On 11/20/2012 08:18 PM, Mr Dash Four wrote:
> > That's an error in the manpage -- to use NFLOG, specify "LOG:NFLOG(1,0,1)". I decided to change the code rather than the manpage -- patch attached.
>
> It doesn't seem to work: I am getting "ERROR: Invalid NFLOG action(NFLOG(1,0,1):none)". The statement in my C_ACTION is just "NFLOG(1,0,1)" (as opposed to "LOG:NFLOG(1,0,1)"). Am I missing something?
>
> > You simply specify the macro name in the POLICY file.
>
> Doesn't seem to work.
>
> macro.C_MACRO
> ~~~~~~~~~~~~~
> LOG LOG:NFLOG(1,0,1) LOG:NFLOG(2,0,1)
>
> policy
> ~~~~~~
> $FW net DROP:C_MACRO info
>
> I am getting "ERROR: LOG requires a log level"
>
> policy
> ~~~~~~
> $FW net DROP:C_MACRO:info info
>
> This time I am getting "ERROR: Invalid default action (C_MACRO:info)"
>
> policy
> ~~~~~~
> $FW net DROP:C_MACRO(info) info
>
> This time the message is "ERROR: Default Action Macros may not have parameters"
These will have to wait for Beta 2 -- at that point NFLOG() should work as you expect and you can specify 'DROP:C_MACRO(info)' if you want to make simple 'LOG' rules log at the 'info' level.
> Finally, one question and a suggestion: suppose I would like to conditionally dump packets on both sides of a connection initiated from outside. For the incoming part I know I should put the appropriate NFLOG statement in the NEW section. The tricky bit (at least for me anyway) is what to do on the outgoing side, particularly when the connection is already established (I *do* wish to dump every packet regardless of the connection tracking state, including the UNTRACKED ones). Should I then place the appropriate statement in the ALL section of the rules file? Would that execute prior to the connection tracking state matches (NEW, RELATED, ESTABLISHED)?
Yes
> Do these types of statements (in the ALL section) go after the blacklists and the various tcp flag/smurf and all other checks shorewall has put in place?
Rules in the ALL section come after the blacklist and the interface-option checks. When I want this type of logging, though, I use the 'iptrace' shorewall command. This not only logs each packet but traces it through the Netfilter chains.
> The suggestion: from what I can gather, currently there isn't a stand-alone AUDIT statement in the way there are LOG and NFLOG ones. Would it be possible to include one? The type specified in that AUDIT statement (accept, drop and reject) is largely irrelevant as far as iptables go (they do have significance in the audit facility though). The reason I ask this is because if I had this, I could add the AUDIT log target to my custom macro/action when auditing of packets (*without* explicitly dropping/rejecting/accepting them) is needed, along with LOG/NFLOG targets.
Copy the two attached files into ${SHAREDIR}/shorewall. The new target
is 'Audit' and accepts one optional parameter (the audit type). The
default audit type is 'drop'. The action does no logging. Note that
iptables requires the 'type' to be specified.
[root@sami ~]# iptables -A foo -j AUDIT
iptables v1.4.14: AUDIT: option "--type" must be specified
Try `iptables -h' or 'iptables --help' for more information.
[root@sami ~]#

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
#
# Shorewall 4 - AUDIT Action
#
# /usr/share/shorewall/action.AUDIT
#
# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# (c) 2011 - Tom Eastep ([email protected])
#
# Complete documentation is available at http://shorewall.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# AUDIT[(type)]
#
# Default type is drop
#
##########################################################################################
FORMAT 2

DEFAULTS drop

BEGIN PERL;

use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;

# First (optional) action parameter: the audit type, defaulting to 'drop'
my ( $type ) = get_action_params( 1 );

fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(?:accept|drop|reject)$/;

# iptables' AUDIT target is only usable when the kernel/iptables support it
require_capability('AUDIT_TARGET', 'The AUDIT action', 's');

my $chainref = get_action_chain;

# iptables refuses AUDIT without --type, so it is always passed
add_ijump( $chainref, j=> 'AUDIT', targetopts => "--type $type" );

allow_optimize( $chainref );

1;

END PERL;
actions.std
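Added example, not from this thread or from the Shorewall project: a small Python check over `iptables -S`-style output that verifies a chain's NFLOG or AUDIT rule comes before the first conntrack-state match, which is what placing the logging rule in Shorewall's ALL section is meant to guarantee (a logging rule placed after the RELATED,ESTABLISHED accept never sees packets of established connections). The chain names and rule lines are constructed sample input; the only assumption is the standard `-A chain ... -j TARGET` listing format.

```python
"""Verify that packet-logging rules (NFLOG / AUDIT / LOG) in an iptables chain
precede any conntrack-state match, so established/related traffic is logged too.

Added example, not Shorewall code. Input is constructed sample output in the
form produced by `iptables -S <chain>`.
"""
import shlex

# Constructed sample: in net2fw_good the NFLOG rule precedes the state match;
# in net2fw_bad the AUDIT rule sits after it, so ESTABLISHED packets are
# accepted before they can be audited.
SAMPLE_RULES = """\
-N net2fw_good
-A net2fw_good -j NFLOG --nflog-group 1 --nflog-threshold 1
-A net2fw_good -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw_good -p tcp --dport 22 -j ACCEPT
-A net2fw_good -j DROP
-N net2fw_bad
-A net2fw_bad -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw_bad -j AUDIT --type drop
-A net2fw_bad -j DROP
"""

# Targets that record a packet without changing its verdict
LOGGING_TARGETS = {"NFLOG", "AUDIT", "LOG", "ULOG"}


def parse_rules(text):
    """Group `-A <chain> ...` lines by chain, preserving rule order.
    Each rule is the token list after the chain name; -N/-P lines are skipped."""
    chains = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains


def _target(tokens):
    """Jump target of a rule: the token after -j (or -g for goto), else None."""
    for i, tok in enumerate(tokens):
        if tok in ("-j", "-g") and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _matches_ctstate(tokens):
    """True if the rule carries a conntrack or state match."""
    return "--ctstate" in tokens or "--state" in tokens


def check_logging_order(chains):
    """Return {chain: status} where status is
    'ok'           a logging rule precedes the first conntrack-state match
    'state-gated'  logging only appears at or after the first state match,
                   so packets accepted there (e.g. ESTABLISHED) are never logged
    'no-logging'   the chain contains no logging rule at all."""
    result = {}
    for chain, rules in chains.items():
        first_state = next((i for i, r in enumerate(rules) if _matches_ctstate(r)), None)
        log_idx = [i for i, r in enumerate(rules) if _target(r) in LOGGING_TARGETS]
        if not log_idx:
            result[chain] = "no-logging"
        elif first_state is None or log_idx[0] < first_state:
            result[chain] = "ok"
        else:
            result[chain] = "state-gated"
    return result


if __name__ == "__main__":
    for chain, status in check_logging_order(parse_rules(SAMPLE_RULES)).items():
        print(f"{chain}: {status}")
```

On a live system the same check runs over `iptables -S` output piped into `parse_rules`; a 'state-gated' result means the logging rule was emitted in a section that is evaluated after the state matches and should be moved to the ALL section (or, for a one-off investigation, replaced by the 'iptrace' command mentioned above).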
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
