blacklist — Shorewall Blacklist file




The blacklist file is used to perform static blacklisting by source address (IP or MAC), or by application. The use of this file is deprecated and beginning with Shorewall 4.5.7, the file is no longer installed.

The columns in the file are as follows (where the column name is followed by a different name in parentheses, the different name is used in the alternate specification syntax).

ADDRESS/SUBNET (networks) - {-|~mac-address|ip-address|address-range|+ipset}

Host address, network address, MAC address, IP address range (if your kernel and iptables contain iprange match support) or ipset name prefaced by "+" (if your kernel supports ipset match). Exclusion (shorewall-exclusion(5)) is supported.

MAC addresses must be prefixed with "~" and use "-" as a separator.

Example: ~00-A0-C9-15-39-78

A dash ("-") in this column means that any source address will match. This is useful if you want to blacklist a particular application using entries in the PROTOCOL and PORTS columns.

PROTOCOL (proto) - {-|[!]protocol-number|[!]protocol-name}

Optional - If specified, must be a protocol number or a protocol name from protocols(5).

PORTS - {-|[!]port-name-or-number[,port-name-or-number]...}

Optional - may only be specified if the protocol is TCP (6) or UDP (17). A comma-separated list of destination port numbers or service names from services(5).

OPTIONS - {-|{dst|src|whitelist|audit}[,...]}

Optional - added in 4.4.12. If specified, indicates whether traffic from ADDRESS/SUBNET (src) or traffic to ADDRESS/SUBNET (dst) should be blacklisted. The default is src. If the ADDRESS/SUBNET column is empty, then this column has no effect on the generated rule.


In Shorewall 4.4.12, the keywords from and to were used in place of src and dst respectively. Blacklisting was still restricted to traffic arriving on an interface that has the 'blacklist' option set. So to block traffic from your local network to an internet host, you had to specify blacklist on your internal interface in shorewall-interfaces (5).


Beginning with Shorewall 4.4.13, entries are applied based on the blacklist setting in shorewall-zones(5):

  1. 'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic from this zone is passed against the entries in this file that have the src option (specified or defaulted).

  2. 'blacklist' in the OPTIONS or OUT_OPTIONS column. Traffic to this zone is passed against the entries in this file that have the dst option.

In Shorewall 4.4.20, the whitelist option was added. When whitelist is specified, packets/connections that match the entry are not matched against the remaining entries in the file.

The audit option was also added in 4.4.20 and causes packets matching the entry to be audited. The audit option may not be specified in whitelist entries and require AUDIT_TARGET support in the kernel and iptables.


Example 1:

To block DNS queries from address

        #ADDRESS/SUBNET         PROTOCOL        PORT             udp             53
Example 2:

To block some of the nuisance applications:

        #ADDRESS/SUBNET         PROTOCOL        PORT
        -                       udp             1024:1033,1434
        -                       tcp             57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898




shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-mangle(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)


Frequently Used Articles

- FAQs - IPv4 Manpages - IPv6 Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.0/4.2 Documentation

Current HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages (IPv4) (IPv6) - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page