search for: logburst

I am running version 3.0.7 of Shorewall on a Debian Sarge system, but when I start Shorewall I get this: /usr/share/shorewall/firewall: line 204: 4: command not found I looked there and found this: # Run ip and if an error occurs, stop the firewall and quit # run_ip() { if ! ip $@ ; then if [ -z "$STOPPING" ]; then error_message "ERROR: Command \"ip

...for Shorewall :) I''m trying to get a simple config to work but i can''t seem to work out how to gain access via ssh to the protected remote machine. But that doesn''t surprise me really as i have just spend well over an hour to find how to limit the lograte AND fill in the logburst in shorewall.conf. I have specified a logfile (not messages) in shorewall.conf, but somehow it isn''t picked up when i try to debug restart shorewall. Also i can''t get ssh login when shorewall is running, although i have specified in rules: SSH/ACCEPT loc $FW...

...1 2 3 4 5 6 9 + command=start + ''['' 1 -ne 1 '']'' + do_initialize + export LC_ALL=C + LC_ALL=C + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + terminator=startup_error + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + LOGUNCLEAN= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + NAT_BEFORE_RULES= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVE...

Hi, which it is the better way to limit the logs of a single zone (es: limit log of net)? policy:net all DROP info 10/sec:40 Is this a good solution? Many thanks -- Dario Lesca <d.lesca@solinos.it>

...e number of accepted connections logged and the total number of Netfilter rules on the system (more rules, fewer connections logged), but this has not been extensively tested. We do the scan from a host on "loc" to a host on "net". The shorewall.conf file has: LOGRATE= LOGBURST= The rules file has: ACCEPT net $FW tcp ssh - ACCEPT:info dmz net tcp telnet,ftp,http,https,smtp - ACCEPT:info dmz net tcp domain,pop3,imap - ACCEPT dmz net...

Ok, I''ve flogged this issue probably longer than some of you can stand by now. (remember, I''m the nut trying to use a PPro200 to support ~500 users on a 10Mb internet link :o) To appease those who think I''m nuts, I am ordering a new firewall shortly to allow for future growth. (probably a Dell PE750 with P4/2.8 and dual GE nics.) However, since I have yet to prove

...ssh,auth ACCEPT $FW net udp ntp #[/etc/shorewall/shorewall.conf]-------------------------------------------- --- FW=fw SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall ALLOWRELATED="yes" MODULESDIR="" LOGRATE="1/minute" LOGBURST="5" LOGUNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMS...

.../16 logdrop # RFC 1918 /etc/shorewall/shorewall.conf ======================================================= [root@hn00dmz01 maint]# grep -v -e "^#" -e "^$" /etc/shorewall/shorewall.conf LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGRATE= LOGBURST= BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=info MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info BOGON_LOG_LEVEL=info PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/s...

...ssh,auth ACCEPT $FW net udp ntp #[/etc/shorewall/shorewall.conf]-------------------------------------------- --- FW=fw SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall ALLOWRELATED="yes" MODULESDIR="" LOGRATE="1/minute" LOGBURST="5" LOGUNCLEAN=info LOGFILE="/var/log/messages" NAT_ENABLED="Yes" MANGLE_ENABLED="Yes" IP_FORWARDING="On" ADD_IP_ALIASES="Yes" ADD_SNAT_ALIASES="No" TC_ENABLED="No" BLACKLIST_DISPOSITION=DROP BLACKLIST_LOGLEVEL= CLAMPMS...

...fw tcp 21,22,443 - routestopped: eth2 x.x.x.x eth2 y.y.y.y zones: fw firewall net ipv4 loc ipv4 shorewall.conf: (i think it''s default but not shure) STARTUP_ENABLED=Yes LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No LOGRATE= LOGBURST= LOGALLNEW= BLACKLIST_LOGLEVEL= MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info LOG_MARTIANS=No IPTABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" MODULESDIR= CONFIG_PATH=/etc/shorew...

