On 7/22/19 2:43 PM, ObNox wrote:
> On 22/07/2019 17:18, Tom Eastep wrote:
>
>> DNAT always occurs before the blacklisting. Blacklisting takes place in
>> the nat table while blacklisting occurs in the filter table. Since the
>> nat table is traversed prior to the filter table (see
>> http://www.shorewall.org/NetfilterOverview.html), NAT necessarily occurs
>> first.
>
> I always wondered why blacklisting isn't done in the "mangle" table.
>
> As the "mangle" table is the very first table to see the incoming
> packets, it seems to be the best place to kill any unwanted traffic, right?
>
> https://erlerobotics.gitbooks.io/erle-robotics-introduction-to-linux-networking/content/security/img9/iptables.gif
>
>
> Back in the day when I was handcrafting my very own firewall script, I
> always used the "mangle" table to blacklist any foe and I never faced
> any special issue.
>
> Is there something I don't see that Shorewall does and makes it require
> the use of the "filter" table for the blacklist functionality?
>
I made the choice to implement blacklisting based on the zone-oriented
rules file. Unfortunately, zone-oriented infrastructure in Shorewall only
exists for the nat and filter tables. To maintain backward compatibility,
moving blacklisting enforcement to the mangle table would require that
zone-oriented infrastructure be added for the mangle table. I never
added it, and since I no longer develop Shorewall, I won't be adding it.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
\_______________________________________________
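The traversal order Tom refers to (PREROUTING hook: raw, mangle, nat; then the FORWARD hook: mangle, filter) is what decides which destination address a blacklist rule actually sees. The Python below is an added example written for this thread; it is not Shorewall code and not from either poster. It is a deliberately small model of that traversal (no conntrack, no INPUT/OUTPUT hooks, a default ACCEPT policy) with constructed RFC 5737/RFC 1918 addresses, and it shows the practical consequence: a filter-table blacklist keyed on the pre-NAT public address never matches a port-forwarded packet, a filter rule keyed on the post-NAT internal address does, a mangle PREROUTING rule sees the original destination, and source-based blacklisting is unaffected either way.

```python
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges / RFC 1918), not from the thread.
PUBLIC_IP = "198.51.100.10"   # firewall's external address
INTERNAL_IP = "10.0.0.5"      # web server behind the firewall
ATTACKER_IP = "203.0.113.7"   # source of the unwanted traffic


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    verdict: str = "ACCEPT"                 # default policy in this toy model
    trace: list = field(default_factory=list)


# Order in which a forwarded packet meets the tables in netfilter:
# PREROUTING hook (raw, mangle, nat), then the routing decision, then the
# FORWARD hook (mangle, filter). nat comes before filter; mangle before both.
TRAVERSAL = [
    ("PREROUTING", "raw"),
    ("PREROUTING", "mangle"),
    ("PREROUTING", "nat"),
    ("FORWARD", "mangle"),
    ("FORWARD", "filter"),
]


def run(pkt, ruleset):
    """Walk the packet through every chain in TRAVERSAL order.

    ruleset maps (chain, table) -> list of (match, action). An action is the
    string "DROP" or the tuple ("DNAT", new_dst, new_dport). A DROP ends
    processing; a DNAT rewrites the destination and, like a kernel nat rule,
    is terminating within its chain.
    """
    for chain, table in TRAVERSAL:
        for match, action in ruleset.get((chain, table), []):
            if not match(pkt):
                continue
            if action == "DROP":
                pkt.verdict = "DROP"
                pkt.trace.append(f"{table}/{chain}: DROP dst={pkt.dst}:{pkt.dport}")
                return pkt
            kind, new_dst, new_dport = action
            assert kind == "DNAT"
            pkt.trace.append(f"{table}/{chain}: DNAT {pkt.dst}:{pkt.dport} -> {new_dst}:{new_dport}")
            pkt.dst, pkt.dport = new_dst, new_dport
            break
    return pkt


def port_forward(p):
    """nat PREROUTING: public :80 is forwarded to the internal server :8080."""
    return p.dst == PUBLIC_IP and p.dport == 80


DNAT_RULE = (port_forward, ("DNAT", INTERNAL_IP, 8080))


def to_public_web(p):      # blacklist keyed on the ORIGINAL (pre-NAT) destination
    return p.dst == PUBLIC_IP and p.dport == 80


def to_internal_web(p):    # blacklist keyed on the POST-NAT destination
    return p.dst == INTERNAL_IP and p.dport == 8080


def from_attacker(p):      # source-based blacklist; DNAT never touches src
    return p.src == ATTACKER_IP


def inbound():
    """A fresh packet from the unwanted source aimed at the public web port."""
    return Packet(src=ATTACKER_IP, dst=PUBLIC_IP, dport=80)


def filter_blacklist_original_dst():
    """filter-table rule keyed on the pre-NAT destination: never matches."""
    rules = {("PREROUTING", "nat"): [DNAT_RULE],
             ("FORWARD", "filter"): [(to_public_web, "DROP")]}
    return run(inbound(), rules)


def filter_blacklist_post_nat_dst():
    """filter-table rule keyed on the post-NAT destination: matches."""
    rules = {("PREROUTING", "nat"): [DNAT_RULE],
             ("FORWARD", "filter"): [(to_internal_web, "DROP")]}
    return run(inbound(), rules)


def mangle_blacklist_original_dst():
    """mangle PREROUTING runs before nat, so the original destination matches."""
    rules = {("PREROUTING", "mangle"): [(to_public_web, "DROP")],
             ("PREROUTING", "nat"): [DNAT_RULE]}
    return run(inbound(), rules)


def filter_blacklist_by_source():
    """Source-based filter rule: unaffected by DNAT."""
    rules = {("PREROUTING", "nat"): [DNAT_RULE],
             ("FORWARD", "filter"): [(from_attacker, "DROP")]}
    return run(inbound(), rules)


if __name__ == "__main__":
    for fn in (filter_blacklist_original_dst, filter_blacklist_post_nat_dst,
               mangle_blacklist_original_dst, filter_blacklist_by_source):
        p = fn()
        print(f"{fn.__name__}: {p.verdict}  trace={p.trace}")
```

The takeaway for anyone writing destination-based blacklist entries on a box that also port-forwards: rules that end up in the filter table must name the post-DNAT address and port, whereas only mangle or raw PREROUTING rules can match on what the client originally sent.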
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users