SHOREWALL-BLRULES(5) | Configuration Files | SHOREWALL-BLRULES(5) |
blrules - shorewall Blacklist file
/etc/shorewall[6]/blrules
This file is used to perform blacklisting and whitelisting.
Rules in this file are applied depending on the setting of BLACKLIST in shorewall.conf[1](5).
The format of rules in this file is the same as the format of rules in shorewall-rules (5)[2]. The difference in the two files lies in the ACTION (first) column.
ACTION- {ACCEPT|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|WHITELIST|LOG|QUEUE|NFQUEUE[(queuenumber)]|[?]COMMENT|action|macro[(target)]}[:{log-level|none}[!][:tag]]
BLACKLIST
blacklog
ACCEPT|CONTINUE|WHITELIST
DROP
A_DROP
REJECT
A_REJECT
LOG
QUEUE
NFLOG[(nflog-parameters)]
NFQUEUE
?COMMENT
action
macro
Example: FTP(ACCEPT).
The ACTION may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or Web(ACCEPT):debug). This causes the packet to be logged at the specified level.
If the ACTION names an action declared in shorewall-actions[4](5) or in /usr/share/shorewall/actions.std then:
You may also specify NFLOG (must be in upper case) as a log level.This will log to the NFLOG target for routing to a separate log through use of ulogd (shorewall-logging.htm[3]).
Actions specifying logging may be followed by a log tag (a string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall.conf[1](5)).
For the remaining columns, see shorewall-rules (5)[2].
IPv4 Example 1:
DROP net:192.88.99.1 all
IPv4 Example 2:
WHITELIST net:70.90.191.120/29 all
IPv6 Example 1:
DROP net:[2001::/32] all
IPv6 Example 2:
WHITELIST net:[2001:DB8::/64] all
/etc/shorewall/blrules
/etc/shorewall6/blrules
https://shorewall.org/blacklisting_support.htm[5]
https://shorewall.org/configuration_file_basics.htm#Pairs[6]
09/24/2020 | Configuration Files |