From c9f008aac737a6a102c1adf361733132ded70d15 Mon Sep 17 00:00:00 2001
From: Eduardo Diaz
Date: Thu, 5 Jun 2025 11:09:21 +0200
Subject: [PATCH] Update shorewall.conf

add more options to shorewall and enable the use of ipset
---
 config/action.d/shorewall.conf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf
index 83d08d99..31935269 100644
--- a/config/action.d/shorewall.conf
+++ b/config/action.d/shorewall.conf
@@ -12,7 +12,11 @@
 # file should be modified with "BLACKLISTNEWONLY=No". Note that as of
 # Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent
 # of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".
-#
+# you can check the list using "shorewall show bl"
+#
+# Enabling using ipset for shorewall on a single list is a more easy and more efective
+# change blocktype = blacklist
+# enable on shorewall.comf to "DYNAMIC_BLACKLIST=ipset,disconnect,timeout=0"
 
 [Definition]
 
@@ -60,9 +64,9 @@ family =
 
 # Option: blocktype
 # Note: This is what the action does with rules.
-# See man page of shorewall for options that include drop, logdrop, reject, or logreject
+# See man page of shorewall for options that include drop, logdrop, reject, blacklist, or logreject
 # Values: STRING
-blocktype = reject
+blocktype = blacklist
 
 [Init?family=inet6]
 
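Review bot: The added header comment has typos and does not say what the recommended settings actually do: `shorewall.comf` should be `shorewall.conf`, and `Enabling using ipset ... is a more easy and more efective` reads as `Using the ipset-based dynamic blacklist is simpler and more efficient`. It should also spell out that `timeout=0` makes the ipset entries permanent on the Shorewall side, so expiry is entirely fail2ban's job via unban, and that `disconnect` terminates existing connections from a banned address (as I read shorewall.conf(5) this relies on the conntrack tool being installed), so an admin knows what they are opting into. A concrete rewrite of the three lines: `# Using Shorewall's ipset-based dynamic blacklist is simpler and more efficient:`, `#   set blocktype = blacklist below, and`, `#   set DYNAMIC_BLACKLIST=ipset,disconnect,timeout=0 in shorewall.conf (timeout=0: entries stay until fail2ban unbans; disconnect: existing connections are cut)`.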
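Review bot: Changing the shipped default from `blocktype = reject` to `blocktype = blacklist` changes behaviour for every existing deployment, and `shorewall blacklist` only works when shorewall.conf has `DYNAMIC_BLACKLIST=ipset[,...]`; on a host still running the default `DYNAMIC_BLACKLIST=Yes` the ban command fails and the offender is never blocked, which fails open. Keeping `blocktype = reject` as the default and documenting `blacklist` as an opt-in for ipset-enabled setups avoids that: leave the `blocktype = reject` line as is and change only the comment, e.g. `# See man page of shorewall for options that include drop, logdrop, reject, or logreject; blacklist requires DYNAMIC_BLACKLIST=ipset[,...] in shorewall.conf`. Whether `actionunban` (defined outside this hunk, presumably `shorewall allow <ip>`) also removes ipset-based blacklist entries should be verified against the targeted Shorewall version, otherwise bans made with the new default are never lifted.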