Hello,
I upgraded some of my boxes from shorewall version 4.5.3-1 to 4.5.5.1
release, available in Roberto's Debian repository. On one of them the
LOGFORMAT string, defined in shorewall.conf, is replaced by the iptables
option "--log-prefix". I can't determine what the problem
really is.
Syslog:
Jun 29 22:44:40 server kernel: [858843.474143] --log-prefixIN=eth0
OUT= MAC=00:0e:7f:7d:72:32:74:8e:f8:60:e0:41:08:00
SRC=192.168.1.23 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=122
ID=49330 PROTO=TCP SPT=29454 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
# shorewall show
[…]
4 605 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix "--log-prefix"
[…]
/etc/shorewall/shorewall.conf:
[…]
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
[…]
$ uname -r -v -i -o
3.2.0-2-686-pae #1 SMP Mon Jun 11 18:27:04 UTC 2012 unknown GNU/Linux
$ cat /etc/debian_version
wheezy/sid
# iptables --version
iptables v1.4.14
Any ideas what could be the problem? If you need further information,
tell me what you need to know.
Something else, which has nothing to do with the
problem described above. When I restart shorewall with
STARTUP_ENABLED=No, I get a very nice error message, but with a wrong
shorewall.conf path in it.
# shorewall restart
ERROR: Shorewall startup is disabled. To enable startup, set
STARTUP_ENABLED=Yes in /etc/shorewall.conf
I think ${CONFDIR} should be ${g_confdir} in this context. Patch is
attached.
Thanks for your help!
Cheers,
Daniel.
On 06/07/12 14:49, Daniel Meißner wrote:
> I upgraded some of my boxes from shorewall version 4.5.3-1 to 4.5.5.1
> release, available in Roberto's Debian repository. On one of them the
> LOGFORMAT string, defined in shorewall.conf, is replaced by the iptables
> option "--log-prefix". I can't determine what the problem really is.

This is a bug in iptables that is triggered by compiling iptables with
gcc 4.7. See the following links for more info:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678499
http://bugzilla.netfilter.org/show_bug.cgi?id=782
http://bugzilla.netfilter.org/show_bug.cgi?id=774

The latter includes a patch that I am successfully using on my servers
running Debian Wheezy.

HTH,
Chris

--
Chris Boot
bootc@bootc.net
On 07/06/2012 06:49 AM, Daniel Meißner wrote:
> Something else, which has nothing to do with the
> problem described above. When I restart shorewall with
> STARTUP_ENABLED=No, I get a very nice error message, but with a wrong
> shorewall.conf path in it.
>
> # shorewall restart
> ERROR: Shorewall startup is disabled. To enable startup, set
> STARTUP_ENABLED=Yes in /etc/shorewall.conf
>
> I think ${CONFDIR} should be ${g_confdir} in this context. Patch is
> attached.

Applied.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 7/6/2012 10:12 AM, Chris Boot wrote:
> On 06/07/12 14:49, Daniel Meißner wrote:
>> I upgraded some of my boxes from shorewall version 4.5.3-1 to 4.5.5.1
>> release, available in Roberto's Debian repository. On one of them the
>> LOGFORMAT string, defined in shorewall.conf, is replaced by the iptables
>> option "--log-prefix". I can't determine what the problem really is.
> This is a bug in iptables that is triggered by compiling iptables with
> gcc 4.7. See the following links for more info:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678499
> http://bugzilla.netfilter.org/show_bug.cgi?id=782
> http://bugzilla.netfilter.org/show_bug.cgi?id=774
>
> The latter includes a patch that I am successfully using on my servers
> running Debian Wheezy.
>
> HTH,
> Chris
>

And for Fedora:

https://bugzilla.redhat.com/show_bug.cgi?id=825796

Bill
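Added example, not part of any poster's message and not Shorewall code: a shell check for the symptom reported at the start of this thread, counting kernel log lines whose netfilter prefix is the literal "--log-prefix" instead of one generated from the configured LOGFORMAT. Any log filter or alert that matches on the "Shorewall:" prefix will not see the affected lines. The function names and the sample log lines are constructed for illustration; the second sample mirrors the syslog entry quoted in the first message.

```shell
#!/bin/sh
# Added example: classify netfilter LOG lines by the prefix in front of IN=.

# Turn a Shorewall LOGFORMAT such as "Shorewall:%s:%s:" into an ERE:
# escape regex metacharacters, then let %s match one chain/disposition
# token and %d a rule number.
logformat_to_ere() {
    printf '%s' "$1" |
        sed -e 's/[][\.*^$+?(){}|]/\\&/g' -e 's/%s/[^: ]+/g' -e 's/%d/[0-9]+/g'
}

# $1 = LOGFORMAT, log lines on stdin. Prints "ok=N broken=N other=N".
# The ERE is passed through the environment so awk does not reinterpret
# backslashes the way it would for a -v assignment.
classify_log_prefixes() {
    ERE="$(logformat_to_ere "$1")" awk '
        BEGIN { ere = "^" ENVIRON["ERE"] "$" }
        # Only netfilter LOG lines carry the IN=... OUT=... field pair.
        !/IN=[^ ]* OUT=/ { next }
        {
            line = $0
            sub(/ ?IN=[^ ]* OUT=.*/, "", line)               # drop packet fields
            sub(/^.*kernel: (\[[ 0-9.]+\] )?/, "", line)     # drop syslog header
            if (line == "--log-prefix") broken++   # option name logged as prefix
            else if (line ~ ere)        ok++       # prefix built from LOGFORMAT
            else                        other++    # some other LOG rule
        }
        END { printf "ok=%d broken=%d other=%d\n", ok, broken, other }
    '
}

# Constructed sample input (chain name net2fw is made up).
sample_log() {
    cat <<'EOF'
Jun 29 22:40:02 server kernel: [858565.101010] Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=29400 DPT=23
Jun 29 22:44:40 server kernel: [858843.474143] --log-prefixIN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 LEN=48 PROTO=TCP SPT=29454 DPT=22
Jun 29 22:45:01 server sshd[4242]: Connection closed by 192.168.1.23
EOF
}

sample_log | classify_log_prefixes 'Shorewall:%s:%s:'
```

On a real host, feed the function the file named by LOGFILE in shorewall.conf instead of sample_log; a non-zero "broken" count means the running iptables binary is affected.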