Thanks Tom, that worked

Leo

On 12/2/19 5:38 pm, Tom Eastep wrote:
On 2/12/19 2:39 AM, subscription2 via Shorewall-users wrote:
I'm running Shorewall V 5.1.12.2 on the latest Ubuntu LTS version

sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel
state UP group default qlen 1000
     link/ether 00:50:56:3d:9b:af brd ff:ff:ff:ff:ff:ff
     inet 173.212.231.229/24 brd 173.212.231.255 scope global ens18
        valid_lft forever preferred_lft forever
     inet6 fe80::250:56ff:fe3d:9baf/64 scope link
        valid_lft forever preferred_lft forever


ip route show
default via 173.212.231.1 dev ens18 proto static
173.212.231.0/24 dev ens18 proto kernel scope link src 173.212.231.229


I'm trying to follow this guide
https://linux.die.net/man/5/shorewall-blrules and have a few questions.
That site seems to have quite old versions of the manpages. I recommend
that you use the official Shorewall mirror closest to you (see
http://www.shorewall.org/shorewall_mirrors.htm).

1) Setting BLACKLISTNEWONLY causes the following error when reloading.

sudo shorewall refresh
Compiling using Shorewall 5.1.12.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
    ERROR: The BLACKLISTNEWONLY configuration option has been superceded
- please run 'shorewall update' /etc/shorewall/shorewall.conf (line 288)

Running 'shorewall update' removes this setting

2) The rule in my blrules file with a BLACKLIST="NEW,INVALID,UNTRACKED"
setting doesn't seem to apply (i.e. connections from this IP address are
still getting through).

DROP    net:185.211.245.170    all


Try 'shorewall reload' rather than 'shorewall refresh' (note that
support for 'refresh' has been removed in Shorewall 5.2). If connections
from that IP are still not being dropped, then install the 'conntrack'
package and use this command:

conntrack -D -s 185.211.245.170

If connections are still getting through, then please forward the output
of 'shorewall dump' as an attachment (you may send it directly to me).

Thanks,
-Tom
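The reason the conntrack flush matters: with BLACKLIST="NEW,INVALID,UNTRACKED" the blrules entry only sees packets that start a connection, so flows the host had already tracked from that address keep matching ESTABLISHED and pass. The check below, an added example and not part of the thread or of Shorewall, lists tracked flows whose original direction comes from a given source, so you can see whether stale entries exist before deciding to run `conntrack -D -s <ip>`. The sample conntrack output is constructed, not captured from the poster's host; on a live system pipe `conntrack -L` into `flows_from` instead.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (assumed format: proto, protonum,
# timeout, optional TCP state, then original- and reply-direction tuples).
SAMPLE='tcp      6 431999 ESTABLISHED src=185.211.245.170 dst=173.212.231.229 sport=51234 dport=22 src=173.212.231.229 dst=185.211.245.170 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=198.51.100.7 dst=173.212.231.229 sport=40000 dport=80 src=173.212.231.229 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=185.211.245.170 dst=173.212.231.229 sport=5353 dport=53 src=173.212.231.229 dst=185.211.245.170 sport=53 dport=5353 mark=0 use=1'

# flows_from IP: read conntrack -L lines on stdin and print those whose
# ORIGINAL direction (the first src= field on the line) is IP. Only the first
# src= is examined so reply-direction tuples do not produce false matches.
flows_from() {
    awk -v ip="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) {
                    split($i, kv, "=")
                    if (kv[2] == ip) print
                    break
                }
            }
        }'
}

# count_flows_from IP: number of tracked flows originated by IP in SAMPLE.
# A non-zero count for a blacklisted address explains why a NEW-only
# blacklist rule has not stopped the traffic yet.
count_flows_from() {
    printf '%s\n' "$SAMPLE" | flows_from "$1" | wc -l | tr -d ' '
}

# flush_cmd_for IP: the command the reply above recommends, printed rather
# than executed so the script can be run safely on any host.
flush_cmd_for() {
    printf 'conntrack -D -s %s\n' "$1"
}

if [ "${1:-}" ]; then
    n=$(count_flows_from "$1")
    echo "tracked flows originated by $1: $n"
    [ "$n" -gt 0 ] && echo "to clear them run: $(flush_cmd_for "$1")"
fi
```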


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users