On 5/14/2017 5:16 PM, Matt Darfeuille wrote:
> On 5/14/2017 12:54 PM, misc02 wrote:
>> Thanks Matt -
>>
>> I'm not sure if I can do it the following way - I'm trying to keep
>> the blrules file as obvious as possible by separating the whitelist
>> from the excluded ranges within it. The idea is that this would make
>> it easy to just put in a new IP or IP range to DROP without having
>> to work out which CIDR block it is included in every time and
>> keep the lines short if multiple randoms need DROPping in a range
>> at later dates.
>>
>> I.e., will my EXCLUSION block go back and remove that range
>> from the WHITELIST and my DROP block drop everything not whitelisted?
>>
>
> I don't think you need exclusion.
>
>> This is a sample blrules to show what I'm trying to do - would this
>> work?:
>>
>> ------------------------------------------------------------------
>> #
>> # Shorewall version 4 - Blacklist Rules File
>> #
>> # For information about entries in this file, type "man shorewall-blrules"
>> #
>> # Please see http://shorewall.net/blacklisting_support.htm for additional
>> # information.
>> #
>> ###############################################################################
>> #ACTION    SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE    USER/    MARK    CONNLIMIT    TIME    HEADERS    SWITCH
>> #                                    PORT    PORT(S)   DEST        LIMIT   GROUP
>>
>> ### WHITELIST BLOCK STARTS HERE ###
>>
>> # system and specials
>> WHITELIST    net:[2001:DB8::/64]    all
>>
>> # rest of whitelists
>> WHITELIST    net:2.16.9.0/24        all
>> WHITELIST    net:64.209.92.221/32   all
>>
>> ## END WHITELIST
>>
>> ### EXCLUSION BLOCK STARTS HERE ###
>>
>> # EXCLUSION LIST FROM ABOVE WHITELISTING
>> # This is added AFTER the whitelist rules
>> # To remove the ranges from the whitelist
>> # When a whitelist block is added put the
>> # exclusions to it here
>>
>> WHITELIST    !2.16.9.1-2.16.9.128    all
>>
>>
>> ### DROP BLOCK STARTS HERE ###
>>
>> # THIS SECTION IS THE MAIN DROP LIST
>> # This drops everything not in the
>> # whitelist block - to be clear ...
>> # The exclusion block is dropped too
>>
>> DROP    net:0.0.0.0-255.255.255.255    all
>>
>> --------------------------- END -----------------------------------
>>
>> Will this work or can you see a way to do something similar?
>>
>
> Everything that's not in the WHITELIST action will be DROPped.
>
> Assuming I got that right and based on your example (IPv4 only):
>
> WHITELIST    net:192.168.1.0/24    all
> DROP         net                   all
>
> Any IPs from the net zone will be dropped but 192.168.1.0/24.
>
>
> If you want a more flexible way to add or remove whitelisted IPs you
> could do something like:
>
> /etc/shorewall/params
>
> NET_ALLOWED_IP=extra-whitelisted-ips
>
> /etc/shorewall/blrules:
>
> WHITELIST    net:192.168.1.0/24,$NET_ALLOWED_IP
> DROP         net    all
>
> Only 192.168.1.0/24 and the value of '$NET_ALLOWED_IP' will be whitelisted.
>
> or with ipset (you don't need the params file for this)
>
> WHITELIST    net:+ipset_name,192.168.1.0/24
> DROP         net    all
>
> Only 192.168.1.0/24 and the IPs specified in the 'ipset_name' will be
> whitelisted
>
> or be even more creative with conditional statements!!! :)
>

To more directly answer your question:

You could do:

/etc/shorewall/blrules

# Change those values in the params file
WHITELIST    $NET_ALLOWED_IP!$NET_EXCLUDE_IP
DROP         net    all

/etc/shorewall/params

# Blacklisting/Whitelisting
#
# Allowed IPs from net
#
NET_ALLOWED_IP=2.16.9.0/24
#
# Exclude those IPs from being whitelisted
#
NET_EXCLUDE_IP=2.16.9.1-2.16.9.128

The idea is to have the exclusion on the same line!

>>> On Sat, 2017-05-13 at 17:37 +0200, Matt Darfeuille wrote:
>>> From:
>>> http://shorewall.org/manpages/shorewall-blrules.html
>>>
>>> "Example 2:
>>> Don't subject packets from 2001:DB8::/64 to the remaining rules in the file.
>>> WHITELIST net:[2001:DB8::/64] all"
>>>
>>> So the following should do what you want:
>>>
>>> WHITELIST ...
>>> DROP ...
>>>
>>>
>>> See also:
>>> http://shorewall.org/configuration_file_basics.htm#Exclusion
>>> http://shorewall.org/manpages/shorewall-exclusion.html
>>
> -Matt

--
Matt Darfeuille

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
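To see why the exclusion has to sit on the same line, here is an added example (not Shorewall's code and not from this thread): a small Python model of blrules evaluation that assumes the manpage semantics quoted above, i.e. rules are read top to bottom and a matching WHITELIST exempts the source from the rest of the file. It puts misc02's separate-line layout beside Matt's same-line layout, with a `net:` zone prefix added to both rule sets as in the 192.168.1.0/24 example; `evaluate`, `source_matches` and `in_list` are hypothetical helper names, and the addresses are the thread's own.

```python
import ipaddress
import re

# Constructed inputs mirroring the thread; this is a simplified model, not Shorewall's parser.
PARAMS = {"NET_ALLOWED_IP": "2.16.9.0/24", "NET_EXCLUDE_IP": "2.16.9.1-2.16.9.128"}

# Matt's layout: the exclusion is part of the same SOURCE entry (ADDRESSES!EXCLUSIONS).
SAME_LINE = """
WHITELIST  net:$NET_ALLOWED_IP!$NET_EXCLUDE_IP  all
DROP       net                                  all
"""
# misc02's layout: a separate negated WHITELIST line placed after the whitelist block.
SEPARATE_LINE = """
WHITELIST  net:2.16.9.0/24               all
WHITELIST  net:!2.16.9.1-2.16.9.128      all
DROP       net:0.0.0.0-255.255.255.255   all
"""

def in_list(ip, spec):
    """True if ip falls inside any comma-separated CIDR block or lo-hi range in spec."""
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(item, strict=False):
            return True
    return False

def source_matches(ip, source):
    """SOURCE column zone[:ADDRESSES[!EXCLUSIONS]]; a bare zone matches every address."""
    _zone, _, addrs = source.partition(":")
    include, _, exclude = addrs.partition("!")
    if include and not in_list(ip, include):
        return False
    return not (exclude and in_list(ip, exclude))

def evaluate(rules, params, src_ip):
    """Expand $PARAMS, walk the rules top to bottom; the first matching rule decides."""
    ip = ipaddress.ip_address(src_ip)
    text = re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), ""), rules)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if source_matches(ip, fields[1]):
            return fields[0]
    return "CONTINUE"  # nothing matched: the packet goes on to the regular rules
```

In this model 2.16.9.50 is dropped with the same-line layout, but with the separate-line layout the first WHITELIST line already matched it, so the later exclusion line is never consulted; worse, that negated-only line then whitelists every address outside the range, so the DROP is never reached.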
