Hi, I have Shorewall 1.4.5.

I would like to know if it's possible to see on the screen every packet that is dropped or rejected.

But I don't want any log written to the hard disk...

Is it possible?

I don't understand the very poor guide of:

7 debug
6 info
5 notice
4 warning
3 err
2 crit
1 alert
0 emerg

I don't find a guide that says what each option means.

Thanks
On Mon, 2003-09-29 at 08:20, Salvatore wrote:
> Hi, I have Shorewall 1.4.5.
>
> I would like to know if it's possible to see on the screen every packet that is dropped or rejected.
>
> But I don't want any log written to the hard disk...
>
> Is it possible?
>

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
There is a real messy way of doing it, Tom.

Use ulogd to log into /var/log/ulogd/ulogd.syslogemu.

Use tail -f to see the current entries, and cron to delete and replace the file on a regular basis, say once an hour or day. So at the instant you delete the file you won't have any log entries on the HD.

Richard

On Mon, 2003-09-29 at 15:33, Tom Eastep wrote:
> On Mon, 2003-09-29 at 08:20, Salvatore wrote:
> > Hi, I have Shorewall 1.4.5.
> >
> > I would like to know if it's possible to see on the screen every packet that is dropped or rejected.
> >
> > But I don't want any log written to the hard disk...
> >
> > Is it possible?
> >
>
> No.
>
> -Tom
--
Richard Bown <richard.bown@blueyonder.co.uk>
On Monday 29 September 2003 16:33, Tom Eastep wrote:
> On Mon, 2003-09-29 at 08:20, Salvatore wrote:
> > I would like to know if it's possible to see on the screen every packet
> > that is dropped or rejected.
> >
> > But I don't want any log written to the hard disk...
> >
> > Is it possible?
>
> No.

Yes it is :) Just use a syslog daemon like syslog-ng which can filter not only by facility but can also match on arbitrary strings. With syslog-ng you could just do this:

filter f_packets { match("shorewall") and match("DROP") };

and then use that filter to get the stuff to the console. And make a "not match..." condition on every other logfile that will log the facility that the netfilter code logs to.

Supposing you mark all dropped or rejected packets with "shorewall (something) DROP".

Alex
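A fuller version of what Alex sketches, as an added example that is not from this thread or from the Shorewall project. It assumes syslog-ng 1.x-era syntax, that Shorewall is left at its default log prefix of the form "Shorewall:<chain>:<disposition>:" (so matching on "Shorewall" plus "DROP"/"REJECT" selects exactly the packet entries), and that /dev/tty12 is an unused virtual console on the firewall. Both assumptions should be checked against the local shorewall.conf LOGFORMAT and the console layout before use.

```conf
# Added example (not from the thread). Assumes syslog-ng 1.x syntax, the
# default Shorewall log prefix "Shorewall:<chain>:<disposition>:", and a
# spare virtual console at /dev/tty12 (all assumptions).
options { use_dns(no); };

# Netfilter LOG entries come from the kernel ring buffer; ordinary
# daemon messages arrive on /dev/log.
source s_kernel { file("/proc/kmsg"); };
source s_local  { unix-stream("/dev/log"); internal(); };

# Shorewall drop/reject entries only.
filter f_packets {
    match("Shorewall") and (match("DROP") or match("REJECT"));
};

# Everything that is not a packet entry. A filter may call another
# filter by name, which keeps the two definitions in step.
filter f_not_packets { not filter(f_packets); };

# A tty is not a disk file: writing here leaves nothing under /var/log.
destination d_console { file("/dev/tty12"); };

# Packet entries go to the screen only.
log { source(s_kernel); filter(f_packets); destination(d_console); };

# The regular log file receives everything else, with the packet entries
# excluded so they never reach the disk.
destination d_messages { file("/var/log/messages"); };
log {
    source(s_kernel);
    source(s_local);
    filter(f_not_packets);
    destination(d_messages);
};
```

Switch to the console with Alt-F12 to watch the entries scroll by. The trade-off is the obvious one: entries that exist only on a screen are gone after a reboot or once they scroll off, so nothing is available later for working out what a dropped packet was part of; the usual disk log with the packet filter removed is the configuration to return to when that history is needed.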
On Mon, 2003-09-29 at 10:31, Alexander Gretencord wrote:
> On Monday 29 September 2003 16:33, Tom Eastep wrote:
> > On Mon, 2003-09-29 at 08:20, Salvatore wrote:
> > > I would like to know if it's possible to see on the screen every packet
> > > that is dropped or rejected.
> > >
> > > But I don't want any log written to the hard disk...
> > >
> > > Is it possible?
> >
> > No.
>
> Yes it is :) Just use a syslog daemon like syslog-ng which can filter not only
> by facility but can also match on arbitrary strings. With syslog-ng you could
> just do this:
>
> filter f_packets { match("shorewall") and match("DROP") };
>
> and then use that filter to get the stuff to the console. And make a "not
> match..." condition on every other logfile that will log the facility that
> the netfilter code logs to.
>
> Supposing you mark all dropped or rejected packets with "shorewall (something)
> DROP".
>

Thanks Alex -- I was just drafting a post which suggested that a solution might be available using syslog-ng.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom, is this off-topic?

I thought it would be handy if we could find somewhere on the shorewall site a list of common services and the means to limit the IP addresses and ports those services listen on. A page with information like that:

apache: file httpd.conf (usually at /etc/apache/conf/ ), directive Listen:

  Listen 10.10.10.10:80

to listen on more than one address/port, give one Listen line per address:

  Listen 10.10.10.10:80
  Listen 10.10.10.20:80

squid: file squid.conf (usually at /etc/squid/ ), directive http_port:

  http_port 10.10.10.10:3128

to listen on more than one address/port, give one http_port line per address:

  http_port 10.10.10.10:3128
  http_port 10.10.10.20:3128

proftpd: file proftpd.conf (usually at /etc/ ), standalone mode, directive SocketBindTight:

  Port 21
  DefaultAddress 10.10.10.10
  SocketBindTight on

inetd: There is a patch listed on the site (FAQ #4.16) but the doc says you should use xinetd, which gives you more control.

Bind: file named.conf (usually at /etc/ ), statement options, option listen-on:

  options {
      [...]
      listen-on { 10.10.10.10; 10.10.10.20; };
      [...]
  };

you could use this option in the zone statement, too.

and so on...

What do you think?

Sorry for my bad English. I hope someone else rewrites it before it goes (if it goes) online.

cheers,
Duda
On Mon, 2003-09-29 at 08:20, Salvatore wrote:
>
> I don't understand the very poor guide of:
>
> 7 debug
> 6 info
> 5 notice
> 4 warning
> 3 err
> 2 crit
> 1 alert
> 0 emerg
>
> I don't find a guide that says what each option means.

The topic of logging on Unix systems in general (and Linux systems in particular) is totally independent of Shorewall and is not documented further on the Shorewall site. The "very poor guide" gives you pointers to both syslog (8) and syslog.conf (5). These are references to syslog-related man pages which you can view using the "man" command at a shell prompt:

man 8 syslog
man 5 syslog.conf

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net