...ll/rules: ACCEPT net fw icmp 8 ACCEPT fw net icmp ACCEPT net fw tcp 21,25,37,80,110,113,995,1024:3127,3129:65535 ACCEPT net fw udp 37,123,1024:65535 ACCEPT loc fw tcp 25,123,631 /etc/shorewall/shorewall.conf: LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No LOGRATE= LOGBURST= LOGALLNEW= BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=info MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info BOGON_LOG_LEVEL=info LOG_MARTIANS=No IPTABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="&qu...

...IMAP net fw #REDIRECT net 22 tcp 22 # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE SHOREWALL.CONF: ---------------------------------------------------------------------------- ------------------ LOGFILE=/var/log/firewall LOGFORMAT="Shorewall:%s:%s:" LOGRATE= LOGBURST= BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=info MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR=...

...VE zone: # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE And finally shorewall.conf: STARTUP_ENABLED=Yes VERBOSITY=1 SHOREWALL_COMPILER= LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGTAGONLY=No LOGRATE= LOGBURST= LOGALLNEW= BLACKLIST_LOGLEVEL= MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info LOG_MARTIANS=No IPTABLES= PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" MODULESDIR= CONFIG_PATH=/etc/shorew...

...ewall script has been modified to eliminate the error messages. 5) Interface-specific dynamic blacklisting chains are now displayed by "shorewall monitor" on the "Dynamic Chains" page (previously named "Dynamic Chain"). 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again. Migration Issues: 1) Once you have installed this version of Shorewall, you must restart Shorewall before you may use the ''drop'', ''reject'', ''allow'' or ''save'' commands. 2) To maintain strict compatibili...

...ewall script has been modified to eliminate the error messages. 5) Interface-specific dynamic blacklisting chains are now displayed by "shorewall monitor" on the "Dynamic Chains" page (previously named "Dynamic Chain"). 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again. 7) The ''shorewall reject'' and ''shorewall drop'' commands now delete any existing rules for the subject IP address before adding a new DROP or REJECT rule. Previously, there could be many rules for the same IP address in the dynamic chain...

...ewall script has been modified to eliminate the error messages. 5) Interface-specific dynamic blacklisting chains are now displayed by "shorewall monitor" on the "Dynamic Chains" page (previously named "Dynamic Chain"). 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again. 7) The ''shorewall reject'' and ''shorewall drop'' commands now delete any existing rules for the subject IP address before adding a new DROP or REJECT rule. Previously, there could be many rules for the same IP address in the dynamic chain...

...ver is basically a standalone machine on the internet, and its firewall is for its own services only. My shorewall.conf, without comments, is as follows: $ egrep -v ''^( *#)|^$'' shorewall.conf LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGLIMIT="" LOGBURST="" BLACKLIST_LOGLEVEL=info LOGNEWNOTSYN=info MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info BOGON_LOG_LEVEL=info PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" STATEDIR=/var/lib...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The original post was over 300,000kb so I didn''t spam the list with it -TE. | | | Thank you for your quick and helpful response. | | I didn''t understand that the virtual interface eth0:1 doesn''t count as a separate instance from eth0. | I am sorry to ask for further assistance and would appreciate any help. The error

I have what strikes me as an odd problem with shorewall. Let me describe my setup. My desktop (alfred) is connected to the network through an ADSL modem. I am running rp-pppoe, and this works perfectly. I have a small home network, with two LANs; an Ethernet LAN (including a machine running Windows XP), and a WiFi LAN, including the laptop (william) I am using now. All the computers except for

...the vpn-gateway,part2: 1 ipsec0 172.21.0.0/16 all #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE ------------------------------------------------------ * /etc/shorwall/shorewall.conf LOGFILE=/var/log/messages LOGFORMAT="Shorewall:%s:%s:" LOGRATE= LOGBURST= BLACKLIST_LOGLEVEL= LOGNEWNOTSYN=info MACLIST_LOG_LEVEL=info TCP_FLAGS_LOG_LEVEL=info RFC1918_LOG_LEVEL=info SMURF_LOG_LEVEL=info BOGON_LOG_LEVEL=info PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/s...