From: Peter Humphrey
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Shorewall config problem
Date: Wed, 06 May 2015 16:20:19 +0100

Hello list,

I've recently installed a new ADSL modem, and now I'm trying to get it to log to my LAN server. The modem seems to be sending log messages but Shorewall is dropping them at the server.

I have the following:

# grep Syslog /etc/shorewall/rules
Syslog(ACCEPT) net:192.168.1.1 $FW

192.168.1.1 is the ADSL modem, the syslog-ng client.

# cat /usr/share/shorewall/macro.Syslog
?FORMAT 2
PARAM - - udp 514
PARAM - - tcp 514
<snipped comments>

And yet:

# shorewall show log
Shorewall 4.6.6.2 Log (/var/log/messages) at serv - Wed 6 May 15:52:43 BST 2015

Counters reset Wed 6 May 14:39:52 BST 2015

May 6 15:34:52 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=37
May 6 15:35:37 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=121 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=101
May 6 15:36:57 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=37
May 6 15:38:10 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
<snipped more similar entries>

Serv is the name of the syslog-ng server.

# grep Shorewall /var/log/messages
--->8
May 6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
--->8

Ifconfig shows 70:71:bc:94:ee:71 as the MAC address of the server's one Ethernet interface.

/etc/shorewall/rules has several more rules, all of which do their jobs, e.g.:

Squid(ACCEPT) net:192.168.1.3 $FW
Squid(ACCEPT) net:192.168.1.6 $FW
SSH(ACCEPT) net:192.168.1.3 $FW
SSH(ACCEPT) net:192.168.1.6 $FW

Where's the inconsistency? If the Squid and SSH rules work, why doesn't the Syslog rule?

Or are the extra 8 bytes in the MAC address the problem? Of course I can't change the format of the modem's output, so in that case I'll need to tell Shorewall to ignore them - is that possible?

Can someone shed some light on this, please?

--
Rgds
Peter

 
