Chris Hennings
2003-Jul-19 05:41 UTC
[Shorewall-users] Logging with a Single IP address setup - Newbie confusion
Hi All,

Issue: My Syslog logging doesn't seem to work for REJECT / DROP policies

Context: Shorewall version 1.4.4b on a single IP address setup

Diagnosis: Default /etc/shorewall/common.def triggers a DROP prior to policy based -j LOG actions

For example selected lines (from the generated iptables) ...

The net2all policy:

a) -A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
b) -A net2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j newnotsyn
c) -A net2all -j common
d) -A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
e) -A net2all -j DROP

allied to:

f) -A common -d 255.255.255.255 -j DROP
g) -A common -d 224.0.0.0/240.0.0.0 -j DROP
h) -A common -p tcp -m tcp --dport 113 -j reject
i) -A common -p udp -m udp --sport 53 -m state --state NEW -j DROP
j) -A common -d xxx.xxx.xxx.xxx -j DROP

The jump at (c) means that (j), where xxx.xxx.xxx.xxx is the auto generated value from interfaces (in my case via detect) and of course is the single ip address, means that all net2all stuff will be dropped here such that logging at (d) never occurs.

Resolution: add "run_iptables -A common -j RETURN" as the last line of /etc/shorewall/common (including common.def as instructed). This effectively results in:

i) -A common -p udp -m udp --sport 53 -m state --state NEW -j DROP
j) -A common -j RETURN
k) -A common -d xxx.xxx.xxx.xxx -j DROP

the auto generated DROP is bypassed and syslog logging now acts as expected.

Apologies if this has been covered elsewhere and of course comments to any glaring idiocies and dangers in the above would be appreciated.

For interest - why is the interface broadcast address dropped anyway?

Best regards,
Chris
Tom Eastep
2003-Jul-19 06:55 UTC
[Shorewall-users] Logging with a Single IP address setup - Newbie confusion
On Sat, 2003-07-19 at 05:44, Chris Hennings wrote:
> Hi All,
>
> Issue: My Syslog logging doesn't seem to work for REJECT / DROP policies
>
> Context: Shorewall version 1.4.4b on a single IP address setup
>
> Diagnosis: Default /etc/shorewall/common.def triggers a DROP prior to policy
> based -j LOG actions
>
> For example selected lines (from the generated iptables) ...
>
> The net2all policy:
>
> a) -A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT
> b) -A net2all -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK
> SYN -j newnotsyn
> c) -A net2all -j common
> d) -A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
> e) -A net2all -j DROP
>
> allied to:
>
> f) -A common -d 255.255.255.255 -j DROP
> g) -A common -d 224.0.0.0/240.0.0.0 -j DROP
> h) -A common -p tcp -m tcp --dport 113 -j reject
> i) -A common -p udp -m udp --sport 53 -m state --state NEW -j DROP
> j) -A common -d xxx.xxx.xxx.xxx -j DROP
>
> The jump at (c) means that (j) where xxx.xxx.xxx.xxx is the auto generated
> value from interfaces (in my case via detect) and of course is the single ip
> address means that all net2all stuff will be dropped here such that logging
> at (d) never occurs.

It is the BROADCAST address, not the IP address of the interface.

> Resolution: add "run_iptables -A common -j RETURN" as the last line of
> /etc/shorewall/common (including common.def as instructed). This effectively
> results in:
>
> i) -A common -p udp -m udp --sport 53 -m state --state NEW -j DROP
> j) -A common -j RETURN
> k) -A common -d xxx.xxx.xxx.xxx -j DROP
>
> the auto generated DROP is bypassed and syslog logging now acts as expected.

Resolution: Replace "detect" by "-" in /etc/shorewall/interfaces if you want to see all broadcasts logged.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
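A constructed example, not code from this thread or from Shorewall: a small Python simulator of the chain traversal quoted above (rules (c) to (j)), showing that with the rule Shorewall derives from "detect" a packet to the interface's broadcast address is dropped silently inside the common chain before net2all's LOG rule, that unicast traffic is unaffected (Tom's point that (j) matches the broadcast address, not the host address), and that either the RETURN workaround or replacing "detect" with "-" lets the broadcast drop reach the LOG rule. The 203.0.113.0/24 addresses are assumed sample values.

```python
import ipaddress

TERMINATING = {"ACCEPT", "DROP", "reject"}  # 'reject' is Shorewall's REJECT helper chain

def rule(target, dst=None, proto=None, dport=None, sport=None):
    # Only dst/proto/port matches are modelled; state and tcp-flags matches are irrelevant here.
    return {"target": target, "dst": ipaddress.ip_network(dst) if dst else None,
            "proto": proto, "dport": dport, "sport": sport}

def build_chains(broadcast, with_return=False):
    """broadcast: address Shorewall placed in rule (j) from 'detect'; None models
    replacing 'detect' with '-' so that no such rule is generated."""
    common = [rule("DROP", dst="255.255.255.255/32"),       # (f)
              rule("DROP", dst="224.0.0.0/240.0.0.0"),      # (g)
              rule("reject", proto="tcp", dport=113),       # (h)
              rule("DROP", proto="udp", sport=53)]          # (i)
    if with_return:
        common.append(rule("RETURN"))                        # the poster's workaround
    if broadcast:
        common.append(rule("DROP", dst=f"{broadcast}/32"))  # (j), auto-generated
    net2all = [rule("common"), rule("LOG"), rule("DROP")]   # (c), (d), (e)
    return {"common": common, "net2all": net2all}

def matches(r, pkt):
    if r["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    return all(r[k] is None or pkt.get(k) == r[k] for k in ("proto", "dport", "sport"))

def walk(chains, name, pkt, log):
    """Return (verdict, chain) on a terminating target, else None (end of chain or RETURN)."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        t = r["target"]
        if t == "LOG":                         # non-terminating: record, keep going
            log.append(f"Shorewall:{name}:DROP:")
        elif t == "RETURN":
            return None
        elif t in TERMINATING:
            return t, name
        else:                                  # jump into a user-defined chain
            verdict = walk(chains, t, pkt, log)
            if verdict:
                return verdict
    return None

def simulate(pkt, broadcast, with_return=False):
    log = []                                   # what would have reached syslog
    return walk(build_chains(broadcast, with_return), "net2all", pkt, log), log
```

simulate() returns the terminating verdict together with the chain that issued it and the list of LOG entries that would have been written; an empty list with a common-chain DROP is exactly the silent drop described in the first post.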
Tom Eastep
2003-Jul-19 07:00 UTC
[Shorewall-users] Logging with a Single IP address setup - Newbie confusion
On Sat, 2003-07-19 at 05:44, Chris Hennings wrote:
>
> For interest - why is the interface broadcast address dropped anyway?
>

Otherwise, the volume of newbie posts reporting that their systems are under constant attack soars... For the most part, that's why all of the rules in the common chain are there.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net