Hi Group,

Congratulations on shorewall.org!
No question shorewall is the best tool I know for playing with iptables rules!

Second, I wonder if anyone can help me with the following:

1. I'm trying to configure a rule with the NFLOG option.
I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(
My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
At the moment I'm using ULOG version 1.X.
Is this only supported via ULOG version 2.0?

I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.

2. What is the true difference between ULOG and NFLOG?

3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html
Where do I configure the shorewall LEVEL?
It says it has the following:

debug, info, error, etc.

but I don't see where to change it under the shorewall configuration.

4. A rule like this

ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence) fw all all

doesn't seem to work.
I'm getting: Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)

Why? Any idea?

5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
I didn't manage to find how to do it in ulog.conf.

Thanks
Sassy
At 10/31/2013 08:56 AM, you wrote:
> Hi Group,
>
> Congratulations on shorewall.org!
> No question shorewall is the best tool I know for playing with iptables rules!
>
> Second, I wonder if anyone can help me with the following:
>
> 1. I'm trying to configure a rule with the NFLOG option.
> I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(
> My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
> At the moment I'm using ULOG version 1.X.
> Is this only supported via ULOG version 2.0?
>
> I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.
>
> 2. What is the true difference between ULOG and NFLOG?
>
> 3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html
>
> Where do I configure the shorewall LEVEL?
> It says it has the following:
>
> debug, info, error, etc.
>
> but I don't see where to change it under the shorewall configuration.
>
> 4. A rule like this
> ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence) fw all all
>
> doesn't seem to work.
> I'm getting: Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)
>
> Why? Any idea?
>
> 5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
> I didn't manage to find how to do it in ulog.conf.
>
> Thanks
> Sassy

I'm running on Arch Linux, so I may be way out of touch with older systems and the following may not match your system.
I'm also somewhat new to shorewall/iptables. I found

# shorewall check -r

to be very helpful when changing the shorewall files.
I believe you need ulogd2 and kernel > 2.6.14 for NFLOG.

NFLOG is part of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
ULOG is entering end-of-life. NFLOG requires support to be compiled into the kernel.

# zcat /proc/config.gz | grep NFLOG
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_BRIDGE_EBT_NFLOG=m

Use NFLOG as your log level, and as with ULOG you can specify the group: NFLOG(1,0,1). NFLOG may default to group 0?

Make sure you have your NFLOG filter stack correct in /etc/ulogd.conf.
See /usr/share/doc/ulogd/ulogd.conf for some example stacks.

Example rule I have:

SECTION NEW

# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)   net:+blset   all

and /etc/ulogd.conf
~~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
~~~~~~~

and add logrotate for the new log.

Wayne S
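A check that ties Wayne's two configs together (which NFLOG group each Shorewall rule logs to, and which ulogd stack, if any, reads that group): the example below is added here and is not code from the thread, from Shorewall or from ulogd. It assumes the ulogd.conf layout Wayne posted (a [global] section with repeated plugin= and stack= keys, stack elements written as instance:PLUGIN, and an optional [instance] section carrying group= for an NFLOG input or file= for a LOGEMU output) and the Shorewall log-level spelling NFLOG(group,range,threshold) seen in his DROP:NFLOG(4,0,1). The sample configuration and rules are constructed; the group-0 fall-back for an NFLOG instance without group= follows the iptables --nflog-group default quoted later in the thread, and /var/log/ulogd.syslogemu as LOGEMU's default file is an assumption.

```python
"""Cross-check Shorewall NFLOG groups against the stacks in /etc/ulogd.conf.

Added example (not from the thread, Shorewall or ulogd).  A group that
Shorewall logs to but no ulogd stack listens on loses its packets silently;
an NFLOG input with no group= quietly listens on group 0.
"""
import re
from collections import defaultdict

# Constructed from Wayne's ulogd.conf, plus one extra stack (log0) that has
# no [log0] section, to show the silent fall-back to netlink group 0.
SAMPLE_ULOGD_CONF = """\
[global]
logfile="/var/log/ulogd.log"
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU
stack=log0:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
"""

# Constructed Shorewall rules: group 4 is served by ulogd above, group 2 is not.
SAMPLE_RULES = """\
SECTION NEW
DROP:NFLOG(4,0,1)   net:+blset   all
DROP:NFLOG(2)       net          fw   tcp   23
ACCEPT:NFLOG        fw           all
"""

def parse_ulogd_conf(text):
    """Return (stacks, sections): stacks is a list of [(instance, plugin), ...],
    sections maps a section name to its key/value pairs (first value wins)."""
    sections, stacks, current = defaultdict(dict), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections[current]                      # register even if empty
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "stack":
            stacks.append([tuple(e.split(":", 1)) for e in value.split(",")])
        elif current is not None:
            sections[current].setdefault(key, value)
    return stacks, dict(sections)

def ulogd_group_files(text):
    """Map each NFLOG group to the LOGEMU files it ends up in; warn for NFLOG
    inputs with no group= (ulogd then listens on group 0, like iptables'
    --nflog-group default)."""
    stacks, sections = parse_ulogd_conf(text)
    files, warnings = defaultdict(set), []
    for stack in stacks:
        for inst, plugin in stack:
            if plugin != "NFLOG":
                continue
            cfg = sections.get(inst, {})
            if "group" not in cfg:
                warnings.append(f"{inst}: no group= set, defaults to 0")
            for out, oplugin in stack:
                if oplugin == "LOGEMU":
                    # assumption: LOGEMU's default file when file= is absent
                    path = sections.get(out, {}).get("file", "/var/log/ulogd.syslogemu")
                    files[int(cfg.get("group", 0))].add(path)
    return {g: sorted(p) for g, p in sorted(files.items())}, warnings

RULE_NFLOG = re.compile(r":NFLOG(?:\((\d+)[^)]*\))?(?=\s)")

def shorewall_nflog_groups(rules):
    """Netlink groups referenced by NFLOG log levels in a Shorewall rules file.
    Bare NFLOG is taken as group 0 (the iptables default)."""
    return {int(m.group(1) or 0) for m in RULE_NFLOG.finditer(rules)}

def unserved_groups(rules, conf):
    """Groups Shorewall logs to that no ulogd stack reads."""
    served, _ = ulogd_group_files(conf)
    return sorted(shorewall_nflog_groups(rules) - set(served))

if __name__ == "__main__":
    mapping, warns = ulogd_group_files(SAMPLE_ULOGD_CONF)
    for g, paths in mapping.items():
        print(f"group {g} -> {', '.join(paths)}")
    for w in warns:
        print("warning:", w)
    print("unserved groups:", unserved_groups(SAMPLE_RULES, SAMPLE_ULOGD_CONF))
```

Run against the real files (read /etc/ulogd.conf and /etc/shorewall/rules instead of the constructed samples) it answers question 5 directly: each extra netlink group needs its own NFLOG instance and stack in one ulogd, not a separate daemon, and any group the rules reference without a matching stack shows up as unserved.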
Hi Wayne,

Thanks for the reply!
I was wondering if NFLOG supports the accounting module. At least Shorewall supports this according to http://www.shorewall.net/shorewall-accounting.html, but I didn't manage to make it work.

Thanks
Sassy

On Sat, Nov 2, 2013 at 1:34 AM, Wayne S <linux@zuik.net> wrote:
> At 10/31/2013 08:56 AM, you wrote:
> > Hi Group,
> >
> > Congratulations on shorewall.org!
> > No question shorewall is the best tool I know for playing with iptables rules!
> >
> > Second, I wonder if anyone can help me with the following:
> >
> > 1. I'm trying to configure a rule with the NFLOG option.
> > I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(
> > My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
> > At the moment I'm using ULOG version 1.X.
> > Is this only supported via ULOG version 2.0?
> >
> > I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.
> >
> > 2. What is the true difference between ULOG and NFLOG?
> >
> > 3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html
> >
> > Where do I configure the shorewall LEVEL?
> > It says it has the following:
> >
> > debug, info, error, etc.
> >
> > but I don't see where to change it under the shorewall configuration.
> >
> > 4. A rule like this
> > ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence) fw all all
> >
> > doesn't seem to work.
> > I'm getting: Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)
> >
> > Why? Any idea?
> >
> > 5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
> > I didn't manage to find how to do it in ulog.conf.
> >
> > Thanks
> > Sassy
>
> I'm running on Arch Linux, so I may be way out of touch with older systems and the following may not match your system.
> I'm also somewhat new to shorewall/iptables. I found
>
> # shorewall check -r
>
> to be very helpful when changing the shorewall files.
>
> I believe you need ulogd2 and kernel > 2.6.14 for NFLOG.
>
> NFLOG is part of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
> ULOG is entering end-of-life. NFLOG requires support to be compiled into the kernel.
>
> # zcat /proc/config.gz | grep NFLOG
> CONFIG_NETFILTER_XT_TARGET_NFLOG=m
> CONFIG_BRIDGE_EBT_NFLOG=m
>
> Use NFLOG as your log level, and as with ULOG you can specify the group: NFLOG(1,0,1). NFLOG may default to group 0?
>
> Make sure you have your NFLOG filter stack correct in /etc/ulogd.conf.
> See /usr/share/doc/ulogd/ulogd.conf for some example stacks.
>
> Example rule I have:
>
> SECTION NEW
>
> # Drop blacklist ipset and log to ulogd.blacklist
> DROP:NFLOG(4,0,1)   net:+blset   all
>
> and /etc/ulogd.conf
> ~~~~~~~~~~~~
> [global]
> logfile="/var/log/ulogd.log"
> loglevel=5
> rmem=131071
> bufsize=150000
>
> plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
> plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
> plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
> plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
> plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
> plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
>
> # shorewall normal log packets group 1
> stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
>
> # shorewall log blacklist group 4
> stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU
>
> [log1]
> group=1
> #sync=1
>
> [log4]
> group=4
>
> [emu1]
> file=/var/log/ulogd.syslogemu
>
> [emu3]
> file=/var/log/ulogd.blacklist
> ~~~~~~~
>
> and add logrotate for the new log.
>
> Wayne S
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 10/31/2013 8:56 AM, Sassy Natan wrote:
> Hi Group,
>
> Congratulations on shorewall.org!
> No question shorewall is the best tool I know for playing with iptables rules!

Thanks.

> Second, I wonder if anyone can help me with the following:
>
> 1. I'm trying to configure a rule with the NFLOG option.
> I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(

'It doesn't work' isn't very helpful. Does Shorewall complain about the rule, or are you just not getting any packets logged? Based on your next question, I assume the latter.

> My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
> At the moment I'm using ULOG version 1.X.
> Is this only supported via ULOG version 2.0?

NFLOG is only supported with ULOG 2.

> I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.
>
> 2. What is the true difference between ULOG and NFLOG?

NFLOG has replaced ULOG. ULOG only works with IPv4; NFLOG works with both IPv4 and IPv6.

From iptables-extensions(8):

   NFLOG
       This target provides logging of matching packets. When this target is set for a rule, the Linux kernel will pass the packet to the loaded logging backend to log the packet. This is usually used in combination with nfnetlink_log as logging backend, which will multicast the packet through a netlink socket to the specified multicast group. One or more userspace processes may subscribe to the group to receive the packets. Like LOG, this is a non-terminating target, i.e. rule traversal continues at the next rule.

       --nflog-group nlgroup
              The netlink group (0 - 2^16-1) to which packets are (only applicable for nfnetlink_log). The default value is 0.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 64 characters long, useful for distinguishing messages in the logs.
       --nflog-range size
              The number of bytes to be copied to userspace (only applicable for nfnetlink_log). nfnetlink_log instances may specify their own range, this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before sending them to userspace (only applicable for nfnetlink_log). Higher values result in less overhead per packet, but increase delay until the packets reach userspace. The default value is 1.

   ULOG (IPv4-specific)
       This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets. Like LOG, this is a "non-terminating target", i.e. rule traversal continues at the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

       --ulog-qthreshold size
              Number of packet to queue inside kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

> 3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html
>
> Where do I configure the shorewall LEVEL?
> It says it has the following:
>
> debug, info, error, etc.
>
> but I don't see where to change it under the shorewall configuration.

You need to keep reading in that section. There are many settings in shorewall.conf that accept a log level, and rules in many files also allow a log level.

> 4. A rule like this
> ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence) fw all all
>
> doesn't seem to work.
> I'm getting: Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)
>
> Why? Any idea?

When you ask for help, it is important to tell us which Shorewall version you are running (see the output of 'shorewall version'). Your version may be too old.

> 5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
> I didn't manage to find how to do it in ulog.conf.

I believe that with ulogd 1, you need to run separate daemons. In version 2, you can configure multiple sources.

Disclaimer -- I wrote Shorewall, not ulogd :-)

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
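Once the NFLOG stack is in place, the LOGEMU output file is what an operator actually reviews, and the --nflog-prefix / Shorewall log prefix quoted above is what lets the records be told apart. The parser below is an added example, not code from the thread, from Shorewall or from ulogd. It assumes LOGEMU's syslog-emulation line layout ("<Mon dd HH:MM:SS> <host> <prefix> IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...", with bare flags such as DF and SYN) and Shorewall's default prefix form "Shorewall:<chain>:<disposition>:"; the log lines are constructed, and the addresses come from the documentation ranges.

```python
"""Summarise ulogd LOGEMU output by Shorewall log prefix and source address.

Added example (not from the thread, Shorewall or ulogd).  It turns the raw
syslog-emulation file into per-source counts so that a DROP prefix that is
being hit repeatedly stands out during log review.
"""
import re
from collections import Counter

# Constructed LOGEMU lines: three drops from one host, one from another,
# one outbound ACCEPT, and one line that is not a log record at all.
SAMPLE_LOG = """\
Nov  2 01:34:05 fw Shorewall:net2fw:DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 SYN URGP=0
Nov  2 01:34:06 fw Shorewall:net2fw:DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 SYN URGP=0
Nov  2 01:34:07 fw Shorewall:net2fw:DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=3389 SYN URGP=0
Nov  2 01:34:09 fw Shorewall:net2fw:DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=48 ID=0 PROTO=UDP SPT=5353 DPT=5353
Nov  2 01:34:10 fw Shorewall:fw2net:ACCEPT: IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.20 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
this line is not a log record
"""

# syslog-style timestamp, host, then everything else (prefix + packet fields)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

def parse_logemu_line(line):
    """Split one LOGEMU line into timestamp, host, prefix, key=value fields
    and bare flags (DF, SYN, ...).  Returns None for lines that don't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    at = rest.find("IN=")            # packet fields start at IN=; prefix is before
    if at < 0:
        return None
    fields, flags = {}, []
    for tok in rest[at:].split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val        # e.g. SRC=203.0.113.5, OUT= (empty)
        else:
            flags.append(tok)        # e.g. DF, SYN
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": rest[:at].strip(), "fields": fields, "flags": flags}

def summarise(text):
    """Count records per (prefix, SRC) and per (prefix, SRC, PROTO, DPT)."""
    by_src, by_port = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_logemu_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        by_src[(rec["prefix"], f.get("SRC"))] += 1
        by_port[(rec["prefix"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return by_src, by_port

def noisy_sources(text, min_hits=3, disposition="DROP"):
    """Sources that hit a prefix with the given disposition at least min_hits
    times: a quick triage list, sorted, for a firewall log review."""
    by_src, _ = summarise(text)
    return sorted(src for (prefix, src), n in by_src.items()
                  if prefix.endswith(f":{disposition}:") and n >= min_hits)

if __name__ == "__main__":
    by_src, by_port = summarise(SAMPLE_LOG)
    for (prefix, src, proto, dpt), n in sorted(by_port.items()):
        print(f"{n:4d}  {prefix:<28} {src:<15} {proto}/{dpt}")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

The prefix is recovered by position rather than by pattern, so the same parser works for a custom LOGFORMAT as long as the packet fields still begin with IN=; the DROP/ACCEPT split relies on Shorewall's default trailing ":<disposition>:" and would need adjusting for a different LOGFORMAT.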