On 05/19/2011 04:28 AM, Mr Dash Four wrote:
> 
>> Okay -- give me a couple of days and I'll send you a pre-release of
>> 4.4.20-Beta3.
>>   
> No worries, I know it won't be easy to integrate as the LOG target is 
> used everywhere in shorewall.

Here are the release notes for what I have working at this point. I'm
distributing them for comment before sending out the code.

5)  Support for the AUDIT target has been added. AUDIT is a feature of
    the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
    of access decisions.

    Note: This support note is the only documentation of this support
    currently available.

    The support involves the following:

    a)  A new "Audit Target" capability is added and is required for
        auditing support. To use AUDIT support with a capabilities
        file, that file must be generated using this or a later
        release.

        Use 'shorewall show capabilities' after installing this release
        to see if your kernel/iptables support the AUDIT target.

    b)  In /etc/shorewall/policy's POLICY column, the policy (and
        default action, if any) may be followed by ':audit' to cause
        application of the policy to be audited.

        It is allowed to also specify a log level on audited policies
        resulting in both auditing and logging.

    c)  Three new builtin actions that may be used in the rules file,
        in macros and in other actions.

        AACCEPT - Audits and accepts the connection request
        ADROP   - Audits and drops the connection request
        AREJECT - Audits and rejects

        It is allowed to specify a log level with these actions to
        provide both auditing and logging.

    d)  The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
        TCP_FLAGS_DISPOSITION options may be set as follows:

        BLACKLIST_DISPOSITION         ADROP or AREJECT
        MACLIST_DISPOSITION           ADROP, or AREJECT unless
                                      MACLIST_TABLE=mangle
        TCP_FLAGS_DISPOSITION         ADROP or AREJECT

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
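The notes above describe the AUDIT target as non-terminating auditing that can be combined with a log level and a final verdict, plus a constraint that AREJECT is unavailable when the maclist rules live in the mangle table. The following is an added example, not Shorewall's own generator code and not taken from the release: it models those semantics as raw iptables argument vectors. The three-rule shape (AUDIT, then optional LOG, then the verdict) and the function names are assumptions made for illustration; the exact rules Shorewall emits are not stated in the notes.

```python
# Added illustration of the AUDIT-target semantics in the release notes.
# Not Shorewall code: rule shapes and names below are assumptions.
from typing import List, Optional

# Shorewall builtin action -> (iptables AUDIT --type value, terminating target)
AUDIT_ACTIONS = {
    "AACCEPT": ("accept", "ACCEPT"),
    "ADROP":   ("drop",   "DROP"),
    "AREJECT": ("reject", "REJECT"),
}

# Audited dispositions each option accepts (section d of the notes).
ALLOWED_DISPOSITIONS = {
    "BLACKLIST_DISPOSITION": {"ADROP", "AREJECT"},
    "MACLIST_DISPOSITION":   {"ADROP", "AREJECT"},
    "TCP_FLAGS_DISPOSITION": {"ADROP", "AREJECT"},
}


def check_disposition(option: str, value: str, maclist_table: str = "filter") -> bool:
    """True if `value` is a permitted audited disposition for `option`.

    AREJECT is refused for MACLIST_DISPOSITION when MACLIST_TABLE=mangle:
    the REJECT target only exists in the filter table.
    """
    if option not in ALLOWED_DISPOSITIONS or value not in ALLOWED_DISPOSITIONS[option]:
        return False
    if option == "MACLIST_DISPOSITION" and value == "AREJECT" and maclist_table == "mangle":
        return False
    return True


def audited_rules(chain: str, action: str, log_level: Optional[str] = None,
                  table: str = "filter") -> List[List[str]]:
    """Expand one audited action into the iptables rules that realise it.

    AUDIT writes an audit record and lets the packet continue, so auditing,
    optional logging and the final verdict are three separate rules, in
    that order. Chain name is a constructed sample; any chain works.
    """
    if action not in AUDIT_ACTIONS:
        raise ValueError(f"unknown audited action {action!r}")
    audit_type, verdict = AUDIT_ACTIONS[action]
    if verdict == "REJECT" and table != "filter":
        raise ValueError("REJECT is only available in the filter table")
    base = ["iptables", "-t", table, "-A", chain]
    rules = [base + ["-j", "AUDIT", "--type", audit_type]]
    if log_level is not None:
        rules.append(base + ["-j", "LOG", "--log-level", log_level])
    rules.append(base + ["-j", verdict])
    return rules


def render(rules: List[List[str]]) -> str:
    """Join argument vectors into shell-style command lines for display."""
    return "\n".join(" ".join(rule) for rule in rules)


if __name__ == "__main__":
    # An ADROP with log level "info": audit record, syslog line, then DROP.
    print(render(audited_rules("net2fw", "ADROP", log_level="info")))
    print(check_disposition("MACLIST_DISPOSITION", "AREJECT", maclist_table="mangle"))
```

The ordering matters for detection work: because AUDIT does not terminate rule traversal, placing the LOG rule after it means an audited-and-logged packet yields both an audit-subsystem record and a syslog line before the verdict is applied, which is what "both auditing and logging" in the notes implies.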


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users