On 22/06/18 06:53, Simon Hobson wrote:
Răzvan Sandu <razvan.sa...@mobexpert.ro> wrote:
I now have:

IMAPS/ACCEPT:info     net   $FW


and I want to exclude *two* address ranges from the net zone, like in:


IMAPS/ACCEPT:info     net:!aa.bb.cc.0/24   $FW
...

As an alternative which would be easier to read/maintain when you get a few 
more addresses in the list is to put drop rules before the allow rules. 
Typically if I spot incoming abuse, I just drop all connections - but that's 
one of those policy decisions that's specific to the organisation/admin. I tend 
to structure my rules file along the lines of:

# Drop nasties
DROP  net:aa.bb.cc.0/24  $FW
DROP  ...

# Mail
SMTP/ACCEPT  net  $FW
...
IMAPS/ACCEPT  net  $FW

# Other permitted traffic types ...


Of course, dealing with attacks as they happen is something that "shorewall drop 
..." is useful for.


Over the years, Tom has helped me work on this sort of issue. I haven't changed my approach much lately because it works quite well for me. I prefix my rule with something close to Simon's suggestion:

NotSyn(REJECT)   all            all            tcp
dropInvalid      all            all

and then start my blacklist rules (blrules) file with this:

# freedom for our own internet subnet
#
WHITELIST               loc      all
#
# moving to ipsets as most efficient/scalable blacklist mechanism
#
BLACKLIST        net:+blackHosts      all
BLACKLIST        net:+blackNets       all

I manage my border gateway router's ipsets by manually checking the log files periodically, but there have been several posts about automating the process.

HTH

Brian
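As an added example (not from any of the posts above), this is how the three approaches discussed in the thread fit together in Shorewall's rules and blrules files: Răzvan's exclusion syntax, Simon's drop-before-accept ordering, and Brian's ipset-backed blrules. The zone names net/loc/$FW and the set names blackHosts/blackNets come from the thread; the 192.0.2.0/24 and 198.51.100.0/24 ranges are documentation placeholders standing in for aa.bb.cc.0/24 and the second range.

```conf
#################################################################
# /etc/shorewall/blrules  -  evaluated before the rules file
#################################################################
#ACTION          SOURCE                 DEST
# our own LAN is never blacklisted, whatever the sets contain
WHITELIST        loc                    all
# ipsets (created beforehand: "ipset create blackHosts hash:ip"
# and "ipset create blackNets hash:net") hold the offenders;
# adding an entry to a set takes effect without a reload
BLACKLIST        net:+blackHosts        all
BLACKLIST        net:+blackNets         all

#################################################################
# /etc/shorewall/rules
#################################################################
#ACTION          SOURCE                 DEST     PROTO
# hygiene first: stray non-SYN packets and INVALID state
NotSyn(REJECT)   all                    all      tcp
dropInvalid      all                    all

# Drop nasties  -  static blocks, placed BEFORE any ACCEPT
# (first match wins, so order is the whole point)
DROP             net:192.0.2.0/24       $FW
DROP             net:198.51.100.0/24    $FW

# Mail  -  the DROP lines above already shield these
SMTP/ACCEPT      net                    $FW
IMAPS/ACCEPT     net                    $FW

# Equivalent single-rule form: exclude both ranges inline.
# "!" applies to the whole comma-separated list; readability
# suffers as the list grows, which is why the DROP block is
# preferred once there are more than one or two ranges.
#IMAPS/ACCEPT:info  net:!192.0.2.0/24,198.51.100.0/24  $FW
```

For ad-hoc blocking while an attack is under way, `shorewall drop 192.0.2.5` (with DYNAMIC_BLACKLIST=Yes in shorewall.conf) adds the address at run time, and a periodic review of the log can then promote it into the blackHosts set.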


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
