Take control of your SHOREWALL FW.


In this article I propose to configure and extend the power of SHOREWALL with my scripts. I wrote them to control and block attacks coming from the WEB, and because I also needed some firewall log history in a MYSQL DB.

I've developed this little system with PHP/BASH/GEOIP libs; the scripts use the FW database to log events and also create DROP actions that last a few days.

The system is very simple: it is based on two scripts which run regularly via CRON.
=> The first script is the log parser and MYSQL sync.
=> The second script is the main system, which can view the DB, look up IPs, block IPs and show statistics.
=> The second script can also be run manually (the CRON mode is only for attack detection and auto blacklist).

Another script can be used for the GEOIP database update.

Note that here I'm using the latest version of DEBIAN LINUX with SHOREWALL, MARIADB and PHP7.

1) Set up the SHOREWALL log and the DB parsing script.

Here you need your SHOREWALL setup and an empty MYSQL database.

In SHOREWALL, install the « ulog » daemon and configure SHOREWALL to log; here I use:

For ulog, simply add this block ( /etc/ulogd.conf ):


For SHOREWALL, here it is:


Of course, your SHOREWALL policy file must contain the $LOG directive.
Here I want to LOG REJECT/DROP packets from the Internet:

znet all DROP $LOG
all all REJECT $LOG

Each line ends with the $LOG option.

Now you can download and install the CRX-FW scripts; you need this ZIP file: CRX-FW-0.1
Also create a directory to unzip the files into:

mkdir -p /opt/crx/bin/fw/

The parser script is named log2mysql; do a chmod +x on it.

Configure your database:
Create a database for the FW, then import crx_fw_events.sql and crx_fw_events_actions.sql into it.

Configure the DB user and PASSWORD for this database in the file: config.php


On the SHOREWALL side, you should now have the event log (ulog) with entries in this format:

Jun 5 11:22:44 crx-hyp01 Shorewall:znet-zfw:DROP: IN=eth0 OUT= MAC=00:24:90:a3:32:18:ec:30:91:e0:ef:c0:08:00 SRC= DST= LEN=40 TOS=00 PREC=0x00 TTL=248 ID=18378 PROTO=TCP SPT=62586 DPT=8080 SEQ=1992689042 ACK=0 WINDOW=1024 SYN URGP=0 MARK=0
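
Added example (not part of the CRX-FW scripts or of the original article): a small shell function that splits a line of this format into the fields a parser would store, and refuses lines without a valid IPv4 SRC, such as the redacted sample above. The function name, the output layout and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the CRX-FW log2mysql parser. Names and output are assumptions.
# Prints chain|action|in_if|src|dst|proto|spt|dpt, or returns 1 when the line
# is not a Shorewall entry or has no valid IPv4 SRC.
parse_shorewall_line() {
    printf '%s\n' "$1" | awk '
    {
        # Find the "Shorewall:<chain>:<action>:" tag produced by the $LOG rule.
        tag = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Shorewall:[^:]+:[A-Z]+:$/) { tag = $i; break }
        if (tag == "") exit 1
        split(tag, t, ":")
        # Collect KEY=VALUE tokens; bare flags such as SYN carry no "=".
        for (j = i + 1; j <= NF; j++) {
            p = index($j, "=")
            if (p > 1) kv[substr($j, 1, p - 1)] = substr($j, p + 1)
        }
        # Only a dotted quad with octets <= 255 may go on to the DB or a DROP.
        if (kv["SRC"] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) exit 1
        split(kv["SRC"], o, ".")
        for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) exit 1
        printf "%s|%s|%s|%s|%s|%s|%s|%s\n", t[2], t[3], kv["IN"],
               kv["SRC"], kv["DST"], kv["PROTO"], kv["SPT"], kv["DPT"]
    }'
}

# Constructed samples: documentation addresses; the second line mirrors the
# redacted entry shown above (empty SRC/DST).
OK_LINE='Jun 5 11:22:44 crx-hyp01 Shorewall:znet-zfw:DROP: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 LEN=40 TTL=248 PROTO=TCP SPT=62586 DPT=8080 SYN URGP=0 MARK=0'
BAD_LINE='Jun 5 11:22:44 crx-hyp01 Shorewall:znet-zfw:DROP: IN=eth0 OUT= SRC= DST= LEN=40 PROTO=TCP SPT=62586 DPT=8080 SYN URGP=0 MARK=0'
for l in "$OK_LINE" "$BAD_LINE"; do
    parse_shorewall_line "$l" || echo "skipped: no valid SRC" >&2
done
```

Validating SRC before it reaches an SQL insert or a firewall command keeps malformed or unexpected log content out of both.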

Wait a few minutes to get some entries in your SHOREWALL log, then simply launch the parser manually like this:

All is OK here; we can now configure the WHITELIST part. The CRON part will be the last step.

2) Configure the whitelist for services and IP addresses, and launch the engine!

The whitelist is simple; you have one file for each:

Service: whitlist_services.php
IP address: whitlist_ip.php

Start with the IP addresses and put in your public IP.

The format must be:


For services:


All is OK; now we can launch the main engine script analyseAndAction:

Without arguments it looks like this:

The program displays the number of FW events in the last 30 min.
Note that the ban period is 4 days; you can configure it in config.php.

3) Configure the CRON

Here I've configured it like this (you can adjust the frequency depending on your DBMS configuration/capacity and server LOAD).

5 8 * * 3 [ `date +\%d` -le 7 ] && /opt/crx/bin/update_geo.bash
*/1 * * * * /opt/wraper.sh 5 "/opt/crx/bin/fw/log2mysql" > /dev/null 2> /dev/null
*/1 * * * * /opt/wraper.sh 15 "/opt/crx/bin/fw/analyseAndAction" > /dev/null 2> /dev/null
0 */1 * * * /opt/crx/bin/fw/analyseAndAction -d 'all' > /dev/null 2> /dev/null

Note that -d 'all' updates all events in the DB and decides to UNBAN some of them if needed.

Wraper.sh is a simple script that launches a task every XX seconds, which is not possible with classic CRON.

Here is the script:

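#!/bin/bash
# Initialisation: $1 = interval in seconds, $2 = command to run
if [ "$1" == "" ]; then
    exit 1
fi
interval=$1
# Offset of the first run, so runs stay aligned on the interval across minutes
next=$(date +%M | awk -v interval=$interval '{ print int($0 * 60 % interval) }')
if [ $next -gt 0 ]; then
    next=$(echo $next | awk -v interval=$interval '{print interval - $0}')
fi
# Schedule one background run per interval within the current minute
for i in $(seq $next $interval 59)
do
    (sleep $i; $2) &
done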

4) Display info and BAN/UNBAN IP addresses:

For example, I need the top 5 countries blocked by the FW:

Same for IP addresses ( -i « all » -l 5 ):

You can also search events by IP address ( ./analyseAndAction -p 77.72.85.XX -l 5 ):

To BAN/UNBAN an IP address, simply use:

-m « @ip »      =>  DROP IP ( add event into MYSQL and call SHOREWALL DROP IP ).
-r « @IP »       =>  ALLOW IP ( remove event from MYSQL and call SHOREWALL ALLOW IP ).

Note that you can also view the FW DROP table content via :

# ./analyseAndAction -f "ip" | less

This command is the same as :

/sbin/shorewall show dynamic

That's all for now.
Hope you find it useful; all feedback is welcome!


