On Tue, 23 Apr 2013, Axel Rau wrote:
On 23.04.2013 at 09:47, David Lang <[email protected]> wrote:
On Mon, 22 Apr 2013, Axel Rau wrote:
Logging from a multi-homed firewall or VPN gateway to a remote loghost requires
a configurable source IP address in order to get the right routing and filtering.
Why do you say this? I've managed hundreds of multi-homed firewalls (some with
as many as 20 physical interfaces) and have never found that I needed to set
the source IP.
Unless you have multiple interfaces to the same network, there is no ambiguity:
the system will always use the same interface (and will use the main IP on that
interface for outbound messages when you have multiple IPs on one interface).
If you have an IPsec VPN, terminated on an OpenBSD firewall, and want to log
firewall activity to a log host, reached through the VPN, you will see the
sending socket of your syslogd binding to the interface, pointing at your
default route (which carries the encapsulated VPN traffic).
Actually, you should not need to do this.
Just make sure you start rsyslog after the VPN is up and when it establishes the
connection, it will get routed over the VPN and will auto-select the correct
source IP. I suspect that what's happening is that you are starting rsyslog
before the VPN, so it's getting the TCP connection established over the Internet
before your routing changes.
David Lang
While looking around in the docs, I see a historical config parameter for UDP
but none for TCP.
I think you are seeing the log forging feature for UDP that lets you fake the
source of the log so that things that ignore the content of the log, but only
look at the source IP can be tricked into working.
What are the chances for such a feature?
Should I try to provide a patch?
I had hoped to find a solution for reliable high volume firewall logging using
rsyslog with its multi-threaded architecture, disk spooling feature and
reliable transmission.
rsyslog does this very well.
Yes, but before switching to rsyslog, I need a solution for the above problem.
Axel
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
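The socket-level behaviour both posters are describing, as an added example that is not part of the original messages and is not rsyslog code: an unbound TCP socket takes its source address from the kernel's route lookup at connect() time, while a bind() before connect() pins it. It assumes Linux, where all of 127.0.0.0/8 is local; the loopback addresses are constructed stand-ins for the firewall's addresses and the loghost, and the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the loghost: TCP listener on 127.0.0.1, kernel-chosen port. */
static int open_listener(struct sockaddr_in *a) {
    socklen_t len = sizeof(*a);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(a, 0, sizeof(*a));
    a->sin_family = AF_INET;
    a->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)a, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)a, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Connect to the stand-in loghost. If src_ip is NULL the kernel selects the source
 * address at connect(); otherwise bind() pins it first. On success returns 0 and
 * writes the peer address the loghost saw into out. */
int source_seen_by_loghost(const char *src_ip, char *out, size_t outlen) {
    struct sockaddr_in dst, src, peer;
    socklen_t plen = sizeof(peer);
    int rc = -1, conn = -1, cli = -1, lfd = open_listener(&dst);
    if (lfd < 0) return -1;
    if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) goto done;
    if (src_ip) {
        memset(&src, 0, sizeof(src));
        src.sin_family = AF_INET;              /* port 0: ephemeral port */
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
            bind(cli, (struct sockaddr *)&src, sizeof(src)) < 0) goto done;
    }
    if (connect(cli, (struct sockaddr *)&dst, sizeof(dst)) < 0) goto done;
    conn = accept(lfd, (struct sockaddr *)&peer, &plen);
    if (conn >= 0 && inet_ntop(AF_INET, &peer.sin_addr, out, (socklen_t)outlen)) rc = 0;
done:
    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    close(lfd);
    return rc;
}
int main(void) {
    char ip[INET_ADDRSTRLEN];
    if (source_seen_by_loghost(NULL, ip, sizeof ip) == 0) printf("unbound: %s\n", ip);
    if (source_seen_by_loghost("127.0.0.2", ip, sizeof ip) == 0) printf("bound:   %s\n", ip);
    return 0;
}
```

Once connect() has returned, the source address of that TCP connection is fixed, so a later routing change does not move an established session to a different source address.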