Re: [Shorewall-users] Strange error with Centos 7

2018-11-14 Thread Tom Eastep
On 11/13/18 3:39 PM, Tom Eastep wrote:
> On 11/13/18 3:00 AM, Paolo Prandini wrote:
>> I installed the minimal version of Centos 7, run a yum upgrade
>> and then yum install shorewall
>> When I test my configuration with shorewall check ( I only set zones
>> interfaces policy) , I always get
>> nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
>> What can I do to avoid this problem?
>> Thanks a lot
> 
> 
> I've reproduced the problem. Are you trying to log via ULOG or is it
> just the journal message that concerns you?
> 

Paolo replied privately that he is only concerned about the journal
message. That message can be eliminated as follows:

a) Copy /usr/share/shorewall/helpers /etc/shorewall/.
b) Edit /etc/shorewall/helpers and remove this line:

loadmodule ipt_ULOG

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Strange error with Centos 7

2018-11-14 Thread Tom Eastep
On 11/14/18 6:32 AM, Scott Beane wrote:
> Same Ulogd error here following shorewall's logging set up man page(s)
> to move iptables output into its own log file, in my case,
> shorewall.log.
> 
> Sometimes, ulogd does not log to file.  Seems dependent upon when Ulogd
> is started by systemd. I am now starting it after shorewall. Note that
> it works without  ipt_ULOG being loaded nonetheless (see #3 below).

ipt_ULOG is only required to use the 'ULOG' log level.

> 
> Ulogd appears to be needed, but I remain confused as to whether ulogd is
> doing anything or whether rsyslogd configure edits (see #5 below) are
> handling the correct logging or whether it takes both rsyslogd and ulogd.

NFLOG logging will be handled by ulogd - syslog logging (info, debug,
etc) will be handled by rsyslogd.

-Tom



[Shorewall-users] Strange error with Centos 7

2018-11-14 Thread Scott Beane

  
  
Same Ulogd error here following shorewall's logging set up man page(s)
to move iptables output into its own log file, in my case,
shorewall.log.

Sometimes, ulogd does not log to file. Seems dependent upon when
Ulogd is started by systemd. I am now starting it after shorewall.
Note that it works without ipt_ULOG being loaded nonetheless (see
#3 below).

Ulogd appears to be needed, but I remain confused as to whether ulogd
is doing anything or whether rsyslogd configure edits (see #5 below)
are handling the correct logging or whether it takes both rsyslogd
and ulogd.

Applicable excerpts of my set up are as follows:
1. Kernel 3.10.0-862.14.4.el7.x86_64

2. Shorewall.conf
    LOG_LEVEL="NFLOG(2,0,1)"
    LOG_BACKEND="netlink"
    LOG_MARTIANS=Yes
    LOG_VERBOSITY=2
    LOG_ZONE=Both
    LOGFILE=/var/log/shorewall.log
    LOGFORMAT="Shorewall:%s:%s:"
    LOGTAGONLY=No
    LOGLIMIT="s:1/sec:10"

3. cat /proc/sys/net/netfilter/nf_log/*   #0-12 # Note "ipt_ULOG" not loaded
NONE
NONE
nfnetlink_log
NONE
NONE
nfnetlink_log
NONE
NONE
NONE
NONE
nfnetlink_log
NONE
NONE

4. ulogd.conf
    loglevel=7
    stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU
    [log2]
    group=2 # Group has to be different from the one use in log1
    netlink_socket_buffer_size=217088
    netlink_socket_buffer_maxsize=1085440
    bind=1

5. rsyslog.conf
    if $msg contains 'Shorewall' then {
        action(type="omfile" file="-/var/log/shorewall.log")
        if ($syslogfacility == 0 and $syslogseverity <= 6) then stop  # info
    }

6. ulogd.service
    Before=shorewall.service
    Conflicts=firewalld.service iptables.service  #iptables.service is disabled

On 11/13/2018 6:39 PM, Tom Eastep wrote:
> On 11/13/18 3:00 AM, Paolo Prandini wrote:
>> I installed the minimal version of Centos 7, run a yum upgrade
>> and then yum install shorewall
>> When I test my configuration with shorewall check ( I only set zones
>> interfaces policy) , I always get
>> nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
>> What can I do to avoid this problem?
>> Thanks a lot
>
> I've reproduced the problem. Are you trying to log via ULOG or is it
> just the journal message that concerns you?
>
> Thanks,
> -Tom

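The split Tom describes in his reply (NFLOG goes to ulogd, syslog levels go to rsyslogd, ULOG needs ipt_ULOG) can be checked against a setup like the one Scott posted. This is an added example, not part of the original messages and not Shorewall's own code; the function names, the temporary directory and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed check, modelled on the excerpts in this thread.

# LOG_LEVEL value from a shorewall.conf, quotes stripped (last setting wins).
log_level() {
    sed -n 's/^[[:space:]]*LOG_LEVEL=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Netlink group of an NFLOG level: NFLOG(2,0,1) -> 2, bare NFLOG -> 0
# (the iptables NFLOG default). Prints nothing for any other level.
nflog_group() {
    printf '%s\n' "$1" | sed -n -e 's/^NFLOG$/0/p' -e 's/^NFLOG(\([0-9][0-9]*\).*/\1/p'
}

# Groups set for the NFLOG plugin instances named in active stack= lines.
ulogd_groups() {
    awk '
        /^[ \t]*stack=/ {
            n = split($0, p, /[=,]/)
            for (i = 2; i <= n; i++)
                if (p[i] ~ /:NFLOG$/) { sub(/:NFLOG$/, "", p[i]); inst[p[i]] = 1 }
        }
        /^[ \t]*\[/ { sec = $0; gsub(/[ \t]/, "", sec); sec = substr(sec, 2, index(sec, "]") - 2) }
        /^[ \t]*group=/ { sub(/^[ \t]*group=/, ""); grp[sec] = $1 + 0 }
        END { for (s in inst) if (s in grp) print grp[s] }
    ' "$1"
}

# Report which daemon receives the messages. $1 = shorewall.conf, $2 = ulogd.conf
check_logging() {
    level=$(log_level "$1")
    case "$level" in
        ULOG*) echo "ULOG level requires the ipt_ULOG module"; return 2 ;;
    esac
    group=$(nflog_group "$level")
    if [ -z "$group" ]; then
        echo "rsyslogd handles syslog level '$level'"
    elif ulogd_groups "$2" | grep -qx "$group"; then
        echo "ulogd handles NFLOG group $group"
    else
        echo "NFLOG group $group has no ulogd listener"; return 1
    fi
}

# Constructed sample files using the values from excerpts 2 and 4 above.
demo=$(mktemp -d)
printf 'LOG_LEVEL="NFLOG(2,0,1)"\n' > "$demo/shorewall.conf"
printf 'stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU\n[log2]\ngroup=2 # comment\n' > "$demo/ulogd.conf"
check_logging "$demo/shorewall.conf" "$demo/ulogd.conf"
```

On a real host, pass /etc/shorewall/shorewall.conf and the system's ulogd.conf instead of the sample files.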


Re: [Shorewall-users] Strange error with Centos 7

2018-11-13 Thread Tom Eastep
On 11/13/18 3:00 AM, Paolo Prandini wrote:
> I installed the minimal version of Centos 7, run a yum upgrade
> and then yum install shorewall
> When I test my configuration with shorewall check ( I only set zones
> interfaces policy) , I always get
> nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
> What can I do to avoid this problem?
> Thanks a lot


I've reproduced the problem. Are you trying to log via ULOG or is it
just the journal message that concerns you?

Thanks,
-Tom


Re: [Shorewall-users] Strange error with Centos 7

2018-11-13 Thread Tom Eastep
On 11/13/18 3:00 AM, Paolo Prandini wrote:
> I installed the minimal version of Centos 7, run a yum upgrade
> and then yum install shorewall
> When I test my configuration with shorewall check ( I only set zones
> interfaces policy) , I always get
> nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
> What can I do to avoid this problem?
> Thanks a lot

I haven't seen this problem, but I'm updating my Centos 7 VM and will
try to reproduce...

-Tom


[Shorewall-users] Strange error with Centos 7

2018-11-13 Thread Paolo Prandini

I installed the minimal version of Centos 7, run a yum upgrade
and then yum install shorewall
When I test my configuration with shorewall check ( I only set zones interfaces 
policy) , I always get
nf_log: can't load ipt_ULOG, conflicting nfnetlink_log already loaded
What can I do to avoid this problem?
Thanks a lot
Paolo


