Tornhoof
2014-Jun-20 18:03 UTC
Problems with Shorewall 4.6.1.1 and Portknocking Events example
Hi, I previously used (4.5.x, 4.6.0) the following Portknocking
configuration (from here http://shorewall.net/Events.html):
/etc/shorewall/actions:
#ACTION OPTION DESCRIPTION
SSHKnock #SSH Port Knocking
/etc/shorewall/action.SSHKnock:
#
# Shorewall version 4 - SSH_BLACKLIST Action
#
?format 2
###############################################################################
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
- - tcp 22
SetEvent(SSH,ACCEPT) - - tcp 1600
ResetEvent(SSH,DROP:info)
/etc/shorewall/rules
#
# Knocking on the ssh port
#
DNAT- net loc:192.168.128.2 tcp 22
SSHKnock:info net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.128.2 tcp 22
After updating to 4.6.1.1, I had the following warnings:
Jun 20 18:27:34 WARNING: The destination zone (loc) is ignored in DNAT
rules /etc/shorewall/rules (line 30)
I had to change the DNAT- line and remove the loc:
You might want to change your example at
http://shorewall.net/PortKnocking.html and remove the loc: in the DNAT-
line.
I also received the following error:
Jun 20 18:27:35 ERROR: -j is only allowed when the ACTION is INLINE with
no parameter /usr/share/shorewall/action.IfEvent (line 139)
from /etc/shorewall/action.SSHKnock (line 8)
from /etc/shorewall/rules (line 31)
I switched to the deprecated manual chain example
http://shorewall.net/PortKnocking.html to get my PortKnocking working again.
I would still prefer to use the Events system; how can I get around
this error?
Best Regards
Torni
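To make the intended behaviour of the posted action.SSHKnock easier to reason about, here is an added model of its three rules (IfEvent, SetEvent, ResetEvent) evaluated in order over constructed packets. This is editor-supplied illustration code, not Shorewall's implementation; the port numbers, 60 s window and hitcount are taken from the configuration above, and the source addresses and timestamps are made up.

```python
from collections import defaultdict

# Model of the posted SSHKnock action (added illustration, not Shorewall code).
# Knock port 1600 sets the SSH event; port 22 is accepted once if the event was
# set within 60 s; anything else (e.g. decoy ports 1599/1601) resets and drops.
KNOCK_PORT = 1600
SSH_PORT = 22
WINDOW = 60        # IfEvent duration in seconds
HITCOUNT = 1       # IfEvent hitcount


class EventTable:
    """Per-source timestamps, like the kernel 'recent' list behind SetEvent/IfEvent."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        self.hits[src].append(now)

    def reset(self, src):
        self.hits.pop(src, None)

    def check(self, src, now, duration, hitcount):
        recent = [t for t in self.hits[src] if now - t <= duration]
        return len(recent) >= hitcount


def ssh_knock(table, src, dport, now):
    """Return the verdict for one packet, in the order the action's rules are read."""
    if dport == SSH_PORT and table.check(src, now, WINDOW, HITCOUNT):
        table.reset(src)          # IfEvent(SSH,ACCEPT:info,60,1,src,reset)
        return "ACCEPT"
    if dport == KNOCK_PORT:
        table.set(src, now)       # SetEvent(SSH,ACCEPT)
        return "ACCEPT"
    table.reset(src)              # ResetEvent(SSH,DROP:info)
    return "DROP"


def run(packets):
    """packets: constructed (src, dport, time) tuples; returns one verdict per packet."""
    table = EventTable()
    return [ssh_knock(table, src, dport, t) for src, dport, t in packets]


if __name__ == "__main__":
    sample = [("10.0.0.5", 22, 0), ("10.0.0.5", 1600, 1), ("10.0.0.5", 22, 5),
              ("10.0.0.5", 22, 6), ("10.0.0.5", 1600, 10), ("10.0.0.5", 1599, 11),
              ("10.0.0.5", 22, 12), ("10.0.0.5", 1600, 20), ("10.0.0.5", 22, 100)]
    for pkt, verdict in zip(sample, run(sample)):
        print(pkt, verdict)
```

The sample shows that a knock buys exactly one SSH connection, that a knock on a decoy port cancels it, and that an unused knock expires after the 60 s window.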