Provided by: shorewall_4.4.26.1-1_all bug

NAME

       blacklist - Shorewall Blacklist file

SYNOPSIS

       /etc/shorewall/blacklist

DESCRIPTION

       The blacklist file is used to perform static blacklisting. You can
       blacklist by source address (IP or MAC), or by application.

       The columns in the file are as follows (where the column name is
       followed by a different name in parentheses, the different name is used
       in the alternate specification syntax).

       ADDRESS/SUBNET (networks) -
       {-|~mac-address|ip-address|address-range|+ipset}
           Host address, network address, MAC address, IP address range (if
           your kernel and iptables contain iprange match support) or ipset
           name prefaced by "+" (if your kernel supports ipset match).
           Exclusion (shorewall-exclusion[1](5)) is supported.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           A dash ("-") in this column means that any source address will
           match. This is useful if you want to blacklist a particular
           application using entries in the PROTOCOL and PORTS columns.

       PROTOCOL (proto) - {-|[!]protocol-number|[!]protocol-name}
           Optional - If specified, must be a protocol number or a protocol
           name from protocols(5).

       PORTS - {-|[!]port-name-or-number[,port-name-or-number]...}
           Optional - may only be specified if the protocol is TCP (6) or UDP
           (17). A comma-separated list of destination port numbers or service
           names from services(5).

       OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
           Optional - added in 4.4.12. If specified, indicates whether traffic
           from ADDRESS/SUBNET (src) or traffic to ADDRESS/SUBNET (dst) should
           be blacklisted. The default is src. If the ADDRESS/SUBNET column is
           empty, then this column has no effect on the generated rule.

               Note
               In Shorewall 4.4.12, the keywords from and to were used in
               place of src and dst respectively. Blacklisting was still
               restricted to traffic arriving on an interface that has the
               'blacklist' option set. So to block traffic from your local
               network to an internet host, you had to specify blacklist on
               your internal interface in shorewall-interfaces[2] (5).

               Note
               Beginning with Shorewall 4.4.13, entries are applied based on
               the blacklist setting in shorewall-zones[3](5):

                1. 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
                   from this zone is passed against the entries in this file
                   that have the src option (specified or defaulted).

                2. 'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic
                   to this zone is passed against the entries in this file
                   that have the dst option.
           In Shorewall 4.4.20, the whitelist option was added. When whitelist
           is specified, packets/connections that match the entry are not
           matched against the remaining entries in the file.

           The audit option was also added in 4.4.20 and causes packets
           matching the entry to be audited. The audit option may not be
           specified in whitelist entries and require AUDIT_TARGET support in
           the kernel and iptables.

EXAMPLE

       Example 1:
           To block DNS queries from address 192.0.2.126:

                       #ADDRESS/SUBNET         PROTOCOL        PORT
                       192.0.2.126             udp             53

       Example 2:
           To block some of the nuisance applications:

                       #ADDRESS/SUBNET         PROTOCOL        PORT
                       -                       udp             1024:1033,1434
                       -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898

FILES

       /etc/shorewall/blacklist

SEE ALSO

       http://shorewall.net/blacklisting_support.htm

       http://shorewall.net/configuration_file_basics.htm#Pairs

       shorewall(8), shorewall-accounting(5), shorewall-actions(5),
       shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
       shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES

        1. shorewall-exclusion
           http://www.shorewall.net/manpages/shorewall-exclusion.html

        2. shorewall-interfaces
           http://www.shorewall.net/manpages/shorewall-interfaces.html

        3. shorewall-zones
           http://www.shorewall.net/manpages/shorewall-zones.html

[FIXME: source]                   12/13/2011            SHOREWALL-BLACKLIST(5)