Discussion:
[Shorewall-users] Logging: missing information like IP and protocol. Only interfaces and MAC addr shown
Gaétan QUENTIN
2016-12-07 13:51:41 UTC
Hi,

I have configured shorewall that way:

The host:
- ubuntu 16.10
- shorewall 5.0.11-1.
- only 1 nic

shorewall:
/etc/shorewall/shorewall.conf:
INVALID_LOG_LEVEL=$LOG:invlev
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
MACLIST_LOG_LEVEL=$LOG:maclist
RPFILTER_LOG_LEVEL=$LOG:rpfilter
SFILTER_LOG_LEVEL=$LOG:filter
SMURF_LOG_LEVEL=$LOG:smurf
TCP_FLAGS_LOG_LEVEL=$LOG:tcp-flags


/etc/shorewall/params:
LOG=NFLOG

/etc/shorewall/zones:
fw firewall
net ipv4

/etc/shorewall/policy:
$FW all ACCEPT
net all DROP $LOG

/etc/shorewall/interfaces:
net enp0s20f0 tcpflags,logmartians,nosmurfs,sourceroute=0

/etc/shorewall/rules:
Invalid(DROP):$LOG net $FW tcp
Ping(ACCEPT):$LOG net $FW


ulogd:
[global]
stack=log:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,firewall:LOGEMU


[firewall]
file="/var/log/firewall.log"
sync=1


RESULTS
------------------

When forbidden traffic arrives, I see only this in the log file:
/var/log/firewall.log:

Shorewall:net-fw:DROP: IN=enp0s20f0 OUT= MAC=00:07:cb:03:f6:84:cc:46:d6:b2:c9:f1:08:00 LEN=0 TOS=00 PREC=0x00 TTL=0 ID=0 PROTO=0 MARK=0


No IP, port or protocol info.

How to change it?
--
Gaétan QUENTIN
Tom Eastep
2016-12-08 00:19:52 UTC
Which ulogd plugins are you loading?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Gaétan QUENTIN
2016-12-08 08:23:30 UTC
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
Gaétan QUENTIN
Tom Eastep
2016-12-08 16:45:44 UTC
The only thing that I can suggest that you try is changing your
/etc/shorewall/params entry to:

LOG="NFLOG(0,128,1)"

That should not be necessary, as LOG=NFLOG should work (and does for
me). "NFLOG" by itself is equivalent to "NFLOG(0,0,1)" and the second
"0" indicates that there is no limit on the amount of the packet to log.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
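A check for the failure mode in this thread, written as an added example (not code from the thread, from Shorewall or from ulogd): it parses LOGEMU lines in the LOGFORMAT="Shorewall:%s:%s:" layout used above and flags records that were logged without an IP header, so a logging regression like this one is caught by a routine audit instead of during an incident. The syslog-style timestamp and host prefix on the sample lines, and the healthy second line, are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Prefix produced by LOGFORMAT="Shorewall:%s:%s:"  ->  Shorewall:<zone-pair>:<disposition>:
PREFIX_RE = re.compile(r"Shorewall:(?P<zones>[^:\s]+):(?P<action>[^:\s]+):")
# ulogd PRINTPKT/LOGEMU emit KEY=value tokens; flag-only tokens (DF, SYN) carry no "=".
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# Fields that can only be filled when the IP header is inside the captured bytes.
IP_FIELDS = ("SRC", "DST", "PROTO")

def parse_logemu_line(line: str) -> Dict[str, str]:
    """Return a flat dict: zones, action, plus every KEY=value token after the prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("no Shorewall log prefix in line")
    rec = {"zones": m.group("zones"), "action": m.group("action")}
    for kv in KV_RE.finditer(line, m.end()):
        rec[kv.group("key")] = kv.group("val")
    return rec

def header_truncated(rec: Dict[str, str]) -> bool:
    """True when the record carries no usable IP-layer data: SRC/DST/PROTO absent or
    zero, or LEN and TTL both 0, which is what a zero-byte NFLOG capture produces."""
    missing_ip = not all(rec.get(f) not in (None, "", "0") for f in IP_FIELDS)
    zeroed = rec.get("LEN") == "0" and rec.get("TTL") == "0"
    return missing_ip or zeroed

def audit(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every record a responder could not act on."""
    problems = []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_logemu_line(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if header_truncated(rec):
            problems.append((n, f"{rec['zones']}:{rec['action']} logged without IP header"))
    return problems

# Constructed sample: line 1 is the truncated record quoted in the original post,
# line 2 is what the same DROP looks like once the IP header is captured (assumed values).
SAMPLE_LINES = [
    "Dec  7 13:40:01 gw Shorewall:net-fw:DROP: IN=enp0s20f0 OUT= "
    "MAC=00:07:cb:03:f6:84:cc:46:d6:b2:c9:f1:08:00 LEN=0 TOS=00 PREC=0x00 TTL=0 ID=0 PROTO=0 MARK=0",
    "Dec  7 13:41:09 gw Shorewall:net-fw:DROP: IN=enp0s20f0 OUT= "
    "MAC=00:07:cb:03:f6:84:cc:46:d6:b2:c9:f1:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 "
    "TOS=00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51532 DPT=22 WINDOW=29200 SYN URGP=0 MARK=0",
]
```

Running `audit(SAMPLE_LINES)` reports line 1 only; feeding it the real /var/log/firewall.log after the LOG change should return an empty list.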
Gaétan QUENTIN
2016-12-08 18:13:36 UTC
It works!
Thanks a lot Tom.
--
Gaétan QUENTIN