At 10/31/2013 08:56 AM, you wrote:
>Hi Group,
>
>Congratulations on shorewall.org!
>No question, shorewall is the best tool I know for playing with iptables rules!
>
>Second, I wonder if anyone can help me with the following:
>
>1. I'm trying to configure a rule with the NFLOG option.
>I managed to make it work with ULOG without any problem, but making it work with
>NFLOG doesn't seem to work :-(
>My question is whether the netfilter userspace log daemon (ULOG) knows how to
>capture NFLOG messages.
>At the moment I'm using ULOG version 1.X.
>Is this only supported via ULOG version 2.0?
>
>I'm using ulog version 1 because this is the native version my CentOS machine
>supports, and installing it from source requires me to update a lot of packages,
>which I want to avoid.
>
>2. What is the true difference between ULOG and NFLOG?
>
>3. I'm not sure I got it right from the documentation at
>http://www.shorewall.net/shorewall_logging.html
>
>Where do I configure the shorewall LEVEL?
>It says it has the following:
>
>debug,info,error, etc....
>
>but I don't see where to change it in the shorewall configuration.
>
>4. A rule like this
>ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence)      fw      all     all
>
>doesn't seem to work.
>I'm getting Invalid log level 
>(info(tcp_options,ip_options,macdecode,tcp_sequence)
>
>Why? Any idea?
>
>5. Under ULOG, you have the option to configure nlgroup. The default is 1, but
>say I want to have nlgroup=2 and nlgroup=3, so that nlgroup=1 saves logs to
>file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean
>I need to run 3 different ULOG processes?
>I didn't manage to find how to do it in ulogd.conf.
>
>
>Thanks
>Sassy

I'm running on Arch Linux, so I may be way out of touch with older
systems and the following may not match your system.
I'm also somewhat new to shorewall/iptables. I found
#shorewall check -r
to be very helpful when changing the shorewall files.

I believe you need ulogd2 and kernel > 2.6.14 for NFLOG.

NFLOG is part of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
ULOG is entering end-of-life. NFLOG requires support to be compiled
into the kernel.

# zcat /proc/config.gz | grep NFLOG
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_BRIDGE_EBT_NFLOG=m

Use NFLOG as your log level, and as with ULOG you can specify the
group NFLOG(1,0,1). NFLOG may default to group 0?

Make sure you have your NFLOG filter stack correct in /etc/ulogd.conf.
See /usr/share/doc/ulogd/ulogd.conf for some example stacks.

Example rule I have:

SECTION NEW

# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)    net:+blset     all

and /etc/ulogd.conf
~~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
~~~~~~~

and add logrotate for the new log.

Wayne S
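The most common reason an NFLOG rule "doesn't work" is that the group number in the shorewall log level (the first argument of NFLOG(group,range,threshold)) has no matching NFLOG input section in ulogd.conf, or that input is not wired into a stack with an output file. The script below is an added example, not code from the thread or from the Shorewall or ulogd projects: it parses a ulogd.conf modelled on the one in the reply, maps each NFLOG group to the LOGEMU file its stack writes, and reports any shorewall rule whose NFLOG group nobody is listening on. The sample configuration and rules are constructed for the example, and the assumption that both shorewall and ulogd default to group 0 when none is given is marked in the code.

```python
import re
from collections import defaultdict

# Constructed sample ulogd.conf, modelled on the one quoted in the reply above.
SAMPLE_ULOGD_CONF = """
[global]
logfile="/var/log/ulogd.log"
loglevel=5
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
"""

# Constructed shorewall rules: the DROP line is the one from the reply, the
# others are added so that one rule (group 2) deliberately has no listener.
SAMPLE_RULES = """
SECTION NEW
# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)    net:+blset     all
ACCEPT:NFLOG(1,0,1)  fw             all
REJECT:NFLOG(2)      net            fw
"""

DEFAULT_NFLOG_GROUP = 0  # assumption: both shorewall and ulogd fall back to group 0


def parse_ulogd_conf(text):
    """Return (stacks, sections).

    stacks   : list of stacks, each a list of (instance_name, plugin_name)
    sections : {section_name: {key: value}} for every [section] block
    Comments (#...) and quotes around values are stripped.
    """
    stacks = []
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip().strip('"')
        if key == 'stack':
            stacks.append([tuple(part.split(':', 1)) for part in value.split(',')])
        elif current is not None:
            sections[current][key] = value
    return stacks, sections


def nflog_group_outputs(conf_text):
    """Map each NFLOG group number to the LOGEMU file(s) its stack(s) write to."""
    stacks, sections = parse_ulogd_conf(conf_text)
    mapping = defaultdict(list)
    for stack in stacks:
        inputs = [name for name, plugin in stack if plugin == 'NFLOG']
        outputs = [name for name, plugin in stack if plugin == 'LOGEMU']
        for inp in inputs:
            group = int(sections[inp].get('group', DEFAULT_NFLOG_GROUP))
            for out in outputs:
                mapping[group].append(sections[out].get('file', '<no file= key>'))
    return dict(mapping)


# ACTION:NFLOG or ACTION:NFLOG(group[,range[,threshold]]) at the start of a rule line
RULE_LEVEL_RE = re.compile(r'^\s*\w+:NFLOG(?:\((\d+)(?:,\d+){0,2}\))?', re.I)


def rule_nflog_groups(rules_text):
    """Return [(rule_line, group)] for every shorewall rule that logs via NFLOG."""
    found = []
    for line in rules_text.splitlines():
        m = RULE_LEVEL_RE.match(line)
        if m:
            group = int(m.group(1)) if m.group(1) else DEFAULT_NFLOG_GROUP
            found.append((line.strip(), group))
    return found


def check_rules_against_ulogd(rules_text, conf_text):
    """Return (ok, missing): ok = [(rule, group, files)], missing = [(rule, group)]."""
    outputs = nflog_group_outputs(conf_text)
    ok, missing = [], []
    for rule, group in rule_nflog_groups(rules_text):
        if group in outputs:
            ok.append((rule, group, outputs[group]))
        else:
            missing.append((rule, group))
    return ok, missing


if __name__ == '__main__':
    ok, missing = check_rules_against_ulogd(SAMPLE_RULES, SAMPLE_ULOGD_CONF)
    for rule, group, files in ok:
        print(f'group {group} -> {", ".join(files)} : {rule}')
    for rule, group in missing:
        print(f'group {group} -> NO ulogd stack listens on this group : {rule}')
```

Run it against your own files by replacing the two sample strings with the contents of /etc/ulogd.conf and the shorewall rules file; every rule listed under "NO ulogd stack" will silently log nothing until a matching [logN] section with group=N is added and wired into a stack. The same mapping answers question 5 in the original mail: one ulogd process serves several groups, each through its own stack and LOGEMU file.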

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users