Hi Folks

Merry Christmas and all that.

I am running the latest development release of shorewall. I just did an upgrade from Shorewall 2.4 and continued using my older config files.

One of my rules in my rules file is:

AllowPing:info net $FW

This allows ICMP to work on my external FW interface. However, in 2.4 the ":info" bit would ensure that every ICMP request was logged. However, under the latest shorewall version none of the ICMP requests are being logged whether they are dropped (i.e. I remove the rule) or whether they are accepted (i.e. the rule remains as is).

Any ideas on what I am doing wrong?

Regards,
Mark

On Friday 23 December 2005 17:35, Mark Vos wrote:
> I am running the latest development release of shorewall. I just did an
> upgrade from Shorewall 2.4 and continued using my older config files.

There is no "latest development release". The current development series is 3.1 and there have been no files yet released into that series.

> This allows ICMP to work on my external FW interface. However, in 2.4 the
> ":info" bit would ensure that every ICMP request was logged.

It allows ICMP "echo-request" packets. It has no effect on other ICMP packet types.

> However, under
> the latest shorewall version none of the ICMP requests are being logged
> whether they are dropped (ie I remove the rule) or whether they are accepted
> (ie the rule remains as is).

I'll look at the problem when I understand what release you are running (type "shorewall version" at a root shell prompt).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

On Friday 23 December 2005 19:56, Mark Vos wrote:
> shorewall version
> 3.0.3
>
> I have ensured that I have the required changes in shorewall.conf as per
> the instructions on your web page.
>
> As a work around, I've changed the rule to:
>
> ACCEPT:info net $FW ICMP 8 -
>
> That rules logs fine.

As I mentioned in a private email to Mark, the 3.0 syntax (see the release notes) also works:

Ping/ACCEPT:INFO net $FW

A corrected firewall script is available in the errata. See http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.3/known_problems.txt

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Thanks Tom!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Saturday, 24 December 2005 3:43 PM
To: Mark Vos; Shorewall Users
Subject: Re: [Shorewall-users] Logging issue

On Friday 23 December 2005 19:56, Mark Vos wrote:
> shorewall version
> 3.0.3
>
> I have ensured that I have the required changes in shorewall.conf as per
> the instructions on your web page.
>
> As a work around, I've changed the rule to:
>
> ACCEPT:info net $FW ICMP 8 -
>
> That rules logs fine.

As I mentioned in a private email to Mark, the 3.0 syntax (see the release notes) also works:

Ping/ACCEPT:INFO net $FW

A corrected firewall script is available in the errata. See http://www1.shorewall.net/pub/shorewall/3.0/shorewall-3.0.3/known_problems.txt

-Tom