Hello,

I want not to log some dropped packets going from net to fw, i.e. to exclude some ports. For example, I get lots of denied SPT=4672 DPT=7476 packets in /var/log/messages. I know I can probably do this by using ulog or some other logging system and writing some rules to exclude "SPT=4672", but is it possible for shorewall not to log some ports? Sorry if it is obvious, but I didn't find it in docs. There is a LOG ACTION in rules, but I think I'd need something like that in policy file:

    #SOURCE   DEST   POLICY   LOG LEVEL   LOG PORTS
    net       fw     DROP     info        !4672,4673

I.e. to log everything, except ports 4672 and 4673 to info level (and to be able to specify both source and destination ports). Is it a good idea? :)

Regards,
Nerijus
Nerijus Baliunas wrote:
> There is a LOG ACTION in rules, but I think I'd
> need something like that in policy file:
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LOG PORTS
> net       fw     DROP     info        !4672,4673
>
> I.e. to log everything, except ports 4672 and 4673 to info level (and to
> be able to specify both source and destination ports). Is it a good idea? :)

I don't think so. There are already two ways to do what you want -- why would I want to spend my time implementing, documenting and supporting yet another way. The two ways are:

a) The solution given in the answer to FAQ #6b (shorewall.net/FAQ.htm#faq6b)

b) Blacklist in /etc/shorewall/blacklist the protocols and ports that you want to silently drop and set the following in shorewall.conf:

    BLACKLIST_DISPOSITION=DROP
    BLACKLIST_LOGLEVEL

I use solution b). See shorewall.net/myfiles.htm#id2452228.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ lists.shorewall.net/teastep.pgp.key
On Sun, 08 May 2005 17:27:52 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> a) The solution given in the answer to FAQ #6b
> (shorewall.net/FAQ.htm#faq6b)
>
> b) Blacklist in /etc/shorewall/blacklist the protocols and ports that
> you want to silently drop and set the following in shorewall.conf:
>
> BLACKLIST_DISPOSITION=DROP
> BLACKLIST_LOGLEVEL
>
> I use solution b). See shorewall.net/myfiles.htm#id2452228.

Sorry, I overlooked it. That fits my needs perfectly, thanks! As I understand, it's impossible to use source port in b), so I need to use a) like that if I want to block source ports:

    DROP   net   fw   udp   -   10619

?

Regards,
Nerijus
Nerijus Baliunas wrote:
> As I understand, it's impossible to use source port in b), so I need
> to use a) like that if I want to block source ports:
>
> DROP   net   fw   udp   -   10619
> ?

You are correct.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ lists.shorewall.net/teastep.pgp.key
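Before silencing ports in /etc/shorewall/blacklist or a rules-file DROP, it is worth tallying what the net2fw DROP entries in /var/log/messages actually contain, so that only the noisy port pairs get excluded. The following added example (not from the thread and not Shorewall's own code) parses constructed log lines in the Shorewall 2.x kernel-log format, counts drops per protocol/source-port/destination-port for one chain, and accepts an exclusion set matched against either side, which previews what the log would look like after the change.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages lines in the Shorewall 2.x log format
# (addresses and counts are made up; only the SPT/DPT values echo the thread).
SAMPLE_LOG = """\
May  8 17:20:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=UDP SPT=4672 DPT=7476 LEN=43
May  8 17:20:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.2 PROTO=UDP SPT=4672 DPT=7476 LEN=43
May  8 17:20:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.3 DST=203.0.113.2 PROTO=UDP SPT=10619 DPT=4673 LEN=50
May  8 17:20:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.2 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 SYN
May  8 17:20:05 fw kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.0.113.2 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=25
May  8 17:20:06 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=UDP SPT=4672 DPT=7476 LEN=43
"""

# "Shorewall:<chain>:<disposition>:" followed by the iptables KEY=VALUE fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # "OUT=" yields an empty value; bare flags (SYN) are skipped


def _port(value):
    """Convert a port field to int; None when absent (e.g. ICMP has no ports)."""
    return int(value) if value and value.isdigit() else None


def parse_line(line):
    """Return (chain, disposition, {field: value}) for a Shorewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("chain"), m.group("disp"), dict(KV_RE.findall(m.group("rest")))


def summarize_drops(log_text, chain="net2fw", exclude_ports=frozenset()):
    """Count DROP entries for one chain, keyed by (PROTO, SPT, DPT).

    Entries whose source OR destination port is in exclude_ports are skipped,
    which mirrors the wish in the thread to exclude ports on either side.
    Note that the /etc/shorewall/blacklist route matches destination ports
    only; a source-port exclusion needs a rules-file DROP as discussed above.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        log_chain, disposition, fields = parsed
        if log_chain != chain or disposition != "DROP":
            continue
        spt, dpt = _port(fields.get("SPT")), _port(fields.get("DPT"))
        if spt in exclude_ports or dpt in exclude_ports:
            continue
        counts[(fields.get("PROTO"), spt, dpt)] += 1
    return counts
```

Running `summarize_drops(open("/var/log/messages").read())` on a real host and then again with `exclude_ports={4672, 4673}` shows how much of the net2fw noise the proposed exclusion removes and what remains worth keeping in the log.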
On Sun, 08 May 2005 17:27:52 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> b) Blacklist in /etc/shorewall/blacklist the protocols and ports that
> you want to silently drop and set the following in shorewall.conf:
>
> BLACKLIST_DISPOSITION=DROP
> BLACKLIST_LOGLEVEL

BTW, it seems with blacklists I can solve the old problem with not dropping the existing connections when restarting firewall with new rules! For example, I restart shorewall with rules denying p2p access at 8 am, but existing connections still work. So if I use BLACKLISTNEWONLY=No (Consult blacklists for all packets) and put ports/hosts in /etc/shorewall/blacklist, existing p2p connections will be dropped, yes? If yes, it should be put in the FAQ (if not already there) :)

Regards,
Nerijus