Tom Eastep <[EMAIL PROTECTED]> wrote on 12/20/2005 12:48:34 PM:
> On Tuesday 20 December 2005 09:29, Timothy J. Massey wrote:
>
> >
> > It adds 2 more logging lines, but it only affects the logging rules for
> > the 3 ports we're interested in, rather than the 65,000 or so that we're
> > not. Am I missing something?
>
> Yes -- why in the world would you send traffic for the other 65,000 through
> this action in the first place? The intent of the original code on the web
> site is that we log accepted SSH traffic with a disposition of ACCEPT while
> we log the knocks and disables with a disposition of DROP (which is actually
> what happens). It is assumed that only traffic destined for *those three
> ports* will ever go through the chain.
In other words, these rules only get referenced when packets first match
the ports within the action line in /etc/shorewall/rules, so if the
rules contained within the action script are broader, it doesn't matter?
So, given the following lines in /etc/shorewall/rules:
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW udp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178
packets destined to UDP <any port but 1599,1600 or 1601> will never make
it to the logging lines we were talking about in the original e-mail.
Duh. Makes perfect sense. (Did I mention I'm new to actions? :) )
If that is the case, then, I can safely drop the --dport parameter and
have it log all UDP packets that it sees, because it will only ever see
the relevant packets.
Thank you very much for your help!
Tim Massey
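As an added illustration of the dispatch Tom describes (a constructed model, not Shorewall's code and not the action from the web site): the rules file hands only udp/1599-1601 and tcp/22 to the SSHKnock chain, so the chain's UDP log rule needs no --dport. The knock semantics (1599 enables SSH from that source, 1600/1601 disable it, 60 second window), the chain's exact contents and the source address are assumptions.

```python
from dataclasses import dataclass, field

KNOCK_WINDOW = 60                  # seconds a knock stays valid (assumed value)
KNOCK_PORTS = (1599, 1600, 1601)   # the three UDP ports from the rules file


@dataclass
class Firewall:
    enabled: dict = field(default_factory=dict)  # src -> time of last knock
    log: list = field(default_factory=list)      # what the action's LOG rules emit

    def sshknock(self, src, proto, port, now):
        """Body of the SSHKnock action chain (assumed contents). No --dport on
        the UDP branch: the chain only ever sees udp/1599-1601 and tcp/22."""
        if proto == "udp":
            if port == 1599:                 # knock: enable SSH from src
                self.enabled[src] = now
            else:                            # 1600/1601: disable it again
                self.enabled.pop(src, None)
            self.log.append(f"SSHKnock:DROP udp/{port} from {src}")
            return "DROP"
        last = self.enabled.get(src)
        if last is not None and now - last <= KNOCK_WINDOW:
            self.log.append(f"SSHKnock:ACCEPT tcp/{port} from {src}")
            return "ACCEPT"
        return "POLICY"  # no match in the chain: back to the zone policy

    def rules(self, src, proto, port, now):
        """/etc/shorewall/rules: only packets matching the two SSHKnock
        lines enter the action chain; all else goes straight to policy."""
        if (proto, port) == ("tcp", 22) or (proto == "udp" and port in KNOCK_PORTS):
            return self.sshknock(src, proto, port, now)
        return "POLICY"


def scenario():
    """Constructed packet sequence from one source; returns verdicts and log."""
    fw = Firewall()
    src = "203.0.113.7"   # constructed documentation address
    verdicts = [
        fw.rules(src, "tcp", 22, 0),      # before any knock: not enabled
        fw.rules(src, "udp", 5000, 1),    # other UDP port: never enters chain
        fw.rules(src, "udp", 1599, 2),    # knock: dropped, but enables src
        fw.rules(src, "tcp", 22, 10),     # inside window: accepted
        fw.rules(src, "udp", 1600, 20),   # disable knock
        fw.rules(src, "tcp", 22, 25),     # disabled again
        fw.rules(src, "udp", 1599, 30),   # knock again
        fw.rules(src, "tcp", 22, 95),     # 65 s later: window expired
    ]
    return verdicts, fw.log
```

The log never shows the udp/5000 packet: it was routed to the policy by the rules file and the un-ported log rule inside the action never saw it.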
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/