On 9/6/2015 3:17 AM, Ob Noxious wrote:
> Hi,
>
> Please disregard my previous comment about the invalid TCP flags FIN,RST
> and PSH,FIN passing through the "tcpflags" chain. They indeed pass through
> but are blocked later by the "?SECTION INVALID" of the "rules" file.
> They simply were silently dropped because INVALID_LOG_LEVEL was unset in
> shorewall.conf :-)
That only works if INVALID_DISPOSITION is set to drop those packets. So
it's probably best if I go ahead and add them to the set of flags
specifically filtered by
>
> About this setting, and more generally, all *_LOG_LEVEL in
> shorewall.conf, it would be very nice to be able to use the extended
> format for specifying the log level. I'm starting to really enjoy this
> new and highly flexible format :-)
>
> ex: "INVALID_LOG_LEVEL=info:,Invalid" would produce (in logs) the
> slightly more useful "xxx:_net-fw:Invalid:IN=eth0" rather than the
> default "xxx:_net-fw::IN=eth0" which does not really give information.
Added to the list for 5.0.0.
>
> Thankfully I was able to workaround the limitation with a line in
> "rules" file : LOG:info:,Invalid { source=all dest=all }
>
> I'm really enjoying Shorewall for now. It's a bit "complex" for the
> newcomer but highly configurable, to an impressive level I must say.
>
Glad to hear that it is working for you.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
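The practical point of the thread is that a packet dropped by the INVALID section without a log tag is nearly impossible to triage afterwards: the prefix "xxx:_net-fw::" tells you the chain but not why the packet was rejected. The following Python script is an added example, not code from Shorewall or from either poster. It parses constructed netfilter log lines laid out in the default-style "Shorewall:chain:tag:" prefix form shown in the thread (the prefix string, interface and address values are assumed), extracts the TCP flag tokens the kernel prints after RES=, and labels the conventional "invalid" flag combinations (null/xmas, SYN+FIN, SYN+RST, FIN+RST, data flags without ACK). That list is the usual tcpflags-style set, not a copy of Shorewall's own tcpflags chain. An entry whose flags look sane but still landed in the INVALID section (a stray ACK, or a UDP datagram) is reported as a conntrack/policy drop, which is exactly the case the untagged default format hides.

```python
"""Classify netfilter log lines from a Shorewall-style LOGFORMAT prefix.

Added example; not Shorewall's code.  Sample log lines are constructed,
and the invalid-flag table is the conventional one, not Shorewall's.
"""
import re
from dataclasses import dataclass

# Flag tokens the kernel's nf_log prints as bare words after RES=0x00.
TCP_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})

# "<prefix>:<chain>:<tag>:" immediately followed by the IN=... fields.
# An empty tag (the untagged default) matches as "".
PREFIX_RE = re.compile(
    r"(?P<prefix>[A-Za-z0-9_-]+):(?P<chain>[^:\s]*):(?P<tag>[^:\s]*):(?P<rest>IN=.*)"
)

# Constructed sample: a default-format (untagged) drop, two tagged drops
# and one UDP datagram.  Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep  6 03:10:01 fw kernel: Shorewall:net-fw::IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 FIN RST URGP=0
Sep  6 03:10:02 fw kernel: Shorewall:net-fw:Invalid:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 PSH FIN URGP=0
Sep  6 03:10:03 fw kernel: Shorewall:net-fw:Invalid:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Sep  6 03:10:04 fw kernel: Shorewall:net-fw:Invalid:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=28
"""


@dataclass(frozen=True)
class LogEntry:
    prefix: str
    chain: str
    tag: str            # "" when the log level carried no tag
    fields: dict        # key=value tokens (IN, SRC, PROTO, ...)
    flags: frozenset    # bare TCP flag tokens, empty for non-TCP


def parse_line(line):
    """Return a LogEntry, or None if the line has no Shorewall-style prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return LogEntry(m.group("prefix"), m.group("chain"), m.group("tag"),
                    fields, frozenset(flags))


def invalid_flag_reason(flags):
    """Name the invalid combination, or None if the flag set is plausible.

    Conventional tcpflags-style checks (an assumption; not Shorewall's list).
    """
    flags = frozenset(flags)
    if not flags:
        return "null scan (no flags)"
    if flags == TCP_FLAGS:
        return "xmas scan (all flags)"
    if {"SYN", "FIN"} <= flags:
        return "SYN+FIN"
    if {"SYN", "RST"} <= flags:
        return "SYN+RST"
    if {"FIN", "RST"} <= flags:
        return "FIN+RST"
    # A bare SYN or a bare RST legitimately carries no ACK; anything else
    # (FIN, PSH, URG, or a mix) without ACK never occurs in a real session.
    if "ACK" not in flags and not (flags <= {"SYN"} or flags == {"RST"}):
        return "ACK-less " + "+".join(sorted(flags))
    return None


def summarize(log_text):
    """One row per parsable line: who, what flags, and why it was dropped."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = None
        if entry.fields.get("PROTO") == "TCP":
            reason = invalid_flag_reason(entry.flags)
        rows.append({
            "chain": entry.chain,
            "tag": entry.tag or "<untagged>",
            "src": entry.fields.get("SRC"),
            "proto": entry.fields.get("PROTO"),
            "flags": "+".join(sorted(entry.flags)) or "-",
            "why": reason or "no bad flag combination; conntrack state or policy drop",
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("{chain:8} {tag:10} {src:15} {proto:4} {flags:8} {why}".format(**row))
```

Run against real output with `journalctl -k | python3 this_script.py` adapted to read stdin; the first sample row shows the problem from the thread: with the default untagged level, the only way to know the FIN+RST packet was dropped for bad flags is to re-derive it from the flag tokens, whereas the tagged rows carry the reason in the prefix itself.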
