NAME

       blacklist - shorewall6 Blacklist file

SYNOPSIS

       /etc/shorewall6/blacklist

DESCRIPTION

       The blacklist file is used to perform static blacklisting by source address (IP or MAC),
       or by application. The use of this file is deprecated in favor of
       shorewall6-blrules[1](5), and beginning with Shorewall 4.5.7, the blacklist file is no
       longer installed. Existing blacklist files can be converted to a corresponding blrules
       file using the shorewall6 update -b command.

       The columns in the file are as follows (where the column name is followed by a different
       name in parentheses, the different name is used in the alternate specification syntax).

       ADDRESS/SUBNET - {-|~mac-address|ip-address|address-range|+ipset}
           Host address, network address, MAC address, IP address range (if your kernel and
           ip6tables contain iprange match support) or ipset name prefaced by "+" (if your kernel
           supports ipset match). Exclusion (shorewall6-exclusion[2](5)) is supported.

           MAC addresses must be prefixed with "~" and use "-" as a separator.

           Example: ~00-A0-C9-15-39-78

           A dash ("-") in this column means that any source address will match. This is useful
           if you want to blacklist a particular application using entries in the PROTOCOL and
           PORTS columns.

       PROTOCOL (proto) - {-|protocol-number|protocol-name}
           Optional - if specified, must be a protocol number or a protocol name from
           protocols(5).

       PORTS (port) - {-|port-name-or-number[,port-name-or-number]...}
           May only be specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or
           UDPLITE (136). A comma-separated list of destination port numbers or service names
           from services(5).

       OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
           Optional - added in 4.4.12. If specified, indicates whether traffic from
           ADDRESS/SUBNET (src) or traffic to ADDRESS/SUBNET (dst) should be blacklisted. The
           default is src. If the ADDRESS/SUBNET column is empty, then this column has no effect
           on the generated rule.

               Note
               In Shorewall 4.4.12, the keywords from and to were used in place of src and dst
               respectively. Blacklisting was still restricted to traffic arriving on an
               interface that has the 'blacklist' option set. So to block traffic from your local
               network to an internet host, you had to specify blacklist on your internal
               interface in shorewall6-interfaces[3] (5).

               Note
               Beginning with Shorewall 4.4.13, entries are applied based on the blacklist
               setting in shorewall6-zones[4](5):

                1. 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic from this zone is
                   passed against the entries in this file that have the src option (specified or
                   defaulted).

                2. 'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic to this zone is
                   passed against the entries in this file that have the dst option.
           In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified,
           packets/connections that match the entry are not matched against the remaining entries
           in the file.

           The audit option was also added in 4.4.20 and causes packets matching the entry to be
           audited. The audit option may not be specified in whitelist entries and require
           AUDIT_TARGET support in the kernel and ip6tables.

       When a packet arrives on an interface that has the blacklist option specified in
       shorewall6-interfaces[5](5), its source IP address and MAC address is checked against this
       file and disposed of according to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
       variables in shorewall6.conf[6](5). If PROTOCOL or PROTOCOL and PORTS are supplied, only
       packets matching the protocol (and one of the ports if PORTS supplied) are blocked.

EXAMPLE

       Example 1:
           To block DNS queries from address fe80::2a0:ccff:fedb:31c4:

                       #ADDRESS/SUBNET            PROTOCOL        PORT
                       fe80::2a0:ccff:fedb:31c4/  udp             53

       Example 2:
           To block some of the nuisance applications:

                       #ADDRESS/SUBNET         PROTOCOL        PORT
                       -                       udp             1024:1033,1434
                       -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898

FILES

       /etc/shorewall6/blacklist

SEE ALSO

       http://shorewall.net/blacklisting_support.htm

       http://shorewall.net/configuration_file_basics.htm#Pairs

       shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-hosts(5),
       shorewall6-interfaces(5), shorewall6-maclist(5),
       shorewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
       shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
       shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
       shorewall6-zones(5)

NOTES

        1. shorewall6-blrules
           http://www.shorewall.netshorewall6-blrules.html

        2. shorewall6-exclusion
           http://www.shorewall.netshorewall6-exclusion.html

        3. shorewall6-interfaces
           http://www.shorewall.netshorewall6-interfaces.html

        4. shorewall6-zones
           http://www.shorewall.netshorewall-zones.html

        5. shorewall6-interfaces
           http://www.shorewall.netshorewall-interfaces.html

        6. shorewall6.conf
           http://www.shorewall.netshorewall.conf.html

[FIXME: source]                             01/30/2014                     SHOREWALL6-BLACKLIS(5)