[1:root@elmo shorewall 255]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch
ADD(+IpPort3600:src,dst:7200):notice:ADD,IpPort3600 inet fw tcp,udp domain
produces:
Checking /etc/shorewall/rules...
ERROR: Invalid ADD/DEL parameter (+IpPort3600:src,dst:7200) /etc/shorewall/rules (line 263)
Which Shorewall version has this?
> I've implemented it as:
>
> ADD(<set>:<flags>[:<timeout>]).
>
Am I missing something?
Currently:
LOGTAGONLY=Yes
Dec 21 06:10:57 elmo kernel: Shorewall:ADD:IpPort3600:IN=ccast OUT= MAC=00:11:0a:58:db:0f:b8:9b:c9:dc:af:12:08:00 SRC=185.106.121.175 DST=123.123.123.123 LEN=65 TOS=0x00 PREC=0x20 TTL=50 ID=0 DF PROTO=UDP SPT=37511 DPT=53 LEN=45 MARK=0x4100
I'm using this in the rules to get a single notification in /var/log/messages
of each new violation:
?COMMENT drop previously flagged
DROP inet:+IpPort3600[src,dst] fw
DROP inet:+IpOneDay[src] fw
?COMMENT not public
ADD(+IpPort3600:src,dst):notice:ADD,IpPort3600 inet fw tcp,udp domain
?COMMENT new entries
DROP inet:+IpPort3600[src,dst] fw
DROP inet:+IpOneDay[src] fw
/etc/shorewall/policy:
inet all DROP info
/etc/rsyslog.conf (rsyslog-8.8.0-3.fc22.x86_64):
if $msg contains 'Shorewall' then {
action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop # notice
if ($syslogfacility == 0 and $syslogseverity >= 6) then stop # info
}
*.info;mail.none;authpriv.none;auth.none;cron.none;*.err /var/log/messages
Note all Shorewall messages go to /var/log/shorewall.log (a log I added). Only
severity more important than -info- goes to /var/log/messages.
Bill
On 12/23/2015 12:06 PM, Tom Eastep wrote:
> Bill,
>
> On 12/23/2015 2:21 AM, Bill Shirley wrote:
>> I have a rule to add addresses to an ipset defined:
>> ipset -exist create IpPort3600 hash:ip,port timeout 3600
>> ipset -exist create IpOneDay hash:ip timeout 86400
>>
>> in /etc/shorewall/rules:
>> ADD(+IpPort3600:src,dst):notice:ADD,IpPort3600 inet fw tcp,udp domain
>> ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp mysql
>>
>> My suggestion is to allow ADD to specify a timeout value:
>> ADD(+IpPort3600:src,dst,@600):notice:ADD,IpPort3600 inet fw tcp,udp domain
>> and thus set a 10 minute timeout(600) instead of the default one hour
>> timeout(3600).
>>
>> Also:
>> ADD(+IpOneDay:src,@14400):info:ADD,IpOneDay,14400 inet fw tcp mysql
>
> I've implemented it as:
>
> ADD(<set>:<flags>[:<timeout>]).
>
> I'm unclear, however, what you are trying to do with the log tag. If
> LOGTAGONLY=No, then with no tag specified in the rule, your rule will
> have a log prefix of
>
> ": inet-fw ADD(+IpOneDay:src:14400)"
>
> which will get truncated.
>
> With LOGTAGONLY=Yes and a simple one-line change in the compiler, if you
> use this ACTION:
>
> ADD(IpOneDay:src:14400):info:,ADD,IpOneDay,14400
>
> (note that the tag begins with a comma), the log prefix will be
>
> : inet_fw ADD,IpOneDay,14400
>
>
> -Tom
>
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
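Added example, not code from the thread or from Shorewall itself: a small Python parser for the kernel log line Bill quotes (LOGTAGONLY=Yes, tag "ADD,<set>") that rebuilds the ipset member the ADD action inserts, so the logged hits can be compared against `ipset list` output or replayed with an explicit timeout. It assumes that the flags in ADD(+set:flags) map positionally onto the set type's components (ip from SRC/DST, port from SPT/DPT); the set names and the sample line come from the message.

```python
import re
from ipaddress import ip_address

# Set types from the 'ipset create' lines quoted in the thread (name -> ipset type).
IPSET_TYPES = {"IpPort3600": "hash:ip,port", "IpOneDay": "hash:ip"}
# With LOGTAGONLY=Yes and a tag of "ADD,<set>", the kernel line carries "Shorewall:ADD:<set>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<tag>[^:\s]+):(?P<set>[^:\s]+):")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# The log line quoted in the message, rejoined onto one line.
SAMPLE = ("Dec 21 06:10:57 elmo kernel: Shorewall:ADD:IpPort3600:IN=ccast OUT= "
          "MAC=00:11:0a:58:db:0f:b8:9b:c9:dc:af:12:08:00 SRC=185.106.121.175 "
          "DST=123.123.123.123 LEN=65 TOS=0x00 PREC=0x20 TTL=50 ID=0 DF PROTO=UDP "
          "SPT=37511 DPT=53 LEN=45 MARK=0x4100")

def parse_shorewall_log(line):
    """Return (tag, set_name, fields) for a Shorewall kernel log line, or None if not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[m.end():]):
        fields.setdefault(key, value)  # first LEN= is the IP header; the UDP LEN= is dropped
    return m.group("tag"), m.group("set"), fields

def ipset_member(set_name, flags, fields):
    """Member ADD(+set:flags) would insert, in ipset(8) syntax, e.g. '185.106.121.175,udp:53'.
    Flags map positionally onto the set type (ip <- SRC/DST, port <- SPT/DPT); this
    positional reading is an assumption drawn from the rules in the thread."""
    components = IPSET_TYPES[set_name].split(":", 1)[1].split(",")
    flag_list = flags.split(",")
    if len(flag_list) != len(components):
        raise ValueError(f"{set_name} needs {len(components)} flag(s), got {flags!r}")
    parts = []
    for component, flag in zip(components, flag_list):
        if component == "ip":
            parts.append(str(ip_address(fields["SRC" if flag == "src" else "DST"])))
        elif component == "port":
            parts.append(f"{fields['PROTO'].lower()}:{fields['SPT' if flag == 'src' else 'DPT']}")
        else:
            raise ValueError(f"unsupported ipset component {component!r}")
    return ",".join(parts)

def ipset_add_args(set_name, flags, fields, timeout=None):
    """argv of the equivalent 'ipset -exist add'; timeout overrides the set's default."""
    args = ["ipset", "-exist", "add", set_name, ipset_member(set_name, flags, fields)]
    if timeout is not None:
        args += ["timeout", str(int(timeout))]
    return args
```

Running `ipset_add_args("IpPort3600", "src,dst", fields, timeout=7200)` on the parsed sample line yields the same member and 7200-second timeout that `ADD(+IpPort3600:src,dst:7200)` asks for, which makes it easy to spot entries whose remaining timeout in `ipset list` does not match the rule.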