On 5/14/2017 12:54 PM, misc02 wrote:
> Thanks Matt -
>
> I'm not sure if I can do it the following way - I'm trying to keep
> the blrules file as obvious as possible by separating the whitelist
> from the excluded ranges within it. The idea is that this would make
> it easy to just put in a new IP or IP range to DROP without having
> to work out which CIDR block it is included in every time and
> keep the lines short if multiple randoms need DROPping in a range
> at later dates.
>
> I.e. will my EXCLUSION block go back and remove that range
> from the WHITELIST and my DROP block drop everything not whitelisted?
>

I don't think you need exclusion.

> This is a sample blrules to show what I'm trying to do - would this
> work?:
>
> ------------------------------------------------------------------
> #
> # Shorewall version 4 - Blacklist Rules File
> #
> # For information about entries in this file, type "man shorewall-blrules"
> #
> # Please see http://shorewall.net/blacklisting_support.htm for additional
> # information.
> #
> ###################################################################################################
> #ACTION    SOURCE    DEST    PROTO    DEST     SOURCE     ORIGINAL    RATE     USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH
> #                                     PORT     PORT(S)    DEST        LIMIT    GROUP
>
> ### WHITELIST BLOCK STARTS HERE ###
>
> # system and specials
> WHITELIST    net:[2001:DB8::/64]    all
>
> # rest of whitelists
> WHITELIST    net:2.16.9.0/24        all
> WHITELIST    net:64.209.92.221/32   all
>
> ## END WHITELIST
>
> ### EXCLUSION BLOCK STARTS HERE ###
>
> # EXCLUSION LIST FROM ABOVE WHITELISTING
> # This is added AFTER the whitelist rules
> # To remove the ranges from the whitelist
> # When a whitelist block is added put the
> # exclusions to it here
>
> WHITELIST    !2.16.9.1-2.16.9.128    all
>
>
> ### DROP BLOCK STARTS HERE ###
>
> # THIS SECTION IS THE MAIN DROP LIST
> # This drops everything not in the
> # whitelist block - to be clear ...
> # The exclusion block is dropped too
>
> DROP    net:0.0.0.0-255.255.255.255    all
>
> --------------------------- END -----------------------------------
>
> Will this work or can you see a way to do something similar?
>

Everything that's not in the WHITELIST action will be DROPped.

Assuming I got that right and based on your example (IPv4 only):

WHITELIST    net:192.168.1.0/24    all
DROP         net                   all

Any IP from the net zone will be dropped except 192.168.1.0/24.

If you want a more flexible way to add or remove whitelisted IPs you could do something like:

/etc/shorewall/params:

NET_ALLOWED_IP=extra-whitelisted-ips

/etc/shorewall/blrules:

WHITELIST    net:192.168.1.0/24,$NET_ALLOWED_IP    all
DROP         net                                   all

Only 192.168.1.0/24 and the value of '$NET_ALLOWED_IP' will be whitelisted.

Or with ipset (you don't need the params file for this):

WHITELIST    net:+ipset_name,192.168.1.0/24    all
DROP         net                               all

Only 192.168.1.0/24 and the IPs specified in the 'ipset_name' will be whitelisted.

Or be even more creative with conditional statements!!! :)

> On Sat, 2017-05-13 at 17:37 +0200, Matt Darfeuille wrote:
>> From:
>> http://shorewall.org/manpages/shorewall-blrules.html
>>
>> "Example 2:
>> Don't subject packets from 2001:DB8::/64 to the remaining rules in the file.
>> WHITELIST net:[2001:DB8::/64] all"
>>
>> So the following should do what you want:
>>
>> WHITELIST ...
>> DROP ...
>>
>>
>> See also:
>> http://shorewall.org/configuration_file_basics.htm#Exclusion
>> http://shorewall.org/manpages/shorewall-exclusion.html
>>
>> -Matt

-- 
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
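The reply above rests on one property of blrules: entries are evaluated in order, the first match wins, and a WHITELIST match exempts the packet from the remaining entries in the file. The script below is an added example, not code from the thread or from Shorewall; it is a deliberately simplified model of that first-match evaluation (no port, protocol or zone lookups, only the SOURCE column), written to show why the "whitelist, then DROP net" layout behaves as described and why a later "WHITELIST !range" line cannot take an address back out of an earlier whitelist. The params values, the contents of the ipset 'allowed_hosts', and the probe addresses are constructed; the exclusion attempt is modelled with an explicit zone ('net:!2.16.9.1-2.16.9.128'), which is an assumption about how the zoneless line in the quoted file would be read, and the real compiler may reject that line outright.

```python
"""Simplified first-match model of a Shorewall blrules file (added example, not Shorewall code)."""
import ipaddress
import re

# ---- Constructed sample configuration (not from the thread) ----
PARAMS = "NET_ALLOWED_IP=203.0.113.7,198.51.100.0/28\n"

# Members of an ipset named 'allowed_hosts' (constructed; a real one is filled with `ipset add`).
IPSETS = {"allowed_hosts": ["192.0.2.10", "192.0.2.11"]}

# The layout suggested in the reply: whitelist first, then drop the rest of the net zone.
BLRULES_WHITELIST_THEN_DROP = """\
#ACTION    SOURCE                                 DEST
WHITELIST  net:[2001:db8::/64]                    all
WHITELIST  net:192.168.1.0/24,$NET_ALLOWED_IP     all
WHITELIST  net:+allowed_hosts                     all
DROP       net                                    all
"""

# The quoted "exclusion block" idea, with the zone made explicit (assumption, see lead-in).
BLRULES_EXCLUSION_ATTEMPT = """\
WHITELIST  net:2.16.9.0/24               all
WHITELIST  net:!2.16.9.1-2.16.9.128      all
DROP       net                           all
"""


def load_params(text):
    """Parse NAME=value lines from a shorewall params file into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def expand_params(text, params):
    """Substitute $NAME references, as the compiler does before reading the file."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), text)


def _matches_element(ip, element, ipsets):
    """One address-list element: +ipset, a-b range, CIDR or single host ([v6] brackets allowed)."""
    if element.startswith("+"):
        return any(_matches_element(ip, e, ipsets) for e in ipsets.get(element[1:], []))
    element = element.strip("[]")
    if "-" in element:
        lo, hi = (ipaddress.ip_address(p) for p in element.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    # ip_network.__contains__ is False when the address families differ, so v4/v6 mix safely.
    return ip in ipaddress.ip_network(element, strict=False)


def _matches_source(ip, source, ipsets):
    """SOURCE column: bare 'zone' matches everything; 'zone:list' or 'zone:!list' filters it."""
    if ":" not in source:
        return True
    _zone, addr_list = source.split(":", 1)
    negate = addr_list.startswith("!")
    hit = any(_matches_element(ip, e, ipsets) for e in addr_list.lstrip("!").split(","))
    return hit != negate  # leading '!' means every address except those listed


def evaluate(blrules_text, ip, params=None, ipsets=None):
    """Action of the first matching entry ('WHITELIST' or 'DROP'), or 'CONTINUE' if none matched."""
    ip = ipaddress.ip_address(ip)
    for line in expand_params(blrules_text, params or {}).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, source = line.split()[:2]
        if _matches_source(ip, source, ipsets or {}):
            return action
    return "CONTINUE"


def whitelist_then_drop_results():
    """Probe the recommended layout: only whitelisted sources escape the final DROP."""
    probes = ["192.168.1.5", "203.0.113.7", "198.51.100.9", "192.0.2.10", "2001:db8::1", "8.8.8.8"]
    return {p: evaluate(BLRULES_WHITELIST_THEN_DROP, p, load_params(PARAMS), IPSETS) for p in probes}


def exclusion_attempt_results():
    """Probe the exclusion layout: the /24 line wins for 2.16.9.x, and '!range' whitelists all else."""
    return {p: evaluate(BLRULES_EXCLUSION_ATTEMPT, p) for p in ["2.16.9.50", "2.16.9.200", "10.0.0.1"]}


if __name__ == "__main__":
    for name, results in (("whitelist then DROP", whitelist_then_drop_results()),
                          ("exclusion attempt", exclusion_attempt_results())):
        print(name)
        for addr, action in results.items():
            print(f"  {addr:>16}  ->  {action}")
```

Under this model the recommended layout whitelists exactly the /24, the params value, the ipset members and the IPv6 prefix, and drops everything else from net. The exclusion layout never reaches its DROP line: 2.16.9.50 is whitelisted by the /24 entry before the exclusion line is consulted, and every address outside 2.16.9.1-2.16.9.128 matches the negated entry and is whitelisted too.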
