Hi,

Please disregard my previous comment about the invalid TCP flags FIN,RST
and PSH,FIN passing through the "tcpflags" chain. They indeed pass through but
are blocked later by the "?SECTION INVALID" of the "rules" file. They
were simply dropped silently because INVALID_LOG_LEVEL was unset in
shorewall.conf :-)

About this setting, and more generally, all *_LOG_LEVEL in shorewall.conf,
it would be very nice to be able to use the extended format for specifying
the log level. I'm starting to really enjoy this new and highly flexible
format :-)

e.g. "INVALID_LOG_LEVEL=info:,Invalid" would produce (in logs) the slightly
more useful "xxx:_net-fw:Invalid:IN=eth0" rather than the default
"xxx:_net-fw::IN=eth0", which does not really give any information.

Thankfully I was able to work around the limitation with a line in the "rules"
file: LOG:info:,Invalid { source=all dest=all }

I'm really enjoying Shorewall for now. It's a bit "complex" for the
newcomer but highly configurable, to an impressive level I must say.

-- 
ObNox
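The point of the tag in the log prefix is that it makes the kernel log lines sortable by reason once they reach a log parser. The following is an added example (it is not code from the post or from Shorewall) that parses netfilter log lines carrying a Shorewall-style prefix and counts them by tag; lines logged without a tag end up in an "<untagged>" bucket, which is exactly the problem described above. It assumes the prefix has the shape "<LOGFORMAT text>:<chain>:<tag>:" followed by the usual netfilter key=value fields, with "xxx" standing in for whatever LOGFORMAT text was configured, and the sample log lines are constructed for this example. The bogus-flag check mirrors the combinations a tcpflags-style chain usually rejects; the exact list is an assumption.

```python
"""Parse Shorewall-style netfilter log lines and summarise them by log tag.

Added example, not code from the original post or from Shorewall. It assumes
the kernel log prefix has the shape "<LOGFORMAT text>:<chain>:<tag>:" followed
by the usual netfilter key=value fields, as in "xxx:_net-fw:Invalid:IN=eth0";
"xxx" stands in for whatever LOGFORMAT text was configured.
"""
import re
from collections import Counter

# Constructed sample lines for this example; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: xxx:_net-fw::IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40211 DPT=80 WINDOW=0 RES=0x00 FIN RST URGP=0
Jan 10 12:00:02 fw kernel: xxx:_net-fw:Invalid:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40212 DPT=80 WINDOW=0 RES=0x00 FIN PSH URGP=0
Jan 10 12:00:03 fw kernel: xxx:_net-fw:Invalid:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=5000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Jan 10 12:00:04 fw kernel: xxx:_net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=5001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:05 fw kernel: unrelated message without a firewall prefix
"""

# "<logprefix>:<chain>:<tag>:" followed by the netfilter fields, which start with IN=.
# The optional "_" before the chain mirrors the "_net-fw" seen in the post.
PREFIX_RE = re.compile(
    r"(?P<logprefix>[^\s:]+):_?(?P<chain>[^\s:]*):(?P<tag>[^\s:]*):(?P<rest>IN=.*)$"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for a firewall log line, or None for lines without the prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {}
    flags = set()
    for tok in m.group("rest").split():
        if "=" in tok:                      # key=value field (IN=, SRC=, DPT=, ...)
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:              # netfilter prints set TCP flags as bare words
            flags.add(tok)
        # other bare tokens such as DF are not needed here
    return {
        "chain": m.group("chain"),
        "tag": m.group("tag"),              # empty string when no tag was configured
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
        "flags": frozenset(flags),
    }


def has_bogus_tcp_flags(flags):
    """True for flag combinations no legitimate TCP segment carries.

    Mirrors the usual checks of a tcpflags-style chain (the exact list is an
    assumption): no flags at all, SYN+FIN, SYN+RST, FIN+RST, and any segment
    that is not SYN or RST but lacks ACK (e.g. FIN alone, PSH+FIN).
    """
    f = set(flags)
    if not f:
        return True
    if {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f or {"FIN", "RST"} <= f:
        return True
    if "ACK" not in f and "SYN" not in f and "RST" not in f:
        return True
    return False


def summarize(text):
    """Count matching lines per tag, and bogus-flag TCP lines per source address."""
    by_tag = Counter()
    bogus_by_src = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_tag[rec["tag"] or "<untagged>"] += 1
        if rec["proto"] == "TCP" and has_bogus_tcp_flags(rec["flags"]):
            bogus_by_src[rec["src"]] += 1
    return by_tag, bogus_by_src


if __name__ == "__main__":
    tags, bogus = summarize(SAMPLE_LOG)
    for tag, n in sorted(tags.items()):
        print(f"{tag:<12} {n}")
    for src, n in bogus.most_common():
        print(f"bogus TCP flags from {src}: {n}")
```

Run against the constructed sample, the first line (logged with the default empty tag) lands in "<untagged>" while the two lines logged with ",Invalid" are counted under "Invalid"; the flag check additionally attributes both FIN,RST and FIN,PSH segments to the same source, which is the kind of grouping the tag makes cheap to do in a real log pipeline.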