X/NN

or

shorewall6-lite blacklist reject XXXX:XXXX::

etc

then perl-parsing the IP 4/6 target addresses for CIDR = /32 or (null), or
CIDR = /1 - /31, and writing to appropriate hash:ip or hash:net IPSETs,
which could subsequently be stored persistently if DYNAMIC_BLACKLIST = ipset.

the additional 'remove' action could be used to (wildcard?) search & match
the existing entries in DYNAMIC_BLACKLIST's IPSET and remove them ...

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
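The front end proposed in the message above (one `blacklist {drop,reject,remove} [log] ADDR` command that sorts a target into a hash:ip or hash:net set), modelled as an added example. This is not Shorewall code and not part of the thread; Shorewall's own implementation is Perl and its real set names are not given here. The set names (dbl4_drop_ip, dbl6_logreject_net, ...) are assumed for illustration, the `log` flag is mapped back onto the four existing commands (drop/logdrop/reject/logreject), and the single-host rule is generalised to IPv6 (/128, not only /32). Two checks the proposal does not mention are added: a target with host bits set under a shorter prefix (192.0.2.5/24) is refused as ambiguous, and /0 is refused because it would blacklist everything. ipset commands are returned as strings rather than executed, so the example runs without root.

```python
"""Added example, not Shorewall's code: model the proposed
`blacklist {drop,reject,remove} [log] ADDR` dispatch on top of ipset.
Set names and the per-command set layout are assumptions."""

import ipaddress

ACTIONS = ("drop", "reject")


def command_name(action, log=False):
    """Map the bundled syntax onto the four existing commands."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return f"log{action}" if log else action


def classify(target):
    """Return (family, kind, network) for an IPv4/IPv6 host or CIDR string.

    kind is 'ip' for a single host (no prefix, /32 or /128) and 'net'
    otherwise.  Host bits set under a shorter prefix and /0 are refused."""
    try:
        net = ipaddress.ip_network(target)   # strict: host bits must be clear
    except ValueError as e:
        raise ValueError(f"bad target {target!r}: {e}") from None
    if net.prefixlen == 0:
        raise ValueError(f"refusing {target!r}: /0 would blacklist everything")
    kind = "ip" if net.prefixlen == net.max_prefixlen else "net"
    return net.version, kind, net


def is_valid_target(target):
    """True if classify() would accept the target."""
    try:
        classify(target)
        return True
    except ValueError:
        return False


def set_name(family, command, kind):
    # Assumed naming convention: dbl<4|6>_<command>_<ip|net>
    return f"dbl{family}_{command}_{kind}"


def create_commands():
    """ipset create lines for every set; -exist makes them idempotent."""
    out = []
    for family, inet in ((4, "inet"), (6, "inet6")):
        for action in ACTIONS:
            for log in (False, True):
                cmd = command_name(action, log)
                for kind in ("ip", "net"):
                    out.append(f"ipset create {set_name(family, cmd, kind)} "
                               f"hash:{kind} family {inet} -exist")
    return out


def add_command(action, target, log=False):
    """The single ipset add that `blacklist ACTION [log] TARGET` would run."""
    family, kind, net = classify(target)
    entry = str(net.network_address) if kind == "ip" else net.with_prefixlen
    name = set_name(family, command_name(action, log), kind)
    return f"ipset add {name} {entry} -exist"


def remove_commands(target, current):
    """`blacklist remove TARGET`: delete every entry, in any set, that lies
    inside TARGET.  current maps set name -> iterable of entry strings
    (as you would parse them from `ipset save` output).  A host target
    matches only itself; a network target also sweeps up covered hosts
    and subnets."""
    family, _, want = classify(target)
    out = []
    for name, entries in current.items():
        for e in entries:
            have = ipaddress.ip_network(e)
            if have.version == family and have.subnet_of(want):
                out.append(f"ipset del {name} {e} -exist")
    return out


if __name__ == "__main__":
    # Constructed sample state standing in for parsed `ipset save` output.
    state = {"dbl4_drop_ip": ["192.0.2.5", "203.0.113.9"],
             "dbl4_drop_net": ["192.0.2.0/25"]}
    print(add_command("drop", "192.0.2.5", log=True))
    print(add_command("reject", "2001:db8::/48"))
    print("\n".join(remove_commands("192.0.2.0/24", state)))
```

Feeding the returned strings to `ipset restore` (or running them one by one) and then `ipset save` would give exactly the text-file round trip that SAVE_IPSETS relies on; the remove path deliberately matches by containment rather than string equality so that a /24 removal also clears hosts that were added individually.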