I have tried (RH7.3/shorewall-1.3.12-1) both of the following in
shorewall.conf to eliminate 'rfc1918' logging into
/var/log/messages:
RFC1918_LOG_LEVEL=debug
RFC1918_LOG_LEVEL=notice
Neither appears to eliminate the logging.
Here's what the 'logdrop' chain shows:
1 229 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix \
`Shorewall:rfc1918:DROP:'
Shouldn't the "level" be either a `7' or a
`5' instead of `6'? (BTW,
what is meant by a "higher syslog level"? Is `7'
"higher" than `5'?)
Also, here's a relevant subset of my syslog.conf:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Any ideas are appreciated!
-Kenneth
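As an added illustration (an editor's example, not Shorewall code and not something posted in this thread): the LOG rule quoted above logs at level 6, which is syslog priority "info". Syslog numbers priorities 0 (emerg) through 7 (debug), with lower numbers being more severe, so "higher" in the syslog.conf comment ("info or higher") means "info or more severe", i.e. 6 or a smaller number. Netfilter LOG messages arrive on the kern facility (an assumption about the kernel, not stated in the thread), so a selector like `*.info` catches level 5 and level 6 but not level 7. The script below parses the quoted rule line and the quoted syslog.conf fragment and reports which actions a kern message at a given level would reach; the inputs are copied from the message above.

```python
import re

# Syslog priorities as numbered by syslog(3): index 0 is the most severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The logdrop rule as shown by 'iptables -L -v -n' in the message above.
IPTABLES_RULE = ("1 229 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 "
                 "LOG flags 0 level 6 prefix `Shorewall:rfc1918:DROP:'")

# The syslog.conf subset quoted above (comments dropped, whitespace normalised).
SYSLOG_CONF = """\
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                           /var/log/secure
mail.*                                               /var/log/maillog
cron.*                                               /var/log/cron
*.emerg                                              *
uucp,news.crit                                       /var/log/spooler
local7.*                                             /var/log/boot.log
"""


def parse_log_level(rule_line):
    """Return the numeric syslog level of a LOG rule line, e.g. 6 for 'level 6'."""
    m = re.search(r"\bLOG flags \d+ level (\d)\b", rule_line)
    if m is None:
        raise ValueError("no LOG level in rule line")
    return int(m.group(1))


def level_name(level):
    """Map 0..7 to its syslog priority name (6 -> 'info', 7 -> 'debug')."""
    return PRIORITIES[level]


def parse_syslog_conf(text):
    """Parse 'selector action' lines into [([(facility, priority), ...], action), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        pairs = []
        for part in selector.split(";"):
            facilities, priority = part.rsplit(".", 1)
            for facility in facilities.split(","):
                pairs.append((facility, priority))
        rules.append((pairs, action.strip()))
    return rules


def selector_matches(facility, priority, msg_facility, level):
    """True/False if this selector decides the message, None if it does not apply.

    'X.info' matches priority info (6) and everything more severe (smaller
    numbers); that is what 'info or higher' means in the syslog.conf comment.
    """
    if facility != "*" and facility != msg_facility:
        return None
    if priority == "none":
        return False
    if priority == "*":
        return True
    return level <= PRIORITIES.index(priority)


def destinations(msg_facility, level, conf_text=SYSLOG_CONF):
    """Actions (files or '*') that receive a message with this facility and level.

    Within one line, later selectors override earlier ones for the same
    facility, which is how 'mail.none' carves mail out of '*.info'.
    """
    targets = []
    for pairs, action in parse_syslog_conf(conf_text):
        decision = None
        for facility, priority in pairs:
            verdict = selector_matches(facility, priority, msg_facility, level)
            if verdict is not None:
                decision = verdict
        if decision:
            targets.append(action)
    return targets


if __name__ == "__main__":
    level = parse_log_level(IPTABLES_RULE)
    print("rule logs at level", level, "=", level_name(level))
    # Netfilter LOG messages are emitted on the 'kern' facility (assumption).
    for lvl in (5, 6, 7):
        print("kern.%s -> %s" % (level_name(lvl), destinations("kern", lvl) or "nowhere"))
```

Running it shows that a kern message at level 5 or 6 goes to /var/log/messages under this syslog.conf, while level 7 (debug) goes nowhere, which is why only a debug setting that actually reaches the LOG rule would silence the rfc1918 lines in that file.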
--On Friday, January 03, 2003 12:29:24 PM -0500 Kenneth Jacker <khj@be.cs.appstate.edu> wrote:

> I have tried (RH7.3/shorewall-1.3.12-1) both of the following in
> shorewall.conf to eliminate 'rfc1918' logging into /var/log/messages:
>
> RFC1918_LOG_LEVEL=debug
> RFC1918_LOG_LEVEL=notice
>
> Neither appears to eliminate the logging.
>
> Here's what the 'logdrop' chain shows:
>
> 1 229 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix \
> `Shorewall:rfc1918:DROP:'
>
> Shouldn't the "level" be either a `7' or a `5' instead of `6'? (BTW,
> what is meant by a "higher syslog level"? Is `7' "higher" than `5'?)

The attached patch should correct the problem.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewall.patch
Type: application/octet-stream
Size: 539 bytes
Desc: not available
Url : http://wookie.shorewall.net/pipermail/shorewall-users/attachments/20030103/463216cf/firewall.obj
>> I have tried (RH7.3/shorewall-1.3.12-1) both of the following in
>> shorewall.conf to eliminate 'rfc1918' logging into /var/log/messages:
>>
>> RFC1918_LOG_LEVEL=debug
>> RFC1918_LOG_LEVEL=notice
>>
>> Neither appears to eliminate the logging.

[snip, snip, ...]

tom> The attached patch should correct the problem.

Yes, that worked!

I'm using the 'debug' level, and no 'rfc1918' log lines are appearing.

Thanks,
-Kenneth
--On Friday, January 03, 2003 03:21:43 PM -0500 Kenneth Jacker <khj@be.cs.appstate.edu> wrote:

> tom> The attached patch should correct the problem.
>
> Yes, that worked!
>
> I'm using the 'debug' level, and no 'rfc1918' log lines are appearing.

To totally suppress RFC 1918 logging, you can also simply replace all
instances of 'logdrop' with 'DROP' in /etc/shorewall/rfc1918.

-Tom
tom> To totally suppress RFC 1918 logging, you can also simply replace all
tom> instances of 'logdrop' with 'DROP' in /etc/shorewall/rfc1918.

Yikes, now I'm totally confused!

Maybe I'm using the RFC1918_LOG_LEVEL feature for the wrong reason.

Why did you add it?

What might be a reason to change the RFC1918_LOG_LEVEL instead of just
modifying /etc/shorewall/rfc1918?

-Kenneth
--On Friday, January 03, 2003 03:41:08 PM -0500 Kenneth Jacker <khj@be.cs.appstate.edu> wrote:

> tom> To totally suppress RFC 1918 logging, you can also simply replace all
> tom> instances of 'logdrop' with 'DROP' in /etc/shorewall/rfc1918.
>
> Yikes, now I'm totally confused!
>
> Maybe I'm using the RFC1918_LOG_LEVEL feature for the wrong reason.
>
> Why did you add it?
>
> What might be a reason to change the RFC1918_LOG_LEVEL instead of just
> modifying /etc/shorewall/rfc1918?

You might want to log the messages using ULOG...

-Tom
--On Friday, January 03, 2003 12:47:05 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> You might want to log the messages using ULOG...

When I was designing the ULOG facility, my first inclination was to simply
add something to shorewall.conf like:

USE_ULOG=Yes

When I realized that ULOG doesn't support the concept of message
priority/level, it occurred to me that if USE_ULOG=Yes then each place in
the configuration where a syslog level can be specified becomes like a knob
with its set screw missing. So while it is a little less convenient to be
required to specify ULOG in multiple places, handling ULOG like a special
syslog priority/level seems more consistent to me.

Given that the RFC 1918 logging level couldn't previously be altered, I
added RFC1918_LOG_LEVEL just so those messages could be directed to ULOG; I
obviously didn't test the non-ULOG case well :-(

-Tom