Rich Freeman on 3 Feb 2012 13:31:14 -0800 |
Re: [PLUG] Quick & dirty IP blocking |
On Fri, Feb 3, 2012 at 3:42 PM, Joe Terranova <joeterranova@gmail.com> wrote:
> I would recommend checking out shorewall. It is basically a nice
> wrapper for IPTables -- you get the power of IPtables, plus you get
> to step back a bit and figure out what you want your firewall policy
> to look like. And yes, definitely survives reboots.

Going from memory I think shorewall has a blackhole list in it - a file where you can dump IP addresses and they'll get blocked regardless of any other rules that are set. It also has all the usual stuff like ingress filtering of reserved IPs/etc.

The issues I've seen with it are:

1. There is a modest bit of setup involved, but not too big a deal.
2. Loading rules can be slow, as can be reloading them.
3. IPv6 is not elegantly handled - you basically run two instances of it with separate configurations.
4. Even with a very simple set of user-defined rules it generates a VERY complex set of iptables rules. It would probably take me three hours with a dump of them and a set of man pages and howtos to trace a single packet through the chains. Forget tweaking those rules yourself after they're created by shorewall.
5. Since the rules aren't easy to tweak, forget adding on any quick recipes you've seen floating around like the ones in this email chain or adding stuff like QoS/etc. Shorewall does provide its own support for some of these things. Look at it like this - use shorewall, or roll your own, but never mix the two.

Of all the options out there, I'd probably still consider it one of my first choices for a linux-based firewall.

Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
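The blackhole list Rich recalls is Shorewall's blrules file. As an added illustration (not from this thread or from the Shorewall project), here is a minimal /etc/shorewall/blrules; the column layout is Shorewall's, the addresses are constructed placeholders from the RFC 5737 documentation ranges, and older Shorewall releases use the separate blacklist file instead.

```text
# /etc/shorewall/blrules  (IPv4; the IPv6 instance has its own
# /etc/shorewall6/blrules, which is the "two instances" point above)
#
# Entries here are checked ahead of the ordinary rules file, so a
# listed host is blocked no matter what the rules file would allow.
# Addresses are placeholders from the RFC 5737 documentation ranges.
#
#ACTION   SOURCE                DEST   PROTO   DPORT
DROP      net:192.0.2.45        all
DROP      net:198.51.100.0/24   all
# Reject (send an error) rather than silently drop, limited to SSH
REJECT    net:203.0.113.7       all    tcp     22
```

Apply with `shorewall restart`; because the file is part of the on-disk configuration, the entries come back after a reboot as long as shorewall is started at boot.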