1SHOREWALL6-BLACKLIS(5)          [FIXME: manual]         SHOREWALL6-BLACKLIS(5)
2
3
4

NAME

6       blacklist - shorewall6 Blacklist file
7

SYNOPSIS

9       /etc/shorewall6/blacklist
10

DESCRIPTION

12       The blacklist file is used to perform static blacklisting. You can
13       blacklist by source address (IP or MAC), or by application.
14
15       The columns in the file are as follows.
16
17       ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset}
18           Host address, network address, MAC address, IP address range (if
19           your kernel and ip6tables contain iprange match support) or ipset
20           name prefaced by "+" (if your kernel supports ipset match).
21           Exclusion (shorewall6-exclusion[1](5)) is supported.
22
23           MAC addresses must be prefixed with "~" and use "-" as a separator.
24
25           Example: ~00-A0-C9-15-39-78
26
27           A dash ("-") in this column means that any source address will
28           match. This is useful if you want to blacklist a particular
29           application using entries in the PROTOCOL and PORTS columns.
30
31       PROTOCOL (Optional) - {-|protocol-number|protocol-name}
32           If specified, must be a protocol number or a protocol name from
33           protocols(5).
34
35       PORTS (Optional) - {-|port-name-or-number[,port-name-or-number]...}
36           May only be specified if the protocol is TCP (6), UDP (17), DCCP
37           (33), SCTP (132) or UDPLITE (136). A comma-separated list of
38           destination port numbers or service names from services(5).
39
40       OPTIONS (Optional - Added in 4.4.12) -
41       {-|{dst|src|whitelist|audit}[,...]}
42           If specified, indicates whether traffic from ADDRESS/SUBNET (src)
43           or traffic to ADDRESS/SUBNET (dst) should be blacklisted. The
44           default is src. If the ADDRESS/SUBNET column is empty, then this
45           column has no effect on the generated rule.
46
47               Note
48               In Shorewall 4.4.12, the keywords from and to were used in
49               place of src and dst respectively. Blacklisting was still
50               restricted to traffic arriving on an interface that has the
51               'blacklist' option set. So to block traffic from your local
52               network to an internet host, you had to specify blacklist on
53               your internal interface in shorewall6-interfaces[2] (5).
54
55               Note
56               Beginning with Shorewall 4.4.13, entries are applied based on
57               the blacklist setting in shorewall6-zones[3](5):
58
59                1. 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
60                   from this zone is passed against the entries in this file
61                   that have the src option (specified or defaulted).
62
63                2. 'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic
64                   to this zone is passed against the entries in this file
65                   that have the dst option.
66           In Shorewall 4.4.20, the whitelist option was added. When whitelist
67           is specified, packets/connections that match the entry are not
68           matched against the remaining entries in the file.
69
70           The audit option was also added in 4.4.20 and causes packets
71           matching the entry to be audited. The audit option may not be
72           specified in whitelist entries and require AUDIT_TARGET support in
73           the kernel and ip6tables.
74
75       When a packet arrives on an interface that has the blacklist option
76       specified in shorewall6-interfaces[4](5), its source IP address and MAC
77       address is checked against this file and disposed of according to the
78       BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
79       shorewall6.conf[5](5). If PROTOCOL or PROTOCOL and PORTS are supplied,
80       only packets matching the protocol (and one of the ports if PORTS
81       supplied) are blocked.
82

EXAMPLE

84       Example 1:
85           To block DNS queries from address fe80::2a0:ccff:fedb:31c4:
86
87                       #ADDRESS/SUBNET            PROTOCOL        PORT
88                       fe80::2a0:ccff:fedb:31c4/  udp             53
89
90       Example 2:
91           To block some of the nuisance applications:
92
93                       #ADDRESS/SUBNET         PROTOCOL        PORT
94                       -                       udp             1024:1033,1434
95                       -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
96

FILES

98       /etc/shorewall6/blacklist
99

SEE ALSO

101       http://shorewall.net/blacklisting_support.htm
102
103       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
104       shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
105       shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
106       shorewall6-route_rules(5), shorewall6-routestopped(5),
107       shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
108       shorewall6-tcclasses(5), shorewall6-tcdevices(5),
109       shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
110       shorewall6-zones(5)
111

NOTES

113        1. shorewall6-exclusion
114           http://www.shorewall.net/manpages6/shorewall6-exclusion.html
115
116        2. shorewall6-interfaces
117           http://www.shorewall.net/manpages6/shorewall6-interfaces.html
118
119        3. shorewall6-zones
120           http://www.shorewall.net/manpages6/shorewall-zones.html
121
122        4. shorewall6-interfaces
123           http://www.shorewall.net/manpages6/shorewall-interfaces.html
124
125        5. shorewall6.conf
126           http://www.shorewall.net/manpages6/shorewall.conf.html
127
128
129
130[FIXME: source]                   09/16/2011            SHOREWALL6-BLACKLIS(5)
Impressum