{"id":4426,"date":"2022-12-20T17:49:16","date_gmt":"2022-12-20T20:49:16","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/shorewallblrules-man5\/"},"modified":"2022-12-20T17:49:16","modified_gmt":"2022-12-20T20:49:16","slug":"shorewallblrules-man5","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/shorewallblrules-man5\/","title":{"rendered":"SHOREWALL−BLRULES (man5)"},"content":{"rendered":"

SHOREWALL\u2212BLRULES<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
EXAMPLES<\/a>
FILES<\/a>
SEE ALSO<\/a>
NOTES<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

blrules \u2212 shorewall Blacklist file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

\/etc\/shorewall[6]\/blrules<\/b><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

This file is used to perform blacklisting and whitelisting.<\/p>\n

Rules in this file are applied depending on the setting of BLACKLIST in shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

The format of rules in this file is the same as the format of rules in<\/font> shorewall\u2212rules (5)<\/font><\/b> [2]<\/font><\/small> . The difference in the two files lies in the ACTION (first) column.<\/font><\/p>\n

ACTION\u2212 {ACCEPT|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIST|LOG|QUEUE|NFQUEUE[(<\/b>queuenumber<\/i>)]|[?]COMMENT|<\/b>action<\/i>|<\/b>macro<\/i>[(<\/b>target<\/i>)]}[:{<\/b>log\u2212level<\/i>|none}[!][:<\/b>tag<\/i>]]<\/b><\/font><\/p>\n

Specifies the action to be taken if the packet matches the rule. Must be one of the following.<\/font><\/p>\n

BLACKLIST<\/b><\/font><\/p>\n

Added in Shorewall 4.5.3. This is actually a macro that expands as follows:<\/font><\/p>\n

\u2022 If BLACKLIST_LOGLEVEL is specified in<\/font> shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5), then the macro expands to blacklog<\/b>.<\/font><\/p>\n

\u2022 Otherwise it expands to the action specified for BLACKLIST_DISPOSITION in<\/font> shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

blacklog<\/b><\/font><\/p>\n

May only be used if BLACKLIST_LOGLEVEL is specified in<\/font> shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5). Logs, audits (if specified) and applies the BLACKLIST_DISPOSITION specified in<\/font> shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5).<\/font><\/p>\n

ACCEPT|CONTINUE|WHITELIST<\/b><\/font><\/p>\n

Exempt the packet from the remaining rules in this file.<\/font><\/p>\n

DROP<\/b><\/font><\/p>\n

Ignore the packet.<\/font><\/p>\n

A_DROP<\/font><\/p>\n

Audited version of DROP. Requires AUDIT_TARGET support in the kernel and ip6tables.<\/font><\/p>\n

REJECT<\/b><\/font><\/p>\n

disallow the packet and return an icmp\u2212unreachable or an RST packet.<\/font><\/p>\n

A_REJECT<\/font><\/p>\n

Audited versions of REJECT. Require AUDIT_TARGET support in the kernel and ip6tables.<\/font><\/p>\n

LOG<\/b><\/font><\/p>\n

Simply log the packet and continue with the next rule.<\/font><\/p>\n

QUEUE<\/b><\/font><\/p>\n

Queue the packet to a user\u2212space application such as ftwall (http:\/\/p2pwall.sf.net). The application may reinsert the packet for further processing.<\/font><\/p>\n

NFLOG<\/b>[(nflog\u2212parameters<\/i>)]<\/font><\/p>\n

queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule. See<\/font> shorewall\u2212logging(5)<\/font><\/b> [3]<\/font><\/small> .<\/font><\/p>\n

NFQUEUE<\/b><\/font><\/p>\n

Queues the packet to a user\u2212space application using the nfnetlink_queue mechanism. If a queuenumber<\/i> is not specified, queue zero (0) is assumed.<\/font><\/p>\n

?COMMENT<\/b><\/font><\/p>\n

The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by “\/* … *\/” in the output of “shorewall show “. To stop the comment from being attached to further rules, simply include ?COMMENT on a line by itself.<\/font><\/p>\n

action<\/i><\/font><\/p>\n

The name of an action<\/i> declared in<\/font> shorewall\u2212actions<\/font><\/b> [4]<\/font><\/small> (5) or in \/usr\/share\/shorewall\/actions.std.<\/font><\/p>\n

macro<\/i><\/font><\/p>\n

The name of a macro defined in a file named macro.macro<\/i>. If the macro accepts an action parameter (Look at the macro source to see if it has PARAM in the TARGET column) then the macro<\/i> name is followed by the parenthesized target<\/i> (ACCEPT<\/b>, DROP<\/b>, REJECT<\/b>, …) to be substituted for the parameter.<\/font><\/p>\n

