Thanks Matt - I'm not sure if I can do it the following way - I'm trying to keep the blrules file as obvious as possible by separating the whitelist from the excluded ranges within it. The idea is that this would make it easy to just put in a new IP or IP range to DROP without having to work out which CIDR block it is included in every time, and to keep the lines short if multiple randoms need DROPping in a range at later dates.
I.e. will my EXCLUSION block go back and remove that range from the WHITELIST, and my DROP block drop everything not whitelisted? This is a sample blrules to show what I'm trying to do - would this work?

------------------------------------------------------------------
#
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################
#ACTION		SOURCE			DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
#							PORT	PORT(S)	DEST		LIMIT	GROUP

### WHITELIST BLOCK STARTS HERE ###
# system and specials
WHITELIST	net:[2001:DB8::/64]	all

# rest of whitelists
WHITELIST	net:2.16.9.0/24		all
WHITELIST	net:64.209.92.221/32	all
## END WHITELIST

### EXCLUSION BLOCK STARTS HERE ###
# EXCLUSION LIST FROM ABOVE WHITELISTING
# This is added AFTER the whitelist rules
# To remove the ranges from the whitelist
# When a whitelist block is added put the
# exclusions to it here
WHITELIST	!2.16.9.1-2.16.9.128	all

### DROP BLOCK STARTS HERE ###
# THIS SECTION IS THE MAIN DROP LIST
# This drops everything not in the
# whitelist block - to be clear ...
# The exclusion block is dropped too
DROP		net:0.0.0.0-255.255.255.255	all
--------------------------- END -----------------------------------

Will this work, or can you see a way to do something similar?

thanks
jaz

> On Sat, 2017-05-13 at 17:37 +0200, Matt Darfeuille wrote:
> From:
> http://shorewall.org/manpages/shorewall-blrules.html
>
> "Example 2:
> Don't subject packets from 2001:DB8::/64 to the remaining rules in the file.
> WHITELIST net:[2001:DB8::/64] all"
>
> So the following should do what you want:
>
> WHITELIST ...
> DROP ...
>
> See also:
> http://shorewall.org/configuration_file_basics.htm#Exclusion
> http://shorewall.org/manpages/shorewall-exclusion.html
> -Matt

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
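The question above turns entirely on rule order. The following simulator is an editor's addition, not code from the thread or from the Shorewall project: it walks a rule list top to bottom with first-match-wins semantics, treats WHITELIST as "exempt from every later blrule" (the reading the manpage excerpt Matt quoted gives for Example 2) and treats a leading `!` as negating the address test. Those three semantics, the "missing zone matches any zone" shortcut, and the sample packets are assumptions made here so that the posted ruleset can be traced; the second ruleset (`RULES_DROP_FIRST`) is the editor's suggested ordering, not something proposed in the thread.

```python
import ipaddress

# Constructed sample modelled on the blrules in the post above, in the order jaz posted.
# Assumptions used by this simulator: rules are evaluated top to bottom and the first
# match wins, WHITELIST exempts the packet from every later blrule, and a leading '!'
# negates the address test.
RULES_AS_POSTED = [
    ("WHITELIST", "net:[2001:DB8::/64]", "all"),
    ("WHITELIST", "net:2.16.9.0/24", "all"),
    ("WHITELIST", "net:64.209.92.221/32", "all"),
    ("WHITELIST", "!2.16.9.1-2.16.9.128", "all"),   # the posted "exclusion" line
    ("DROP", "net:0.0.0.0-255.255.255.255", "all"),
]

# Alternative ordering (editor's suggestion, not from the thread): drop the sub-range
# before the /24 is whitelisted, so first-match evaluation performs the exclusion.
RULES_DROP_FIRST = [
    ("DROP", "net:2.16.9.1-2.16.9.128", "all"),
    ("WHITELIST", "net:[2001:DB8::/64]", "all"),
    ("WHITELIST", "net:2.16.9.0/24", "all"),
    ("WHITELIST", "net:64.209.92.221/32", "all"),
    ("DROP", "net:0.0.0.0-255.255.255.255", "all"),
]


def parse_source(spec):
    """Split a SOURCE column into (zone, negated, ip_version, low_int, high_int).

    Accepts 'zone:addr', 'zone:!addr', or a bare '!addr' / 'addr'. addr may be a
    single IP, a CIDR block, a bracketed IPv6 block, or a 'first-last' range.
    """
    zone, sep, addr = spec.partition(":")
    if not (sep and zone.isalpha()):
        zone, addr = None, spec          # no zone prefix (or a bare IPv6 literal)
    negated = addr.startswith("!")
    addr = addr.lstrip("!").strip("[]")
    if "-" in addr:
        first, last = (ipaddress.ip_address(p) for p in addr.split("-", 1))
    else:
        net = ipaddress.ip_network(addr, strict=False)
        first, last = net[0], net[-1]
    return zone, negated, first.version, int(first), int(last)


def source_matches(spec, pkt_zone, pkt_ip):
    """True if a packet from pkt_zone/pkt_ip satisfies the SOURCE column."""
    zone, negated, version, low, high = parse_source(spec)
    # Modelling shortcut: a missing zone matches any zone. Shorewall's own SOURCE
    # column expects a zone, so the posted line would more likely be rejected outright.
    if zone is not None and zone != pkt_zone:
        return False
    ip = ipaddress.ip_address(pkt_ip)
    in_range = ip.version == version and low <= int(ip) <= high
    return in_range != negated


def evaluate(rules, pkt_zone, pkt_ip):
    """Return the action of the first rule whose SOURCE matches, or 'NO_MATCH'."""
    for action, source, _dest in rules:
        if source_matches(source, pkt_zone, pkt_ip):
            return action
    return "NO_MATCH"


if __name__ == "__main__":
    # Constructed sample sources: inside the excluded range, elsewhere in the /24,
    # the single whitelisted host, and an address in none of the whitelisted blocks.
    for ip in ("2.16.9.50", "2.16.9.200", "64.209.92.221", "8.8.8.8"):
        print(f"{ip:>15}  posted: {evaluate(RULES_AS_POSTED, 'net', ip):<9}"
              f"  drop-first: {evaluate(RULES_DROP_FIRST, 'net', ip)}")
```

Under these assumptions the posted order never drops anything: 2.16.9.50 is exempted by the `net:2.16.9.0/24` WHITELIST before the exclusion line is reached, and the negated WHITELIST then exempts every address outside 2.16.9.1-2.16.9.128 (8.8.8.8 included), so the final DROP is unreachable. Putting the DROP for the sub-range ahead of the /24 WHITELIST gives the intended result with one short line per excluded range; the other route is an exclusion written into the WHITELIST rule's own SOURCE column, which is what the shorewall-exclusion page Matt linked covers.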
