Your message dated Tue, 1 Mar 2011 16:30:47 -0500
with message-id <[email protected]>
and subject line Re: Bug#615651: Wishlist: using a shorewall protected computer
for a logserver
has caused the Debian Bug report #615651,
regarding Wishlist: using a shorewall protected computer for a logserver
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
615651: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615651
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shorewall
Version: 4.4.17-1
Severity: wishlist
I looked around the shorewall site a bit (possibly not long enough).
I've got a computer protected by shorewall on a LAN. However, in
terms of shorewall rules, my router/firewall is net (it is the same
as the Internet).
I am wanting to accept syslog messages from my router/firewall.
Which seems doable with a rule of
Syslog(ACCEPT) net(192.168.1.1) $FW
But really, my IP address is provided by the router/firewall via DHCPD
on the router/firewall. There could easily be other things that a
computer wants to accept from the IP it gets its IP from. Perhaps
something like
Syslog(ACCEPT) net($DHCP) $FW
works?
Sometimes people want a stealth logserver, it is NOT the intended recipient
of Syslog messages, but because its NIC is in promiscuous mode, it can grab
those messages as well.
It would be nice if there was an "easy" way to have shorewall accept syslog
from a router/firewall. I suspect some people might also find it useful for
some way to accept Syslog on an anonymous (stealth) logserver.
Just an idea. Maybe a real implementation has to be different?
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.32 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages shorewall depends on:
ii bc 1.06.95-2 The GNU bc arbitrary precision cal
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii iproute 20110107-2 networking and traffic control too
ii iptables 1.4.10-1 administration tools for packet fi
ii perl-modules 5.10.1-17 Core Perl modules
shorewall recommends no packages.
Versions of packages shorewall suggests:
ii linux-image-2.6.32 [linux-ima newmain.2 Linux kernel binary image for vers
ii linux-image-2.6.35 [linux-ima newmain.1 Linux kernel binary image for vers
ii make 3.81-8 An utility for Directing compilati
ii shorewall-doc 4.4.17-1 documentation for Shoreline Firewa
-- Configuration Files:
/etc/default/shorewall changed:
startup=1
OPTIONS=""
/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
LOGFILE=/var/log/messages
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
IPTABLES=
IP=
TC=
IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=ko
DISABLE_IPV6=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
OPTIMIZE=0
EXPORTPARAMS=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
AUTOMAKE=No
WIDE_TC_MARKS=No
TRACK_PROVIDERS=No
ZONE2ZONE=2
ACCOUNTING=Yes
DYNAMIC_BLACKLIST=Yes
OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=
COMPLETE=No
EXPORTMODULES=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
-- debconf information:
shorewall/upgrade_20_22:
shorewall/upgrade_14_20:
shorewall/upgrade_to_14:
shorewall/warnrfc1918:
shorewall/invalid_config:
shorewall/warn_about_klogd_floods:
shorewall/dont_restart:
shorewall/major_release:
--- End Message ---
--- Begin Message ---
On Sun, Feb 27, 2011 at 04:29:29PM -0700, Gordon Haverland wrote:
> Package: shorewall
> Version: 4.4.17-1
> Severity: wishlist
>
> I looked around the shorewall site a bit (possibly not long enough).
> I've got a computer protected by shorewall on a LAN. However, in
> terms of shorewall rules, my router/firewall is net (it is the same
> as the Internet).
>
> I am wanting to accept syslog messages from my router/firewall.
> Which seems doable with a rule of
> Syslog(ACCEPT) net(192.168.1.1) $FW
>
> But really, my IP address is provided by the router/firewall via DHCPD
> on the router/firewall. There could easily be other things that a
> computer wants to accept from the IP it gets its IP from. Perhaps
> something like
> Syslog(ACCEPT) net($DHCP) $FW
> works?
>
This makes no sense. You can just use params, which Shorewall already has.
> Sometimes people want a stealth logserver, it is NOT the intended recipient
> of Syslog messages, but because its NIC is in promiscuous mode, it can grab
> those messages as well.
>
> It would be nice if there was an "easy" way to have shorewall accept syslog
> from a router/firewall. I suspect some people might also find it useful for
> some way to accept Syslog on an anonymous (stealth) logserver.
>
This can already be done, as you point out, by putting the interface in
promiscuous mode. From a Shorewall perspective, a simple Syslog/ACCEPT
statement would then let you receive all the syslog packets you may
want.
As this is clearly not a bug, I am closing.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
--- End Message ---
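The approach the reply points at (a params entry for the router address, referenced from the rules file) is shown below as an added example; it is not code from the bug report, from the maintainer, or from Shorewall itself. It assumes an ISC dhclient lease file in the format dhclient writes (the embedded lease is constructed sample data, not a real lease), the Shorewall 4.4 layout of /etc/shorewall/params and /etc/shorewall/rules, and the stock Syslog macro (UDP port 514). The variable name ROUTER and the helper function names are the example's own choices.

```shell
#!/bin/sh
# Added example: derive the Shorewall "params" entry for the DHCP server
# (the router/firewall that hands out our address) and the matching rule.
# Assumptions (not from the bug report): dhclient leases file format,
# Shorewall 4.4 file layout, stock Syslog macro. ROUTER is our own name.

# Print the DHCP server address from the most recent lease in a dhclient
# leases file ($1). dhclient appends leases, so the last
# "option dhcp-server-identifier" line is the current server.
dhcp_server_from_leases() {
    sed -n 's/^[[:space:]]*option dhcp-server-identifier[[:space:]]*\([0-9.]*\);.*/\1/p' "$1" | tail -n 1
}

# Accept only a dotted quad with four numeric octets in 0-255; anything
# else (empty string, hostname, stray text) is rejected so it never ends
# up as a shell assignment in /etc/shorewall/params.
valid_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# The line for /etc/shorewall/params (a shell-style assignment).
shorewall_params_entry() {
    printf 'ROUTER=%s\n' "$1"
}

# The line for /etc/shorewall/rules: the Syslog macro (UDP 514) with
# ACCEPT, restricted to the router address in zone "net", to this host.
# Shorewall expands $ROUTER from params when it compiles the rules.
shorewall_rules_entry() {
    printf 'Syslog(ACCEPT)\tnet:$ROUTER\t$FW\n'
}

# Build the params entry from a leases file; fail if no usable address.
shorewall_router_params() {
    addr=$(dhcp_server_from_leases "$1")
    if ! valid_ipv4 "$addr"; then
        echo "no valid dhcp-server-identifier in $1" >&2
        return 1
    fi
    shorewall_params_entry "$addr"
}

# Demo on a constructed leases file with two leases: an older one from a
# previous server and the current one. Sample data, not a real lease.
demo_leases=$(mktemp)
cat > "$demo_leases" <<'EOF'
lease {
  interface "eth0";
  fixed-address 192.168.1.42;
  option routers 192.168.1.254;
  option dhcp-server-identifier 192.168.1.254;
}
lease {
  interface "eth0";
  fixed-address 192.168.1.42;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-server-identifier 192.168.1.1;
}
EOF
echo "# /etc/shorewall/params"
shorewall_router_params "$demo_leases"
echo "# /etc/shorewall/rules"
shorewall_rules_entry
rm -f "$demo_leases"
```

Run it after a lease change (for example from a dhclient exit hook) and then `shorewall restart`, so the rule follows the router address instead of hard-coding 192.168.1.1. Two caveats a practitioner should keep in mind: the syslog daemon on the host must itself be configured to listen on UDP 514, which this firewall rule does not do, and matching on the source address only limits who can reach the port; UDP syslog carries no authentication, so a source address on the LAN can be spoofed by any host on the same segment.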