Hello shorewall-users,

I'm trying to send my firewall log files to the mail server, but the firewall keeps rejecting all attempts.

I have the mail server in the DMZ; I'm running 1.4.7-RC1.

The logfile entry is:

Jul 7 17:56:53 gw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=81.200.97.45 DST=10.18.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=111 DF PROTO=TCP SPT=48016 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

I don't know how to put in an ACCEPT because the "IN" interface is local.

Thanks for your help,
Graham

-- 
Graham K. Dodd
Director of Operations
Falk & Ross GmbH
Tel: 06301 717 0
Graham Dodd wrote:
> Hello shorewall-users,
>
> I'm trying to send my firewall log files to the mail server, but the
> firewall keeps rejecting all attempts
>
> I have the mail server in the DMZ, I'm running 1.4.7-RC1
>
> The logfile entry is:
>
> Jul 7 17:56:53 gw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=81.200.97.45 DST=10.18.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=111 DF PROTO=TCP SPT=48016 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>
> I don't know how to put in an ACCEPT because the "IN" interface is local

Any time that you have a question about a log message, please consult FAQ #17. There you would have found:

    If you see "IN=" with no interface name, the packet originated on the
    firewall itself.

If the packet originated on the firewall, then the source zone is the firewall zone $FW (whose value is usually 'fw'):

    ACCEPT $FW dmz tcp 25

Or if you are running Shorewall 2.0, you can use the somewhat more readable form:

    AllowSMTP $FW dmz

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hello Tom,

Wednesday, July 7, 2004, 7:06:57 PM, you wrote:

TE> Graham Dodd wrote:
>> Hello shorewall-users,
>>
>> I'm trying to send my firewall log files to the mail server, but the
>> firewall keeps rejecting all attempts
>>
>> I have the mail server in the DMZ, I'm running 1.4.7-RC1
>>
>> The logfile entry is:
>>
>> Jul 7 17:56:53 gw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
>> SRC=81.200.97.45 DST=10.18.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=111
>> DF PROTO=TCP SPT=48016 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>>
>> I don't know how to put in an ACCEPT because the "IN" interface is local

TE> Any time that you have a question about a log message, please consult
TE> FAQ #17. There you would have found:

TE>     If you see "IN=" with no interface name, the packet originated
TE>     on the firewall itself.

TE> If the packet originated on the firewall, then the source zone is the
TE> firewall zone $FW (whose value is usually 'fw'):

TE>     ACCEPT $FW dmz tcp 25

I've tried that, but for some reason it's trying to go out through eth0 (net).

Maybe a more general question: what's the best way to get logs from the firewall mailed to me?

-- 
Best regards,
Graham
mailto:g.dodd@falk-ross.de
On Thursday 08 July 2004 08:35, Graham Dodd wrote:
>> IN= OUT=eth0 SRC=81.200.97.45 DST=10.18.7.1 PROTO=TCP DPT=25
> I've tried that, but for some reason it's trying to go out through eth0
> (net)

Well, we don't know your configuration (what interfaces/IPs are assigned to which zones etc.), so you should obviously put the zone in which your destination is into the rule, maybe even something like

    ACCEPT fw somezone:10.18.7.1 tcp 25

> Maybe a more general question:
> what's the best way to get logs from the firewall mailed to me

Just let logrotate mail it to you if you're OK with daily logs. If you want realtime reporting, maybe log to an internal syslog server and run whatever frontend you want there, maybe even piping everything into a database.

Alex
Alexander Gretencord wrote:
> On Thursday 08 July 2004 08:35, Graham Dodd wrote:
>
>>> IN= OUT=eth0 SRC=81.200.97.45 DST=10.18.7.1 PROTO=TCP DPT=25
>>
>> I've tried that, but for some reason it's trying to go out through eth0
>> (net)
>
> Well, we don't know your configuration (what interfaces/IPs are assigned to
> which zones etc.), so you should obviously put the zone in which your
> destination is into the rule, maybe even something like
>
>     ACCEPT fw somezone:10.18.7.1 tcp 25
>
>> Maybe a more general question:
>> what's the best way to get logs from the firewall mailed to me
>
> Just let logrotate mail it to you if you're OK with daily logs. If you want
> realtime reporting, maybe log to an internal syslog server and run whatever
> frontend you want there, maybe even piping everything into a database.

And since the MTA on your firewall is trying to send the post via some MTA on the net, that's obviously what DNS and/or the MTA's configuration is set up for. The most obvious way to fix that is to configure the MTA on the firewall to forward all mail through the MTA in your DMZ.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
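The two diagnostic steps in this thread (Tom's FAQ #17 point that an empty IN= marks a packet generated by the firewall itself, and his later observation that the packet for the DMZ host was leaving via the net interface) can be automated. The following is an added example written for this page, not code from the Shorewall project or from any participant. It parses a Shorewall/netfilter log line, derives the source and destination zones the way Shorewall does (from the IN= and OUT= interfaces, with empty IN= meaning $FW), emits the matching 1.4-style rules entry, and warns when the DST address lies in a different zone's network than the OUT interface implies, which is exactly the mismatch that made `ACCEPT $FW dmz tcp 25` ineffective here. The interface-to-zone map (eth0=net, eth1=loc, eth2=dmz) and the zone networks are assumptions; the thread never states Graham's actual interfaces file.

```python
"""Classify a Shorewall REJECT/DROP log line by zone and suggest a rule.

Added example for this thread; not Shorewall code. The zone layout below is
assumed for illustration only.
"""
import ipaddress
import re

# Assumed interface -> zone mapping (Graham's real interfaces file is unknown).
IFACE_ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# Assumed networks behind each non-net zone; 10.18.7.0/24 holds the DMZ
# mail server 10.18.7.1 from the log entry.
ZONE_NETS = {
    "loc": [ipaddress.ip_network("192.168.1.0/24")],
    "dmz": [ipaddress.ip_network("10.18.7.0/24")],
}

# Log line copied from the thread (DPT rejoined where the mail wrapped it).
SAMPLE_LOG = (
    "Jul 7 17:56:53 gw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
    "SRC=81.200.97.45 DST=10.18.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=111 DF "
    "PROTO=TCP SPT=48016 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Constructed second sample: a LAN host talking to the DMZ mail server via
# the correct interface, so no zone mismatch is expected.
SAMPLE_LOG_LOC = (
    "Jul 7 18:02:11 gw kernel: Shorewall:loc2dmz:REJECT:IN=eth1 OUT=eth2 "
    "SRC=192.168.1.20 DST=10.18.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF "
    "PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Shorewall's LOG prefix: "Shorewall:<chain>:<disposition>:" then netfilter fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):")


def parse_shorewall_log(line):
    """Return the prefix fields plus every netfilter KEY=VALUE token.

    Bare flags such as DF and SYN are stored as True. "IN=" with nothing
    after it is stored as the empty string, which is the FAQ #17 case.
    """
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(m.groupdict())
    for tok in line[m.end():].split():
        key, sep, value = tok.partition("=")
        fields[key] = value if sep else True
    return fields


def zone_for_interface(iface):
    """Shorewall assigns zones per interface; no interface means the firewall."""
    if iface == "":
        return "$FW"
    return IFACE_ZONES.get(iface, "unknown")


def zone_for_address(addr):
    """Which assumed zone network contains this address, or None (e.g. public IPs)."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONE_NETS.items():
        if any(ip in net for net in nets):
            return zone
    return None


def diagnose(line):
    """Derive zones, build the rules-file line, and flag interface/address mismatch."""
    f = parse_shorewall_log(line)
    src_zone = zone_for_interface(f.get("IN", ""))
    dst_zone = zone_for_interface(f.get("OUT", ""))
    proto = str(f.get("PROTO", "")).lower()
    rule = f"ACCEPT\t{src_zone}\t{dst_zone}\t{proto}\t{f.get('DPT', '-')}"

    warning = None
    expected = zone_for_address(f["DST"]) if "DST" in f else None
    if expected and expected != dst_zone:
        # The rule above would open the wrong zone: the packet is routed out of
        # an interface that does not serve the destination's network.
        warning = (f"DST {f['DST']} belongs to zone '{expected}' but the packet is "
                   f"leaving via {f.get('OUT')} ({dst_zone}); fix routing or the "
                   f"sending service's relay target instead of opening {dst_zone}")
    return {"fields": f, "src_zone": src_zone, "dst_zone": dst_zone,
            "rule": rule, "warning": warning}


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_LOC):
        result = diagnose(sample)
        print(result["rule"])
        if result["warning"]:
            print("WARNING:", result["warning"])
```

For the line from the thread this yields `ACCEPT  $FW  net  tcp  25` together with the warning, which is the right reading: the literal rule that would silence the log is a hole from the firewall to the Internet on port 25, and the real fix is the one Tom gives, pointing the firewall's MTA at the DMZ relay so the traffic leaves via the DMZ interface and the `$FW dmz` rule matches.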
Tom Eastep wrote:
> ...
>>> Maybe a more general question:
>>> what's the best way to get logs from the firewall mailed to me
>> ...
>
> And since the MTA on your firewall is trying to send the post via some
> MTA on the net, that's obviously what DNS and/or the MTA's configuration
> is set up for. The most obvious way to fix that is to configure the MTA
> on the firewall to forward all mail through the MTA in your DMZ.

That is the way I configure all my firewalls, and I have found it to be the most trouble-free method.

Paul