Bulgrien, Kevin wrote:
> - The relevant parts of the configuration are:
>
> policy
>
> loc all CONTINUE
> net all CONTINUE
> $FW all REJECT $LOG
>
> rules
>
> LOG:$LOG:HTTPSout $FW all tcp 443 - - - -
> LOG:$LOG:WEBout $FW all tcp 80 - - - -
>
> ACCEPT $FW all tcp 80 - - - :root
> ACCEPT $FW net tcp 443 - - - :root
>
> Example:
>
> lynx http://www.mandriva.com
>
> Result: Success
>
> lynx https://download.mandriva.com
>
> Result: Failed, no log entries, except HTTPSout LOG messages.

I need to see the output of "shorewall dump" to see what, if anything, Shorewall did wrong.

> No other log entries exist in this time frame, yet the traffic is
> blocked. NOTE that there is an anomaly in the "info" log entry at
> "Shorewall:fw2net:LOG:HTTPSoutIN=". There should be a space
> between the tag and the IN= field.

That anomaly still exists in the current code. It will be corrected in Shorewall 4.0.3.

> Resolution:
>
> Spotted reference in "Problems Corrected in 3.4.1" to:
>
> 3) Log messages specifying a log tag had two spaces appended to the
> log prefix. This could cause mysterious "log-prefix truncated"
> messages.
>
> I had been ignoring the above warning because it didn't make sense, and
> anyway, I didn't care that a log prefix was shortened as long as it
> appeared in the log, and the logging was working fine.
>
> I decided to take the troubleshooter stance that if something is broken,
> you view any anomaly, no matter how innocuous, as a potential indicator
> for the problem. I renamed the log rule for HTTPS as follows:
>
> LOG:$LOG:443out $FW all tcp 443 - - - -
>
> With this change, no warnings about log prefix truncation are emitted on
> a shorewall restart.
>
> HTTPS traffic from fw to net now works correctly.
>
> Summary:
>
> This is a flaw. I cannot say yet whether this appears in later versions
> of shorewall, but I also do not see any indications that such an issue has
> been fixed, though my search may not have been conclusive.
Given the way that shorewall 3.0.4 worked, I find this problem report and the resolution to be a complete mystery. I have confirmed that (other than the missing space anomaly) the problem doesn't occur in Shorewall 4.0.3 with either the Perl or Shell compilers. But then, given that I can't understand how it could have happened in 3.0.4, I'm not sure that there isn't something else going on in your configuration that causes the problem and might still cause the problem in later releases (even though log rule generation was rewritten in 3.2.0). So if you could re-create the bug then capture the output of "shorewall dump", I will be interested to take a look at it.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
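The "HTTPSoutIN=" anomaly and the "log prefix truncated" warning quoted above both follow from one limit: iptables rejects a --log-prefix longer than 29 characters, and the kernel prints whatever prefix was installed immediately in front of "IN=". The script below is an added example, not Shorewall or iptables code. It assumes the prefix layout "Shorewall:<chain>:<disposition>:<tag>" followed by a separating space, as inferred from the log line in the thread rather than from Shorewall's source, and uses constructed packet fields. It shows why "HTTPSout" (29 characters before the space) loses its separator while "443out" and "WEBout" do not, and why the 3.4.1 double-space bug makes that worse. It models the log-prefix behaviour only; the thread leaves open why the HTTPS traffic itself was blocked.

```python
"""Added example (not Shorewall or iptables code): assemble a Shorewall-style
LOG prefix, apply iptables' --log-prefix length limit, and show what the kernel
would print in front of "IN=".  Prefix layout is assumed from the thread's
quoted log line, not taken from Shorewall's source."""

# iptables refuses a --log-prefix longer than this ("Maximum prefix length 29").
IPTABLES_MAX_PREFIX = 29

# Constructed packet fields, in the shape the kernel appends right after the prefix.
SAMPLE_FIELDS = "IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=443"


def build_prefix(chain, disposition, tag="", trailing_spaces=1):
    """Assemble the prefix handed to iptables.  trailing_spaces=2 reproduces
    the 3.4.1 changelog item (two spaces appended when a tag is present)."""
    prefix = f"Shorewall:{chain}:{disposition}"
    if tag:
        prefix += f":{tag}"
    return prefix + " " * trailing_spaces


def fit_prefix(prefix, limit=IPTABLES_MAX_PREFIX):
    """Return (prefix_as_installed, was_truncated).  Cutting the prefix down to
    the limit is what a "log prefix truncated" warning is telling you."""
    if len(prefix) <= limit:
        return prefix, False
    return prefix[:limit], True


def audit_tag(chain, disposition, tag, trailing_spaces=1):
    """For one LOG tag, report whether the prefix fits and whether the
    space between the tag and the kernel's IN= field survives."""
    prefix = build_prefix(chain, disposition, tag, trailing_spaces)
    installed, truncated = fit_prefix(prefix)
    line = installed + SAMPLE_FIELDS  # kernel output: prefix then fields, nothing between
    return {
        "tag": tag,
        "length": len(prefix),
        "truncated": truncated,
        "separator_lost": not installed.endswith(" "),
        "head": line[: len(installed) + 3],  # up to and including "IN="
    }


if __name__ == "__main__":
    for t in ("HTTPSout", "WEBout", "443out"):
        print(audit_tag("fw2net", "LOG", t))
    # The 3.4.1-era double space pushes the same tag two characters over the limit.
    print(audit_tag("fw2net", "LOG", "HTTPSout", trailing_spaces=2))
```

Running it with the thread's tags shows "HTTPSout" producing a 30-character prefix that is cut to 29, so the log reads "...LOG:HTTPSoutIN=", while "443out" and "WEBout" yield 28 characters and keep the space. Any tag that brings the prefix to 29 characters or more before the separator will show the same symptom; the fix, as in the thread, is a shorter tag, or a shorter chain/disposition portion.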
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
