1SHOREWALL-BLRULES(5) Configuration Files SHOREWALL-BLRULES(5)
2
3
4
6 blrules - shorewall Blacklist file
7
9 /etc/shorewall[6]/blrules
10
12 This file is used to perform blacklisting and whitelisting.
13
14 Rules in this file are applied depending on the setting of BLACKLIST in
15 shorewall.conf[1](5).
16
17 The format of rules in this file is the same as the format of rules in
18 shorewall-rules (5)[2]. The difference in the two files lies in the
19 ACTION (first) column.
20
21 ACTION-
22 {ACCEPT|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIST|LOG|QUEUE|NFQUEUE[(queuenumber)]|[?]COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
23 Specifies the action to be taken if the packet matches the rule.
24 Must be one of the following.
25
26 BLACKLIST
27 Added in Shorewall 4.5.3. This is actually a macro that expands
28 as follows:
29
30 · If BLACKLIST_LOGLEVEL is specified in shorewall.conf[1](5),
31 then the macro expands to blacklog.
32
33 · Otherwise it expands to the action specified for
34 BLACKLIST_DISPOSITION in shorewall.conf[1](5).
35
36 blacklog
37 May only be used if BLACKLIST_LOGLEVEL is specified in
38 shorewall.conf[1](5). Logs, audits (if specified) and applies
39 the BLACKLIST_DISPOSITION specified in shorewall.conf[1] (5).
40
41 ACCEPT|CONTINUE|WHITELIST
42 Exempt the packet from the remaining rules in this file.
43
44 DROP
45 Ignore the packet.
46
47 A_DROP
48 Audited version of DROP. Requires AUDIT_TARGET support in the
49 kernel and ip6tables.
50
51 REJECT
52 disallow the packet and return an icmp-unreachable or an RST
53 packet.
54
55 A_REJECT
56 Audited versions of REJECT. Require AUDIT_TARGET support in the
57 kernel and ip6tables.
58
59 LOG
60 Simply log the packet and continue with the next rule.
61
62 QUEUE
63 Queue the packet to a user-space application such as ftwall
64 (http://p2pwall.sf.net). The application may reinsert the
65 packet for further processing.
66
67 NFLOG[(nflog-parameters)]
68 queues matching packets to a back end logging daemon via a
69 netlink socket then continues to the next rule. See
70 shorewall-logging(5)[3].
71
72 NFQUEUE
73 Queues the packet to a user-space application using the
74 nfnetlink_queue mechanism. If a queuenumber is not specified,
75 queue zero (0) is assumed.
76
77 ?COMMENT
78 The rest of the line will be attached as a comment to the
79 Netfilter rule(s) generated by the following entries. The
80 comment will appear delimited by "/* ... */" in the output of
81 "shorewall show <chain>". To stop the comment from being
82 attached to further rules, simply include ?COMMENT on a line by
83 itself.
84
85 action
86 The name of an action declared in shorewall-actions[4](5) or in
87 /usr/share/shorewall/actions.std.
88
89 macro
90 The name of a macro defined in a file named macro.macro. If the
91 macro accepts an action parameter (Look at the macro source to
92 see if it has PARAM in the TARGET column) then the macro name
93 is followed by the parenthesized target (ACCEPT, DROP, REJECT,
94 ...) to be substituted for the parameter.
95
96 Example: FTP(ACCEPT).
97
98 The ACTION may optionally be followed by ":" and a syslog log level
99 (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to
100 be logged at the specified level.
101
102 If the ACTION names an action declared in shorewall-actions[4](5)
103 or in /usr/share/shorewall/actions.std then:
104
105 · If the log level is followed by "!' then all rules in the
106 action are logged at the log level.
107
108 · If the log level is not followed by "!" then only those rules
109 in the action that do not specify logging are logged at the
110 specified level.
111
112 · The special log level none! suppresses logging by the action.
113
114 You may also specify NFLOG (must be in upper case) as a log
115 level.This will log to the NFLOG target for routing to a separate
116 log through use of ulogd (shorewall-logging.htm[3]).
117
118 Actions specifying logging may be followed by a log tag (a string
119 of alphanumeric characters) which is appended to the string
120 generated by the LOGPREFIX (in shorewall.conf[1](5)).
121
122 For the remaining columns, see shorewall-rules (5)[2].
123
125 IPv4 Example 1:
126 Drop 6to4 packets from the net.
127
128 DROP net:192.88.99.1 all
129
130 IPv4 Example 2:
131 Don't subject packets from 70.90.191.120/29 to the remaining rules
132 in the file.
133
134 WHITELIST net:70.90.191.120/29 all
135
136 IPv6 Example 1:
137 Drop Teredo packets from the net.
138
139 DROP net:[2001::/32] all
140
141 IPv6 Example 2:
142 Don't subject packets from 2001:DB8::/64 to the remaining rules in
143 the file.
144
145 WHITELIST net:[2001:DB8::/64] all
146
148 /etc/shorewall/blrules
149
150 /etc/shorewall6/blrules
151
153 https://shorewall.org/blacklisting_support.htm[5]
154
155 https://shorewall.org/configuration_file_basics.htm#Pairs[6]
156
157 shorewall(8)
158
160 1. shorewall.conf
161 https://shorewall.org/manpages/shorewall.conf.html
162
163 2. shorewall-rules (5)
164 https://shorewall.org/manpages/shorewall-rules.html
165
166 3. shorewall-logging(5)
167 https://shorewall.org/manpages/shorewall-logging.html
168
169 4. shorewall-actions
170 https://shorewall.org/manpages/shorewall-actions.html
171
172 5. https://shorewall.org/blacklisting_support.htm
173 https://shorewall.org/blacklisting_support.htm
174
175 6. https://shorewall.org/configuration_file_basics.htm#Pairs
176 https://shorewall.org/configuration_file_basics.htm#Pairs
177
178
179
180Configuration Files 07/29/2020 SHOREWALL-BLRULES(5)