On Sun, 2010-10-31 at 15:11 +0100, KP Kirchdoerfer wrote:
> On Sunday, 31 October 2010, 13:55:46, davidMbrooke wrote:
> >
> > - A minor point, but Shorewall startup logs go
> > to /var/log/shorewall.log whereas Shorewall6 startup logs go
> > to /var/log/shorewall6-init.log (so IPv4 Shorewall should
> > use /var/log/shorewall-init.log ?)
>
> That's surely not intended - but if it gets fixed which way round? Is there a
> need for shorewall-init.log? I tend to have only one logfile for shorewall (and
> one for shorewall6 of course).
>
> kp

Hi kp,

It seems that "vanilla" Shorewall uses -init.log for both files. We
patch Shorewall's /etc/shorewall.conf using our shorewall-lrp.diff and
change the default for Shorewall (to /var/log/shorewall.log) but not for
Shorewall6.

My general preference is to align with "vanilla" Shorewall. I can see
the value in having separate files for Shorewall's own "init" output
versus iptables' DROP and REJECT messages. For example, I like the idea
of generating reports (or even real-time alerts) based on firewall hits,
and that would be easiest if those are in a separate file from the
"init" messages.

Looking around the 'net there does not seem to be too much agreement on
a standard name for the "other" (non-init) logfile. (The vanilla setting
in Shorewall is /var/log/messages and I do not propose to use that.)
Some examples are:

    /var/log/shorewall
    /var/log/shorewall/warn.log
    /var/log/shorewall.log
    /var/log/firewall

If anything that last one seems the most popular - standard in SUSE
according to Tom's docs. I'd say either use that or stick
with /var/log/shorewall.log (and presumably /var/log/shorewall6.log) for
consistency with BuC 3.x. Thoughts?

The Shorewall FAQs are helpful as ever and document how to *not* get
iptables log output sent to /dev/console:

    http://www.shorewall.net/FAQ.htm#faq16

By the way, I noticed an error:

    # shorewall show log
    Shorewall 4.4.13.1 Log (/var/log/shorewall.log) at firewall - Sun Oct 31 16:59:59 BST 2010

    Counters reset Sun Oct 31 13:29:29 BST 2010

    /sbin/shorewall: line 214: tac: not found
    /sbin/shorewall: line 214: tac: not found

We can configure Busybox to include tac. I will do that now.

dMb