I'm using Shorewall 2.4.0 under Fedora Core 4. I'm using ULOG to log my firewall's dropped connections, but I want to drop a couple ports silently as they're taking up too much log space. According to the rules file:

"The ACTION may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or DNAT:debug). This causes the packet to be logged at the specified level.... The special log level 'none!' suppresses logging by the action."

So I tried the following:

    DROP:none!    net    loc    udp    6981

However this does not work... shorewall crashes upon restart:

    [root@firewall ~]# service shorewall restart
    Restarting shorewall: iptables v1.3.0: log-level `none' unknown
    Try `iptables -h' or 'iptables --help' for more information.
       ERROR: Command "/sbin/iptables -A net2loc -p tcp --dport 6981 -j LOG --log-level none --log-prefix "Shorewall:net2loc:DROP:"" Failed
    /etc/init.d/functions: line 83:  3350 Terminated              $nice $*
                                                               [FAILED]

Am I reading this totally wrong, or is this a bug? I should note that using the DROP without the none! works properly; however the drops are still all logged, so it really doesn't fix my problem.

Thanks,
Matt
> I'm using Shorewall 2.4.0 under Fedora Core 4. I'm using ULOG to log my
> firewall's dropped connections, but I want to drop a couple ports silently
> as they're taking up too much log space. According to the rules file: "The
> ACTION may optionally be followed by ":" and a syslog log level (e.g,
> REJECT:info or DNAT:debug). This causes the packet to be logged at the
> specified level.... The special log level 'none!' suppresses logging by the
> action."
>
> So I tried the following:
> DROP:none!    net    loc    udp    6981
>
> However this does not work... shorewall crashes upon restart:
>
> [root@firewall ~]# service shorewall restart
> Restarting shorewall: iptables v1.3.0: log-level `none' unknown Try
> `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -A net2loc -p tcp --dport 6981 -j LOG
> --log-level none --log-prefix "Shorewall:net2loc:DROP:"" Failed
> /etc/init.d/functions: line 83:  3350 Terminated $nice $*
>    [FAILED]
>
>
> Am I reading this totally wrong, or is this a bug? I should note that using
> the DROP without the none! works properly; however the drops are still all
> logged, so it really doesn't fix my problem.
>
> Thanks,
> Matt
>

Here's the whole blurb:

#       If the ACTION names an action defined in
#       /etc/shorewall/actions or in
#       /usr/share/shorewall/actions.std then:
#
#       - If the log level is followed by "!' then all rules
#         in the action are logged at the log level.
#
#       - If the log level is not followed by "!" then only
#         those rules in the action that do not specify
#         logging are logged at the specified level.
#
#       - The special log level 'none!' suppresses logging
#         by the action.
#

Think you can only use 'none!' with a pre-defined action like: action.DropSMB, action.AllowPing.

try:

    DROP    net    loc    udp    6981

Jerry
Matt "Cyber Dog" LaPlante wrote:
> ...
> However this does not work... shorewall crashes upon restart:
>
> [root@firewall ~]# service shorewall restart
> Restarting shorewall: iptables v1.3.0: log-level `none' unknown Try
> `iptables -h' or 'iptables --help' for more information.
>    ERROR: Command "/sbin/iptables -A net2loc -p tcp --dport 6981 -j LOG
> --log-level none --log-prefix "Shorewall:net2loc:DROP:"" Failed
> /etc/init.d/functions: line 83:  3350 Terminated $nice $*
>    [FAILED]
>
>
> Am I reading this totally wrong, or is this a bug? I should note that using
> the DROP without the none! works properly; however the drops are still all
> logged, so it really doesn't fix my problem.

I think it's a bug that it crashes shorewall. Would you mind sending me a copy of your config so I can try to patch it?

--
Paul <http://paulgear.webhop.net>
--
Did you know? Microsoft Internet Explorer and Outlook have a poor track record for security <http://www.kb.cert.org/vuls/id/713878>. Why not try one of the more secure alternatives from <http://mozilla.org>?
Matt "Cyber Dog" LaPlante wrote:
> ...
>> Matt "Cyber Dog" LaPlante wrote:
>>
>>> ...
>>> However this does not work... shorewall crashes upon restart:
>>>
>>> [root@firewall ~]# service shorewall restart
>>> Restarting shorewall: iptables v1.3.0: log-level `none' unknown Try
>>> `iptables -h' or 'iptables --help' for more information.
>>>    ERROR: Command "/sbin/iptables -A net2loc -p tcp --dport 6981 -j LOG
>>> --log-level none --log-prefix "Shorewall:net2loc:DROP:"" Failed
>>> /etc/init.d/functions: line 83:  3350 Terminated $nice $*
>>>    [FAILED]
>>>
>>>
>>> Am I reading this totally wrong, or is this a bug? I should note
>>> that using the DROP without the none! works properly; however the
>>> drops are still all logged, so it really doesn't fix my problem.
>>
>> I think it's a bug that it crashes shorewall. Would you mind sending me
>> a copy of your config so I can try to patch it?

Hi Matt,

Please find attached a patch to /usr/share/shorewall/firewall. It has received /minimal/ testing on my network, but appears to fix the problem of Shorewall crashing.

Note that what you are trying to achieve should be done via "DROP:none", not "DROP:none!", as per the following extract from the rules file. (The log level 'none!' only applies to custom actions, not to the inbuilt 'DROP', 'REJECT', etc.)

#       The ACTION may optionally be followed
#       by ":" and a syslog log level (e.g, REJECT:info or
#       DNAT:debug). This causes the packet to be
#       logged at the specified level.
#
#       If the ACTION names an action defined in
#       /etc/shorewall/actions or in
#       /usr/share/shorewall/actions.std then:
#
#       - If the log level is followed by "!' then all rules
#         in the action are logged at the log level.
#
#       - If the log level is not followed by "!" then only
#         those rules in the action that do not specify
#         logging are logged at the specified level.
#
#       - The special log level 'none!' suppresses logging
#         by the action.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Most email-borne viruses use a false sender address, so you cannot track down the sender using that address. Instead, keep your virus scanning software up-to-date and just delete any suspicious emails you receive.
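To make the distinction in the rules-file extract above concrete, here is a small Python model of the ACTION[:level[!]] syntax, added as an illustration for readers of the archive. It is not Shorewall's code: the sets of built-in and user-defined actions, the LogSpec structure and the treatment of a bare "none" on a user-defined action are assumptions made for the example. It shows why "DROP:none" yields no LOG rule at all, while "DROP:none!" is rejected up front instead of being handed to iptables as "--log-level none".

```python
"""Model of Shorewall's ACTION[:level[!]] rule syntax, as described in the
rules-file extract quoted in this thread.  Added example, not Shorewall code:
the action sets, LogSpec and the bare-'none'-on-custom-action case are
assumptions made for illustration."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed for the example: actions Shorewall provides directly, i.e. not
# defined in /etc/shorewall/actions or /usr/share/shorewall/actions.std.
BUILTIN_ACTIONS = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "CONTINUE"}

# Assumed for the example: names that would appear in the actions files.
CUSTOM_ACTIONS = {"DropSMB", "AllowPing"}

# Syslog level names the iptables LOG target accepts (numeric 0-7 also allowed).
SYSLOG_LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}

_ACTION_RE = re.compile(r"^(?P<action>[A-Za-z]+)(?::(?P<level>[A-Za-z0-9]+)(?P<bang>!)?)?$")


@dataclass(frozen=True)
class LogSpec:
    action: str
    level: Optional[str]  # level to pass to the LOG target, or None for no logging
    scope: str            # "none", "rule", "all-rules", "unlogged-rules" or "action-default"


def _check_level(level: str) -> str:
    """Accept only levels the LOG target understands; 'none' never reaches here."""
    if level in SYSLOG_LEVELS or (level.isdigit() and 0 <= int(level) <= 7):
        return level
    raise ValueError(f"unknown log level {level!r}")


def parse_action(field: str) -> LogSpec:
    """Interpret the ACTION column of a rules-file line.

    Raises ValueError for combinations that cannot become a valid iptables
    LOG rule, which is how 'DROP:none!' should be caught at compile time.
    """
    m = _ACTION_RE.match(field)
    if not m:
        raise ValueError(f"malformed ACTION field: {field!r}")
    action, level, bang = m.group("action"), m.group("level"), bool(m.group("bang"))

    if action in BUILTIN_ACTIONS:
        if bang:
            # '!' is defined only for actions from the actions files; refusing it
            # here keeps '--log-level none' from ever being passed to iptables.
            raise ValueError(f"{field!r}: '!' is only valid with a user-defined action")
        if level is None or level == "none":
            return LogSpec(action, None, "none")          # e.g. DROP:none -> silent drop
        return LogSpec(action, _check_level(level), "rule")  # e.g. REJECT:info

    if action in CUSTOM_ACTIONS:
        if level is None:
            return LogSpec(action, None, "action-default")
        if level == "none":
            # 'none!' suppresses all logging by the action.  A bare 'none' is
            # assumed (for this example) to leave the action's own rules alone.
            return LogSpec(action, None, "none" if bang else "action-default")
        return LogSpec(action, _check_level(level), "all-rules" if bang else "unlogged-rules")

    raise ValueError(f"unknown action {action!r}")


def log_target_args(spec: LogSpec, chain: str) -> Optional[List[str]]:
    """Arguments for the LOG rule Shorewall would emit, or None when nothing is logged.

    The prefix format mirrors the one visible in the error output in this thread.
    """
    if spec.level is None:
        return None
    return ["-j", "LOG", "--log-level", spec.level,
            "--log-prefix", f"Shorewall:{chain}:{spec.action}:"]


if __name__ == "__main__":
    # The two ACTION fields discussed in the thread, plus a logged REJECT.
    for field in ("DROP:none", "REJECT:info", "DropSMB:none!", "DROP:none!"):
        try:
            spec = parse_action(field)
            print(f"{field:14s} -> {spec.scope:15s} {log_target_args(spec, 'net2loc')}")
        except ValueError as exc:
            print(f"{field:14s} -> rejected: {exc}")
```

Run as a script it walks through the fields from the thread; the rejected "DROP:none!" case is the one that, in 2.4.0, instead surfaced as the iptables error Matt reported.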
Paul Gear wrote:
> ...
> Please find attached a patch to /usr/share/shorewall/firewall. It has
> received /minimal/ testing on my network, but appears to fix the problem
> of Shorewall crashing.
> ...
> Note that what you are trying to achieve should be done via "DROP:none",
> not "DROP:none!", as per the following extract from the rules file.
> (The log level 'none!' only applies to custom actions, not to the
> inbuilt 'DROP', 'REJECT', etc.)

For the benefit of newbies reading the archives, the customary way to apply a patch like this is to save it in /tmp on your Shorewall system and run:

    cd /usr/share/shorewall
    patch --backup < /tmp/firewall.patch

This will change /usr/share/shorewall/firewall to be the patched version, and save the original as /usr/share/shorewall/firewall.orig so you can revert to it easily.

--
Paul <http://paulgear.webhop.net>
--
Did you know? OpenOffice.org has built-in PDF creation. Better yet, it's compatible with Microsoft Office, and free! Find out more at <http://www.openoffice.org>.