Dear all:

I'm using shorewall 2.0.3a (debian) w/ ULOG. shorewall starts ok, and the firewall is running, but nothing is printed on the logs.

I try, for example, to do a connection to a port that is opened on the server but closed by the FW and I get a connection refused. If I stop the firewall, this port is accessible from the outside.

I think I've followed all the steps on http://shorewall.net/shorewall_logging.html :

1) I've installed ulog 0.97-1, and configured it so it logs on /var/log/ulog.log
2) I've modified each appearance of "info" to "ULOG" in my config

st3:/etc/shorewall# grep ULOG *
policy:net all REJECT ULOG
policy:all all REJECT ULOG
shorewall.conf:LOGUNCLEAN=ULOG

What's going on here?

btw, when I run "shorewall check" I got a msg telling me that it's deprecated. what should I use instead?
Martin Sarsale wrote:

> Dear all:
>
> I'm using shorewall 2.0.3a (debian) w/ ULOG. shorewall starts ok, and the
> firewall is running, but nothing is printed on the logs.
>
> I try, for example, to do a connection to a port that is opened on the
> server but closed by the FW and I get a connection refused. If I stop
> the firewall, this port is accessible from the outside.
>
> I think I've followed all the steps on
> http://shorewall.net/shorewall_logging.html :
>
> 1) I've installed ulog 0.97-1, and configured it so it logs on
> /var/log/ulog.log
> 2) I've modified each appearance of "info" to "ULOG" in my config
>
> st3:/etc/shorewall# grep ULOG *
> policy:net all REJECT ULOG
> policy:all all REJECT ULOG
> shorewall.conf:LOGUNCLEAN=ULOG

That option isn't even in the 2.0.3a shorewall.conf (or at least it isn't in the one that *I* released).

> What's going on here?

If you "shorewall status | grep LOG" do you see rules with ULOG as the target?

> btw, when I run "shorewall check" I got a msg telling me that it's
> deprecated. what should I use instead?

The message doesn't say that "check" is deprecated -- it says "Don't complain if "check" doesn't find all of the errors in your configuration".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> > st3:/etc/shorewall# grep ULOG *
> > policy:net all REJECT ULOG
> > policy:all all REJECT ULOG
> > shorewall.conf:LOGUNCLEAN=ULOG
>
> That option isn't even in the 2.0.3a shorewall.conf (or at least it
> isn't in the one that *I* released).

oh! I upgraded from 1.2.x (debian stable) to 2.0.3a, this option comes from the 1.2.x config.

I guess I'm going to configure it from start, to see what happens

> > What's going on here?
>
> If you "shorewall status | grep LOG" do you see rules with ULOG as the
> target?

yes

st3:/lib/modules/2.4.26-1-686-smp/kernel# shorewall status |grep ULOG
    2   680 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
   57 18776 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
    1    60 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:REJECT:' queue_threshold 1

> > btw, when I run "shorewall check" I got a msg telling me that it's
> > deprecated. what should I use instead?
>
> The message doesn't say that "check" is deprecated -- it says "Don't
> complain if "check" doesn't find all of the errors in your configuration".

I'm sorry, I read from the man it was "unsupported" and I thought it was deprecated
Martin Sarsale wrote:

>>> st3:/etc/shorewall# grep ULOG *
>>> policy:net all REJECT ULOG
>>> policy:all all REJECT ULOG
>>> shorewall.conf:LOGUNCLEAN=ULOG
>>
>> That option isn't even in the 2.0.3a shorewall.conf (or at least it
>> isn't in the one that *I* released).
>
> oh! I upgraded from 1.2.x (debian stable) to 2.0.3a, this option comes
> from the 1.2.x config.
>
> I guess I'm going to configure it from start, to see what happens
>
>>> What's going on here?
>>
>> If you "shorewall status | grep LOG" do you see rules with ULOG as the
>> target?
>
> yes
>
> st3:/lib/modules/2.4.26-1-686-smp/kernel# shorewall status |grep ULOG

I asked that you grep for LOG, not ULOG but it looks like all logging rules are using ULOG (you might confirm that).

>     2   680 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
>     0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
>    57 18776 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
>     0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
>     1    60 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:REJECT:' queue_threshold 1

It looks like Shorewall is doing what it is supposed to do and I would look for the problem in the ulogd configuration.

-Tom
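A check that follows the advice above, added here as an example and not part of the thread or of Shorewall itself: it reads a `shorewall status` listing, confirms ULOG targets are loaded, and compares the netlink group they send to with the `nlgroup=` that ulogd is configured to read, so the Shorewall side and the ulogd side can be told apart. It assumes ulogd 1.x configuration syntax, and both the rule listing and the ulogd.conf below are constructed samples.

```shell
# Assumptions: "shorewall status" prints iptables -L -v -n format (target in
# field 3) and ulogd uses the 1.x "nlgroup=N" key under [global]; both samples are constructed.

sample_status() {   # modelled on the "shorewall status | grep ULOG" lines in the thread
cat <<'EOF'
    2   680 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
   57 18776 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
    1    60 ULOG  all  --  *  *  0.0.0.0/0  0.0.0.0/0  ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:REJECT:' queue_threshold 1
EOF
}

sample_ulogd_conf() {   # constructed ulogd 1.x style configuration (not the poster's file)
cat <<'EOF'
[global]
nlgroup=1
EOF
}

# Number of rules whose target is ULOG (field 3 of iptables -L -v -n output).
count_ulog_rules() { awk '$3 == "ULOG" { n++ } END { print n + 0 }'; }

# Distinct netlink groups the ULOG rules deliver packets to.
ulog_nlgroups() {
    awk '$3 == "ULOG" { for (i = 1; i < NF; i++) if ($i == "nlgroup") print $(i + 1) }' | sort -u
}

# First nlgroup= value in a ulogd.conf ($1).
ulogd_nlgroup() {
    sed -n 's/^[[:space:]]*nlgroup[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rule listing on stdin, ulogd.conf in $1. Succeeds only if ULOG rules are
# loaded and every one of them uses the group ulogd is configured to read.
check_ulog_match() {
    rules=$(cat)
    daemon_group=$(ulogd_nlgroup "$1")
    [ -n "$daemon_group" ] || { echo "no nlgroup= in $1"; return 1; }
    n=$(printf '%s\n' "$rules" | count_ulog_rules)
    [ "$n" -gt 0 ] || { echo "no ULOG rules loaded: the Shorewall side is the problem"; return 1; }
    rc=0
    for g in $(printf '%s\n' "$rules" | ulog_nlgroups); do
        [ "$g" = "$daemon_group" ] && continue
        echo "rules send to nlgroup $g but ulogd listens on nlgroup $daemon_group"
        rc=1
    done
    [ "$rc" -eq 0 ] && echo "$n ULOG rules, all on nlgroup $daemon_group: now check that ulogd is running and writing its output file"
    return $rc
}
```

On a live host, replace the sample with `shorewall status | check_ulog_match /etc/ulogd.conf`; a non-zero exit with the "no ULOG rules" message points at Shorewall, anything else points at ulogd.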
> It looks like Shorewall is doing what it is supposed to do and I would
> look for the problem in the ulogd configuration.

It seems to be a problem with Debian and ULOG. I'm running a mixed stable/backported from unstable system, so I can't be sure where's the real problem.

I've decided to stick with syslog: I wasn't very comfortable with the idea of installing another daemon just for sending iptables output to another file.

Anyway, I'm happy all this adventure forced me to learn about shorewall, which is great, IMHO :)