similar to: More Logging and Actions

Ian has proposed that we change the way that logging interacts with defined actions. Currently, if logging is specified on the invocation of an action (e.g., "AllowFTP:info all all"), all traffic sent to the AllowFTP chain is logged. In most cases, this isn''t what the user intended and other people have expressed surprise about this behavior in the past. The way I see this

>From a diff of my current shorewall firewall script with the new one from the CVS today : $ diff -w /usr/share/shorewall/firewall /usr/src/shorewall/s/firewall [...] 673c910 < for network in $networks; do --- > for networks in $networks; do I don''t think that "for networks in $networks" works well. -- -IAN! Ian! D. Allen Ottawa, Ontario,

I think you can change the existing firewall logging code for log_rule_limit (where you have one case for for LOGRULENUMBERS and another almost identical case without) down to this slightly shorter version with no duplication (excerpt): if [ -n "$LOGRULENUMBERS" ]; then eval rulenum=\$${chain}_logrules [ -z "$rulenum" ] && rulenum=1 fi case

I am getting the following message when Shorewall stops can anybody shed any light on this message and where I should be looking? Thanks root@bobshost:~# shorewall stop Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Stopping Shorewall...Processing /etc/shorewall/stop ... IP Forwarding Enabled

Hello, My hoster updated its kernel packages... It contained some old problems that should have been fixed. My servers have now a wonderful 2.6.21.5 kernel + grsec running. Both are running Debian 4.0 (stable release). mx:/etc/shorewall# iptables --version iptables v1.3.6 mx:/etc/shorewall# uname -a Linux mx.network-hosting.com 2.6.21.5-grsec-xxxx-grs-ipv4-32 #1 SMP Fri Jul 27 17:18:23 CEST

Let''s move this to the Shorewall Development list.... On Tuesday 10 February 2004 03:14 pm, xavier wrote: > here is a patch to allow this : > |ACCEPT<10/sec:20>:debug fw lan:$ntp_servers udp 123 - - - - ntp > > a problem with the patch is that now the logprefix is mandatory. > i''m trying to debug it, but i can''t find the flaw. Also, with

Dear All, Firstly, thank you very much - shorewall is great. I''m not a member of this list, and please forgive me if I am suggesting something stupid, but the following occurs to me, and I thought it might be useful. Why no make it possible to specify zones as well as interfaces in the /etc/shorewall/masq file ? Eg: instead of: eth0 eth1 one might write: net loc (or masq in

As 2.2.0 is nearing release, I''ve begun to think about what I''ll do for 2.3 and I think that it is time for Shorewall to add support for IPV6. Because of parsing ambiguities, the need to maintain upward compatibility with both Shorewall and 6Wall, and different available functionality in IPV4 and IPV6 Netfilter, I believe that it is going to be necessary for some files to be

I''ve tried googling and searching the archives for any mention of this. After updating my shorewall RPMs a little while ago I noticed that there was new options - the Actions.Drop and Actions.Reject functions. My shorewall config still starts up happily, but when it gets to the part where it processes those actions (which I don''t use!) I get a severe delay that can last from 15

Hello all, It''s my first letter on this list, and, my English is not very well. Please take me indulgence for grammar/syntax and over erorrs :)) I have trouble for acl''s of ip range. But, acl for one host (with ip adress) work fine. Please help me for make work acl/find erorr in acl. Becouse I''m new shorewall user, I maked test configuration on Virtual Mashine

I''ve got a rather simple question about the actions packaged with Shorewall. I know there are a group of actions included in actions.std that are processed when Shorewall starts up. Most of these are Allow actions, and I assume they''re intended for administrative ease of use when adding rules. What I want to confirm is that they do not actually take effect unless called

I am running shorewall 2.1.5, recently upgraded from 1.4 and am intrigued with these new actions and have two questions, first, if I create a action.Allow, just like there exists action.Drop and action.Reject, will the actions included in action.Allow be processed just like those in action.Drop? (whether I use this file in /etc/shorewall or /usr/share/shorewall) the most important question:

I just installed stock shorewall-3.4.2 and shorewall-perl-3.9.0 under Cygwin on this Windows XP system. I downloaded the two-interface sample and modified shorewall.conf by adding "SHOREWALL_COMPILER=perl". I copied a capabilities file from my desktop and: teastep@EASTEPNC6000 ~/Configs/test $ shorewall check . Checking... Checking /home/teastep/Configs/test/zones... Checking

I just installed stock shorewall-3.4.2 and shorewall-perl-3.9.0 under Cygwin on this Windows XP system. I downloaded the two-interface sample and modified shorewall.conf by adding "SHOREWALL_COMPILER=perl". I copied a capabilities file from my desktop and: teastep@EASTEPNC6000 ~/Configs/test $ shorewall check . Checking... Checking /home/teastep/Configs/test/zones... Checking

The params file appears to be simply "sourced" by the firewall script, which means one can put any Bourne shell code into it and it will execute it. This feature isn''t documented, so I''m wondering if it can be documented and thus guaranteed to always work. I''d like to dig out the IP parameters of my interface cards from the ifcfg-eth? files and set shorewall

Attached is file "QSG-issues-1.0.txt" containing a numbered and commented list of issues collected from contributors and recent lists activity. It might be cool to have these issues in some spiffy issue tracking system like RT or something, but for a low tech start it''ll probably suffice. COMMENTS - IMHO (no particular order): I have searched the archives for additional

Hello, I''m going to be helping a friend setup Shorewall in place of his Cisco router on his home network. Shorewall will be acting as the router/firewall gateway for internet access for his home LAN. His connection to the ISP is via PPPOE. Nothing unfamiliar here to me. It will be a standard 2 interface setup. My curiosity was peaked when he said that he is going to be installing

hi, i create rule such action.AllowPostGrey: ----------------------------------------------- ###################################################################################### #TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/ # PORT PORT(S) LIMIT GROUP ACCEPT $A_IP $PORTAL_IP tcp 10023 ACCEPT

Hi all in the ShoreWall community, [please CC me since I''m not on the list] I had been using FIAIF for a little while, and the setup of ShoreWall has been much easier, the config for each operation in one place, and I''m very happy with it. That said, it looks like one of the concepts could be taken a bit further. In this case, it is actions. To get the process started, I

This article describes how to implement "Port Knocking" in Shorewall. http://shorewall.net/PortKnocking.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key