Tom

On Fri, Apr 8, 2016, at 08:51 AM, Tom Eastep wrote:
> Shorewall's dynamic blacklisting doesn't use ipsets -- it simply appends
> iptables rules to the 'dynamic' chain. So, using an ipset is a more
> efficient mechanism if you plan on banning a large number of addresses.

Ok, took me a couple more re-reads to get that :-/  Chalk it up to wishful 
thinking!

So, in the "it'd be nice" category ...  this is what I do.  It'd be nice to be 
able to replace it with only SW.  I understand there may be good reason NOT to.


I currently use shorewall & fail2ban, with iptables & ipsets.

So I get to deal with all the various commands.

I try to simplify where I can by only using IPSETs.

So on firewall startup, I have external scripts that create, and reload if 
required, IPSETs.

Shorewall then uses them in rules.

One of the IPSETs I create shorewall doesn't currently use.

It's a "dynamic" list.  I've cobbled up my own 

  dynfw.pl <action> <ipaddr, ipnet:cidr> <expire_time>

script.

Depending on whether the target is an address or range, it gets acted on in one 
of two IPSETs -- for addresses or CIDR ranges.

<action>s include 'drop', 'reject', 'del', 'purge' (the whole list)

I can use these commands just as easily in fail2ban actions.

It all works well.

Looking at SW's "Dynamic Blacklist" capability, if IPSET support was added, it 
could effectively replace all this external stuff, and make it possible to use 
the SW commands almost exclusively.

In conf, if there were something like

 DYNAMIC_BLACKLIST=(yes,no)
 DYNAMIC_BLACKLIST_TYPE=(iptable,ipset)
 DYNAMIC_BLACKLIST_PERSIST=(yes,no)
 DYNAMIC_BLACKLIST_NAME=(default,<some name>)

and the logic to go with it, well

"it'd be nice".

Jason
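As an added illustration of the setup Jason describes (this is not his dynfw.pl, and not Shorewall or fail2ban code), here is a POSIX shell script with the same `<action> <ipaddr|net/cidr> <expire_time>` interface. It uses ipset's per-entry `timeout` for the expiry, routes bare addresses into a hash:ip set and CIDR ranges into a hash:net set, and uses `ipset save`/`ipset restore` for the reload-on-startup step. The set names, the state directory, the layout of one ip/net set pair per verdict, and the `DYNFW_DRY_RUN` switch are assumptions made for the example.

```shell
#!/bin/sh
# dynfw.sh - ipset-backed dynamic blacklist with the interface
#   dynfw.sh <drop|reject|del|purge|setup|save> <ipaddr|net/cidr> [expire_seconds]
# Hypothetical example: not Jason's dynfw.pl and not part of Shorewall or
# fail2ban.  Set names, the state directory and the one ip/net set pair per
# verdict are assumptions.  DYNFW_DRY_RUN=1 prints each ipset command instead
# of running it, so the selection logic can be exercised without ipset.

DYNFW_STATE=${DYNFW_STATE:-/var/lib/dynfw}          # assumed save location
DYNFW_SETS="dynfw_drop_ip dynfw_drop_net dynfw_reject_ip dynfw_reject_net"

run() {                                  # run a command, or print it in dry-run mode
    if [ -n "$DYNFW_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Only digits, dots and slashes are let through (the sets are family inet, so
# IPv4 only); ipset itself still rejects a malformed address.  A fail2ban <ip>
# that somehow carries spaces or a leading '-' never reaches the command line.
valid_target() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# A target containing '/' belongs in the hash:net set, a bare address in the
# hash:ip set.  Prints the set name.
set_for() {                              # set_for <drop|reject> <target>
    case $2 in
        */*) printf 'dynfw_%s_net\n' "$1" ;;
        *)   printf 'dynfw_%s_ip\n'  "$1" ;;
    esac
}

# Firewall start: create the sets with per-entry timeouts enabled, then reload
# the last save (ipset save writes the remaining timeout with each entry).
# Shorewall rules then reference the sets as +dynfw_drop_ip, +dynfw_reject_net, etc.
dynfw_setup() {
    for v in drop reject; do
        run ipset -exist create "dynfw_${v}_ip"  hash:ip  family inet timeout 0
        run ipset -exist create "dynfw_${v}_net" hash:net family inet timeout 0
    done
    [ -f "$DYNFW_STATE/sets.save" ] &&
        run ipset -exist -file "$DYNFW_STATE/sets.save" restore
    return 0
}

# Persist the dynamic sets (e.g. from cron, or before a reboot).
dynfw_save() {
    if [ -n "$DYNFW_DRY_RUN" ]; then
        for s in $DYNFW_SETS; do run ipset save "$s"; done
        return 0
    fi
    mkdir -p "$DYNFW_STATE" &&
        for s in $DYNFW_SETS; do ipset save "$s"; done > "$DYNFW_STATE/sets.save.tmp" &&
        mv "$DYNFW_STATE/sets.save.tmp" "$DYNFW_STATE/sets.save"
}

dynfw() {                                # dynfw <action> <target> [expire_seconds]
    action=$1 target=$2 expire=${3:-0}   # timeout 0 = permanent entry
    case $action in
        drop|reject)
            valid_target "$target" || { echo "dynfw: bad target '$target'" >&2; return 2; }
            case $expire in ''|*[!0-9]*) echo "dynfw: bad expire '$expire'" >&2; return 2 ;; esac
            # -exist: re-banning an address refreshes its timeout instead of failing
            run ipset -exist add "$(set_for "$action" "$target")" "$target" timeout "$expire" ;;
        del)
            valid_target "$target" || { echo "dynfw: bad target '$target'" >&2; return 2; }
            # the entry may sit in either verdict's set; -exist keeps del quiet otherwise
            for v in drop reject; do
                run ipset -exist del "$(set_for "$v" "$target")" "$target"
            done ;;
        purge)
            for s in $DYNFW_SETS; do run ipset flush "$s"; done ;;
        *)
            echo "usage: dynfw.sh <drop|reject|del|purge|setup|save> <ipaddr|net/cidr> [expire_seconds]" >&2
            return 2 ;;
    esac
}

# fail2ban action file (assumes a fail2ban version that exposes the <bantime> tag):
#   actionban   = /usr/local/sbin/dynfw.sh drop <ip> <bantime>
#   actionunban = /usr/local/sbin/dynfw.sh del <ip>
case ${1:-} in
    setup) dynfw_setup ;;
    save)  dynfw_save ;;
    '')    ;;                            # no arguments: define the functions only
    *)     dynfw "$@" ;;
esac
```

Run `dynfw.sh setup` from the firewall start hook before the Shorewall rules that reference the sets are loaded, and `dynfw.sh save` periodically; `DYNFW_DRY_RUN=1 dynfw.sh drop 203.0.113.7 3600` shows the exact ipset command that would be issued.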

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users