Example: FTP(ACCEPT).<\/font><\/p>\n

The ACTION<\/b> may optionally be followed by “:” and a syslog log level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at the specified level.<\/font><\/p>\n

If the ACTION<\/b> names an action<\/i> declared in<\/font> shorewall\u2212actions<\/font><\/b> [4]<\/font><\/small> (5) or in \/usr\/share\/shorewall\/actions.std then:<\/font><\/p>\n

\u2022 If the log level is followed by “!’ then all rules in the action are logged at the log level.<\/font><\/p>\n

\u2022 If the log level is not followed by “!” then only those rules in the action that do not specify logging are logged at the specified level.<\/font><\/p>\n

\u2022 The special log level none!<\/b> suppresses logging by the action.<\/font><\/p>\n

You may also specify NFLOG<\/b> (must be in upper case) as a log level.This will log to the NFLOG target for routing to a separate log through use of ulogd (<\/font>shorewall\u2212logging.htm<\/font><\/b> [3]<\/font><\/small> ).<\/font><\/p>\n

Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in<\/font> shorewall.conf<\/font><\/b> [1]<\/font><\/small> (5)).<\/font><\/p>\n

For the remaining columns, see<\/font> shorewall\u2212rules (5)<\/font><\/b> [2]<\/font><\/small> .<\/font><\/p>\n

EXAMPLES <\/a> <\/h2>\n

IPv4 Example 1:<\/font><\/p>\n

Drop 6to4 packets from the net.<\/font><\/p>\n

DROP net:192.88.99.1 all<\/font><\/p>\n

IPv4 Example 2:<\/font><\/p>\n

Don’t subject packets from 70.90.191.120\/29 to the remaining rules in the file.<\/font><\/p>\n

WHITELIST net:70.90.191.120\/29 all<\/font><\/p>\n

IPv6 Example 1:<\/font><\/p>\n

Drop Teredo packets from the net.<\/font><\/p>\n

DROP net:[2001::\/32] all<\/font><\/p>\n

IPv6 Example 2:<\/font><\/p>\n

Don’t subject packets from 2001:DB8::\/64 to the remaining rules in the file.<\/font><\/p>\n

WHITELIST net:[2001:DB8::\/64] all<\/font><\/p>\n

FILES <\/a> <\/h2>\n

\/etc\/shorewall\/blrules<\/font><\/p>\n

\/etc\/shorewall6\/blrules<\/font><\/p>\n

SEE ALSO <\/a> <\/h2>\n

https:\/\/shorewall.org\/blacklisting_support.htm<\/font><\/b> [5]<\/font><\/small><\/p>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/b> [6]<\/font><\/small><\/p>\n

shorewall(8)<\/font><\/p>\n

NOTES <\/a> <\/h2>\n\n\n
<\/td>\n\n

1.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall.conf<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall.conf.html<\/font><\/p>\n\n\n
<\/td>\n\n

2.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-rules (5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-rules.html<\/font><\/p>\n\n\n
<\/td>\n\n

3.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-logging(5)<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-logging.html<\/font><\/p>\n\n\n
<\/td>\n\n

4.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

shorewall-actions<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/manpages\/shorewall-actions.html<\/font><\/p>\n\n\n
<\/td>\n\n

5.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/blacklisting_support.htm<\/font><\/p>\n<\/td>\n

 <\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/blacklisting_support.htm<\/font><\/p>\n\n\n
<\/td>\n\n

6.<\/font><\/p>\n<\/td>\n

<\/td>\n\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n<\/td>\n<\/tr>\n<\/table>\n

https:\/\/shorewall.org\/configuration_file_basics.htm#Pairs<\/font><\/p>\n

\n","protected":false},"excerpt":{"rendered":"

blrules \u2212 shorewall Blacklist file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[959],"tags":[961,1291,1417],"class_list":["post-4426","post","type-post","status-publish","format-standard","hentry","category-5-formatos-de-ficheros","tag-961","tag-man5","tag-shorewall-blrules"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4426","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=4426"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/4426\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=4426"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=4426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=4426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}