From c9f008aac737a6a102c1adf361733132ded70d15 Mon Sep 17 00:00:00 2001
From: Eduardo Diaz <ediaz@pk25.com>
Date: Thu, 5 Jun 2025 11:09:21 +0200
Subject: [PATCH] Update shorewall.conf

add more options to shorewall and enable the use of ipset
---
 config/action.d/shorewall.conf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf
index 83d08d99..31935269 100644
--- a/config/action.d/shorewall.conf
+++ b/config/action.d/shorewall.conf
@@ -12,7 +12,11 @@
 # file should be modified with "BLACKLISTNEWONLY=No". Note that as of
 # Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent
 # of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL".
-# 
+# you can check the list using "shorewall show bl"
+#
+# Enabling using ipset for shorewall on a single list is a more easy and more efective
+# change blocktype = blacklist
+# enable on shorewall.comf to "DYNAMIC_BLACKLIST=ipset,disconnect,timeout=0"  
 
 [Definition]
 
@@ -60,9 +64,9 @@ family =
 
 # Option:  blocktype
 # Note:    This is what the action does with rules.
-#          See man page of shorewall for options that include drop, logdrop, reject, or logreject
+#          See man page of shorewall for options that include drop, logdrop, reject, blacklist, or logreject
 # Values:  STRING
-blocktype = reject
+blocktype = blacklist
 
 [Init?family=inet6]