I was thinking you might want an example in the logging documentation of using
a comma after the log TAG:
/etc/shorewall/rules (hen is a local zone):
REJECT(icmp-proto-unreachable):notice:IPv6 hen inet 41
# who's using IPv6 tunneling
REJECT(icmp-proto-unreachable):notice:IPv6,tunneling hen inet 41 # who's using IPv6 tunneling
The first REJECT produces: prefix "Shorewall:IPv6:REJECT(icmp-p "
and the second: prefix "Shorewall:IPv6:tunneling:"
Also, the first rule generates a warning:
Compiling /etc/shorewall/rules...
WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
/etc/shorewall/rules (line 212)
I use LOGTAGONLY=Yes.
As a side note, I recommend blocking all tunneling because it bypasses the
firewall rules:
?COMMENT tunneling
REJECT(icmp-proto-unreachable):notice:IPv6,tunneling hen inet 41 # who's using IPv6 tunneling
REJECT(icmp-port-unreachable) hen inet tcp,udp teredo
REJECT(icmp-port-unreachable) hen inet tcp,udp isakmp,ipsec-nat-t
Here is an example of logging traffic only once:
/etc/shorewall/init:
ipset -exist create IPv4 hash:ip timeout 86400
ipset -exist create IPv4-port hash:ip,port timeout 14400
/etc/shorewall/rules (at the top):
?SECTION NEW
# ------------------
?COMMENT drop previously flagged
DROP inet:+IPv4[src] fw
DROP inet:+IPv4-port[src,dst] fw
?COMMENT
# ------------------
?COMMENT drop Russian Federation
ADD(+IPv4:src):info:IPv4,Russia inet:^[RU] fw
?COMMENT drop Taiwan email
ADD(+IPv4-port:src,dst):info:IPv4-port,Taiwan inet:^[TW] fw tcp smtp,smtps,submission
# ------------------
?COMMENT drop newly flagged
DROP inet:+IPv4-port[src,dst] fw
DROP inet:+IPv4[src] fw
The first ADD drops everything from an IP address and the second drops an IP
address/port combination.
After all the rules have been checked, at the bottom of /etc/shorewall/rules:
# =============================================================================
# =============================== H@ck0rz =====================================
# =============================================================================
?COMMENT dont whack myself
REJECT:notice inet:$ME_NET fw
?COMMENT not public
ADD(+IPv4-port:src,dst) inet fw tcp,udp domain
ADD(+IPv4-port:src,dst) inet fw tcp ldap,ldaps
ADD(+IPv4-port:src,dst) inet fw tcp,udp ipp
?COMMENT H@ck0rz
ADD(+IPv4:src) inet fw tcp ssh
ADD(+IPv4:src) inet fw tcp ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
ADD(+IPv4:src) inet fw tcp,udp ms-sql-s,ms-sql-m
?COMMENT drop if added
DROP:info:BAN,IPv4 inet:+IPv4[src] fw
DROP:info:BAN,IPv4-port inet:+IPv4-port[src,dst] fw
One final note: I wanted fewer firewall messages in /var/log/messages, so I added
to rsyslog.conf:
#### RULES #### <-- find this
if $msg contains 'Shorewall' then {
action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop # notice
if ($syslogfacility == 0 and $syslogseverity >= 6) then stop # info
}
I log at 'notice' log level if I want the message in /var/log/messages and
everything goes to /var/log/shorewall.log.
Don't forget to add /var/log/shorewall.log to logrotate.
Bill
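As an added example (not part of Bill's post), a small Python parser for the resulting /var/log/shorewall.log: it splits the LOGTAGONLY prefix from the netfilter key=value fields, handling both the comma-split form ("Shorewall:IPv6:tunneling:") and the shortened form from the warning ("Shorewall:IPv6:REJECT(icmp-p "), and counts hits per tag and source. The log lines are constructed and the addresses come from documentation ranges.

```python
"""Parse Shorewall netfilter log lines and count hits per log tag and source.
Added example, not from the original post; SAMPLE_LOG is constructed and follows
the LOGTAGONLY=Yes prefixes shown in the post."""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/shorewall.log (addresses are documentation ranges).
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: Shorewall:IPv6:tunneling:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=41
Jan  1 10:00:02 fw kernel: Shorewall:IPv4:Russia:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=25 SYN
Jan  1 10:00:03 fw kernel: Shorewall:IPv6:tunneling:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=41
Jan  1 10:00:04 fw kernel: Shorewall:BAN:IPv4:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=443 SYN
Jan  1 10:00:05 fw kernel: Shorewall:IPv6:REJECT(icmp-p IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TTL=64 PROTO=41
Jan  1 10:00:06 fw sshd[123]: Accepted publickey for bill from 192.0.2.50
"""

# Everything between "Shorewall:" and the first "IN=" is the log prefix.
LINE_RE = re.compile(r"Shorewall:(?P<prefix>.*?)(?=IN=)(?P<fields>.*)$")


def parse_line(line):
    """Return {'tag': (chain, disposition), 'IN': ..., 'SRC': ..., ...} or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Prefix is "chain:disposition:"; the shortened form ends in a space, not a colon.
    tag = tuple(p for p in m.group("prefix").strip(": ").split(":") if p)
    # key=value pairs; bare flags such as SYN or DF carry no "=" and are skipped.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    return {"tag": tag, **fields}


def summarise(log_text):
    """Map each joined tag to a Counter of source addresses, ignoring other lines."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[":".join(rec["tag"])][rec.get("SRC", "?")] += 1
    return hits


if __name__ == "__main__":
    for tag, srcs in sorted(summarise(SAMPLE_LOG).items()):
        # Repeated sources per tag are what the post's ipset "log once" trick suppresses.
        print(f"{tag:24s} {sum(srcs.values()):3d} hits from {len(srcs)} source(s)")
```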
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users