1SHOREWALL-BLRULES(5)          Configuration Files         SHOREWALL-BLRULES(5)
2
3
4

NAME

6       blrules - shorewall Blacklist file
7

SYNOPSIS

9       /etc/shorewall[6]/blrules
10

DESCRIPTION

12       This file is used to perform blacklisting and whitelisting.
13
14       Rules in this file are applied depending on the setting of BLACKLIST in
15       shorewall.conf[1](5).
16
17       The format of rules in this file is the same as the format of rules in
18       shorewall-rules (5)[2]. The difference in the two files lies in the
19       ACTION (first) column.
20
21       ACTION-
22       {ACCEPT|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIST|LOG|QUEUE|NFQUEUE[(queuenumber)]|[?]COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
23           Specifies the action to be taken if the packet matches the rule.
24           Must be one of the following.
25
26           BLACKLIST
27               Added in Shorewall 4.5.3. This is actually a macro that expands
28               as follows:
29
30               •   If BLACKLIST_LOGLEVEL is specified in shorewall.conf[1](5),
31                   then the macro expands to blacklog.
32
33               •   Otherwise it expands to the action specified for
34                   BLACKLIST_DISPOSITION in shorewall.conf[1](5).
35
36           blacklog
37               May only be used if BLACKLIST_LOGLEVEL is specified in
38               shorewall.conf[1](5). Logs, audits (if specified) and applies
39               the BLACKLIST_DISPOSITION specified in shorewall.conf[1] (5).
40
41           ACCEPT|CONTINUE|WHITELIST
42               Exempt the packet from the remaining rules in this file.
43
44           DROP
45               Ignore the packet.
46
47           A_DROP
48               Audited version of DROP. Requires AUDIT_TARGET support in the
49               kernel and ip6tables.
50
51           REJECT
52               disallow the packet and return an icmp-unreachable or an RST
53               packet.
54
55           A_REJECT
56               Audited versions of REJECT. Require AUDIT_TARGET support in the
57               kernel and ip6tables.
58
59           LOG
60               Simply log the packet and continue with the next rule.
61
62           QUEUE
63               Queue the packet to a user-space application such as ftwall
64               (http://p2pwall.sf.net). The application may reinsert the
65               packet for further processing.
66
67           NFLOG[(nflog-parameters)]
68               queues matching packets to a back end logging daemon via a
69               netlink socket then continues to the next rule. See
70               shorewall-logging(5)[3].
71
72           NFQUEUE
73               Queues the packet to a user-space application using the
74               nfnetlink_queue mechanism. If a queuenumber is not specified,
75               queue zero (0) is assumed.
76
77           ?COMMENT
78               The rest of the line will be attached as a comment to the
79               Netfilter rule(s) generated by the following entries. The
80               comment will appear delimited by "/* ... */" in the output of
81               "shorewall show <chain>". To stop the comment from being
82               attached to further rules, simply include ?COMMENT on a line by
83               itself.
84
85           action
86               The name of an action declared in shorewall-actions[4](5) or in
87               /usr/share/shorewall/actions.std.
88
89           macro
90               The name of a macro defined in a file named macro.macro. If the
91               macro accepts an action parameter (Look at the macro source to
92               see if it has PARAM in the TARGET column) then the macro name
93               is followed by the parenthesized target (ACCEPT, DROP, REJECT,
94               ...) to be substituted for the parameter.
95
96               Example: FTP(ACCEPT).
97
98           The ACTION may optionally be followed by ":" and a syslog log level
99           (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to
100           be logged at the specified level.
101
102           If the ACTION names an action declared in shorewall-actions[4](5)
103           or in /usr/share/shorewall/actions.std then:
104
105           •   If the log level is followed by "!' then all rules in the
106               action are logged at the log level.
107
108           •   If the log level is not followed by "!" then only those rules
109               in the action that do not specify logging are logged at the
110               specified level.
111
112           •   The special log level none!  suppresses logging by the action.
113
114           You may also specify NFLOG (must be in upper case) as a log
115           level.This will log to the NFLOG target for routing to a separate
116           log through use of ulogd (shorewall-logging.htm[3]).
117
118           Actions specifying logging may be followed by a log tag (a string
119           of alphanumeric characters) which is appended to the string
120           generated by the LOGPREFIX (in shorewall.conf[1](5)).
121
122       For the remaining columns, see shorewall-rules (5)[2].
123

EXAMPLES

125       IPv4 Example 1:
126           Drop 6to4 packets from the net.
127
128               DROP          net:192.88.99.1            all
129
130       IPv4 Example 2:
131           Don't subject packets from 70.90.191.120/29 to the remaining rules
132           in the file.
133
134               WHITELIST     net:70.90.191.120/29       all
135
136       IPv6 Example 1:
137           Drop Teredo packets from the net.
138
139               DROP          net:[2001::/32]            all
140
141       IPv6 Example 2:
142           Don't subject packets from 2001:DB8::/64 to the remaining rules in
143           the file.
144
145               WHITELIST     net:[2001:DB8::/64]        all
146

FILES

148       /etc/shorewall/blrules
149
150       /etc/shorewall6/blrules
151

SEE ALSO

153       https://shorewall.org/blacklisting_support.htm[5]
154
155       https://shorewall.org/configuration_file_basics.htm#Pairs[6]
156
157       shorewall(8)
158

NOTES

160        1. shorewall.conf
161           https://shorewall.org/manpages/shorewall.conf.html
162
163        2. shorewall-rules (5)
164           https://shorewall.org/manpages/shorewall-rules.html
165
166        3. shorewall-logging(5)
167           https://shorewall.org/manpages/shorewall-logging.html
168
169        4. shorewall-actions
170           https://shorewall.org/manpages/shorewall-actions.html
171
172        5. https://shorewall.org/blacklisting_support.htm
173           https://shorewall.org/blacklisting_support.htm
174
175        6. https://shorewall.org/configuration_file_basics.htm#Pairs
176           https://shorewall.org/configuration_file_basics.htm#Pairs
177
178
179
180Configuration Files               09/24/2020              SHOREWALL-BLRULES(5)
Impressum