Shorewall devel - Jun 2004 - Logging in Shorewall

Hi,

I recently discovered Shorewall.  I have 5 or 6 independent machines 
that I take care of, and I wanted an easy way to build firewall rules...
at least easier than writing all the iptables rules myself, or trying
to do it with a common script that could handle different setups
varying from a one interface machine, to one with three interfaces.

Shorewall seems to do the job pretty well.  But.

Of course there is a but.  You can''t make everybody happy all of the
time.

My ''but'' really just concerns logging.  On one of the systems,
I want
to be able to log ALL packets.  Yes, even those from ESTABLISHED
connections, or those DROPped as invalid.  And the documentation agrees
with what I have seen from what Shorewall produces: you can''t log
those packets.

I am considering modifying the code.  It is pretty well written (IMHO)
and not hard to follow.  But following the code and modifying it are two
different balls of wax, or kettles of fish, if you prefer.

I would also like to make it as easy as possible to modify the logging
behaviour.

So, before I start modifying the code, I''d like your opinion on the
following ideas.  By the way, I''m reluctant to change the code, for
a couple of reasons.  It will be hard to avoid unforeseen consequences
of changes, and the code would then be incompatible with future releases
of Shorewall.

Ideas:

Wherever Shorewall generates a ''-j ACCEPT'', modify it to
something like
''-j DoACCEPT''.  Then create a new chain DoAccept.  In the
simplest case,
this would have one rule: ''ACCEPT all packets''.  You could
then, in
/etc/shorewall, add a new file, say ''accepting''.  The user
could then
add any rules that he wanted to apply immediately before accepting any
packet.  These would probably be just logging rules, such as

LOG:debug:LEIA  eth0 fw tcp  telnet          # log telnet in on ext
LOG:debug:LEIA  eth0 fw tcp  ssh             # log ssh    in on ext

Changing the logging rules would be very easy then.  I would create
a stock copy of this file with all various logging options that I
wanted; I would modify it by simply adding a ''#'' to lines for
logging
that was not desired.

One could apply a similar idea to dropped packets.

I also looked at some ideas using user defined variables (params), but
they do not seem to be allowed for the ACTION field.  The idea would
be to create a variable, LOGssh for example.  I would then write a rule

$LOGssh	eth0 fw tcp ssh

If I wanted logging, I would set LOGssh="ACCEPT:debug:string"; if not,
I
would set LOGssh=ACCEPT.

Anyway, if you have any thoughts or opinions on these comments, I would
be interested.

Thanks

Bert

Bert Buckley wrote:
> 
> Anyway, if you have any thoughts or opinions on these comments, I would
> be interested.
> 
My thoughts on logging all traffic using the LOG or ULOG targets are 
already well known on this list -- I think it''s a very bad idea.

a) There is no guaranteed delivery -- so just because a packet didn''t 
get logged doesn''t mean that it wasn''t processed. That makes
it useless
as an auditing facility.

b) These logging mechanisms are not light-weight -- they generate a lot 
of overhead (several orders of magnitude more processing is required to 
log the packets than to pass them!!!).

c) Consider some luser who sets this level of logging to a remote log 
(the logging packets get logged and those packets get logged and ...)

So official Shorewall releases will never contain code that makes this 
level of logging possible.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net