Bill
Attached is a corrected snat file and it is now working! Yeah.
I added the 00-shorewall.log
Not sure how to use
rules:
?COMMENT I don't like Bob @ 192.168.2.44
REJECT:notice lan:192.168.2.44 wan tcp all
Should the line ?COMMENT I don't like Bob @ 192.168.2.44 be added to the
"rules" file to get the output into the shorewall.log file???
Thanks for your help
Jim
On 12/12/2017 08:53 PM, Bill Shirley wrote:
If you want a cleaner log file, create this file
/etc/rsyslog.d/00-shorewall.conf :
if $msg contains 'Shorewall' then {
action(type="omfile" file="/var/log/shorewall.log")
# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop # notice
if ($syslogfacility == 0 and $syslogseverity >= 6) then stop # info
}
Now restart rsyslog: 'systemctl restart rsyslog.service'. All Shorewall messages will now be in /var/log/shorewall.log. Log at 'notice' level or higher for the message to be in /var/log/messages (Debian: /var/log/syslog) AND /var/log/shorewall.log.
rules:
?COMMENT I don't like Bob @ 192.168.2.44
REJECT:notice lan:192.168.2.44 wan tcp all
For rotating log files (logrotate), add the new log file
(/var/log/shorewall.log) to:
Debian: /etc/logrotate.d/rsyslog above /var/log/syslog
Fedora: /etc/logrotate.d/syslog above /var/log/messages
Tom,
You might want to change
http://www.shorewall.org/shorewall_logging.html
at the bottom 'One final note' to the above more modular approach.
Also, add
a note that if this is used shorewall.conf should be changed to:
LOGFILE=/var/log/shorewall.log
Jim,
You don't have anything in your nat table. It should have one entry:
#ACTION SOURCE DEST
MASQUERADE 192.168.2.0/24 enp4s0
This will allow the lan to be routed to the wan.
Bill
On 12/12/2017 7:07 PM, jamby wrote:
Tom
I attempted to follow the instructions below. But I failed the
gzip test.
Jim
On 12/12/2017 03:27 PM, Tom Eastep wrote:
On 12/12/2017 03:07 PM, jamby wrote:
Tom
On my system I get a file "shorewall-init.log"; is that the dump you are referring to? Otherwise most messages get dumped into the /var/log/messages log file.
Here are the instructions from the URL I posted:
If Shorewall is starting successfully and your problem is that some set of connections to/from or through your firewall isn't working (examples: local systems can't access the Internet, you can't send email through the firewall, you can't surf the web from the firewall, connections that you are certain should be rejected are mysteriously accepted, etc.) or you are having problems with traffic shaping then please perform the following six steps:
Be sure that the LOGFILE setting in /etc/shorewall/shorewall.conf is correct (that it names the file where 'Shorewall' messages are being logged). See shorewall.conf (5) and the Shorewall Logging Article.
If your problem has anything to do with IPSEC, be sure that the ipsec-tools package is installed.
If Shorewall isn't started then /sbin/shorewall start. Otherwise /sbin/shorewall reset.
Try making the connection that is failing.
/sbin/shorewall dump > /tmp/shorewall_dump.txt
Post the /tmp/shorewall_dump.txt file as an attachment compressed with gzip or bzip2.
Describe where you are trying to make the connection from (IP address) and what host (IP address) you are trying to connect to.
-Tom
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
#
# Shorewall - Sample SNAT/Masquerade File for two-interface configuration.
# Copyright (C) 2006-2016 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-snat"
#
# See http://shorewall.net/manpages/shorewall-snat.html for more information
###########################################################################################################################################
#ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
#
# Rules generated from masq file
# /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by
# Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
#
#SNAT 10.0.0.0/8,\
#MASQUERADE 10.0.0.0/16,\
# 169.254.0.0/16,\
# 172.16.0.0/12,\
#MASQUERADE 192.168.2.0/24\
# 192.168.0.0/8 enp4s0
MASQUERADE 192.168.2.0/24 enp4s0
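A worked model of the routing Bill's 00-shorewall.conf performs (which messages reach /var/log/shorewall.log only, and which also reach the main log), plus a parser that turns the resulting log lines into something a defender can count by source address. This is an added example, not code from the thread or from Shorewall; it assumes the default Shorewall LOGFORMAT prefix "Shorewall:<chain>:<disposition>:" and that the distribution's default rsyslog rules send kernel messages to /var/log/messages, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Severity numbers rsyslog exposes as $syslogseverity (RFC 5424 numeric codes).
SEVERITY = {"warning": 4, "notice": 5, "info": 6, "debug": 7}
KERN = 0  # $syslogfacility == 0: the kernel facility netfilter logs use

def route(facility, severity, msg):
    """Model of 00-shorewall.conf: return the set of files a message lands in.
    Assumption: the distro's default rules write kern.* to /var/log/messages."""
    files = set()
    if "Shorewall" in msg:
        files.add("/var/log/shorewall.log")
        if facility == KERN and severity >= SEVERITY["info"]:
            return files  # 'stop': info/debug never reach the main log
    files.add("/var/log/messages")
    return files

# Assumed default LOGFORMAT prefix "Shorewall:<chain>:<disposition>:" followed
# by netfilter's key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...).
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Split one kernel log line into its parts; None for non-Shorewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    kv = dict(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return {"chain": m.group("chain"), "disposition": m.group("disp"),
            "src": kv.get("SRC"), "dst": kv.get("DST"),
            "proto": kv.get("PROTO"), "dport": kv.get("DPT")}

def rejects_by_source(lines):
    """Count REJECT/DROP events per source address across a log extract."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["disposition"] in ("REJECT", "DROP"):
            counts[rec["src"]] += 1
    return counts

# Constructed sample lines shaped like the output of the REJECT:notice rule.
SAMPLE = [
    "Dec 12 21:05:11 fw kernel: Shorewall:lan2wan:REJECT:IN=enp3s0 OUT=enp4s0 "
    "SRC=192.168.2.44 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443 SYN",
    "Dec 12 21:05:12 fw kernel: Shorewall:lan2wan:REJECT:IN=enp3s0 OUT=enp4s0 "
    "SRC=192.168.2.44 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=80 SYN",
    "Dec 12 21:05:13 fw kernel: Shorewall:net2fw:DROP:IN=enp4s0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=5353",
    "Dec 12 21:05:14 fw sshd[123]: Accepted publickey for jim from 192.168.2.10",
]

if __name__ == "__main__":
    print(rejects_by_source(SAMPLE))
```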