Re: [Shorewall-users] Logging documentation
On 10/26/2016 11:10 AM, Bill Shirley wrote:
> Like the attached file?
>

Perfect!

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \

--
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Logging documentation
Like the attached file?

Bill

On 10/25/2016 2:24 PM, Tom Eastep wrote:
On 10/25/2016 10:33 AM, Tom Eastep wrote:
On 10/23/2016 06:41 AM, Bill Shirley wrote:

Thanks Bill -- I'll get something into 5.0.14.

Although it sure would be nice to have all of your examples in a text attachment rather than in the HTML body of the email where all of the line breaks have been stripped out...

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \

I was thinking you might want an example in the logging documentation of using a comma after the log TAG:

/etc/shorewall/rules (hen is a local zone):

    REJECT(icmp-proto-unreachable):notice:IPv6            hen  inet  41  # who's using IPv6 tunneling
    REJECT(icmp-proto-unreachable):notice:IPv6,tunneling  hen  inet  41  # who's using IPv6 tunneling

The first REJECT produces:

    prefix "Shorewall:IPv6:REJECT(icmp-p "

and the second:

    prefix "Shorewall:IPv6:tunneling:"

Also, the first rule generates a warning:

    Compiling /etc/shorewall/rules...
    WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p " /etc/shorewall/rules (line 212)

I use LOGTAGONLY=Yes.

As a side note, I recommend blocking all tunneling because it bypasses the firewall rules:

    ?COMMENT tunneling
    REJECT(icmp-proto-unreachable):notice:IPv6,tunneling  hen  inet  41  # who's using IPv6 tunneling
    REJECT(icmp-port-unreachable)  hen  inet  tcp,udp  teredo
    REJECT(icmp-port-unreachable)  hen  inet  tcp,udp  isakmp,ipsec-nat-t

Here is an example of logging traffic only once:

/etc/shorewall/init:

    ipset -exist create IPv4 hash:ip timeout 86400
    ipset -exist create IPv4-port hash:ip,port timeout 14400

/etc/shorewall/rules (at the top):

    ?SECTION NEW
    # --
    ?COMMENT drop previously flagged
    DROP  inet:+IPv4[src]  fw
    DROP  inet:+IPv4-port[src,dst]  fw
    ?COMMENT
    # --
    ?COMMENT drop Russian Federation
    ADD(+IPv4:src):info:IPv4,Russia  inet:^[RU]  fw
    ?COMMENT drop Taiwan email
    ADD(+IPv4-port:src,dst):info:IPv4-port,Taiwan  inet:^[TW]  fw  tcp  smtp,smtps,submission
    # --
    ?COMMENT drop newly flagged
    DROP  inet:+IPv4-port[src,dst]  fw
    DROP  inet:+IPv4[src]  fw

The first ADD drops everything from an IP address and the second drops an IP address/port combination.
After all the rules have been checked, at the bottom of /etc/shorewall/rules:

    # =
    # === H@ck0rz =
    # =
    ?COMMENT dont whack myself
    REJECT:notice  inet:$ME_NET  fw
    ?COMMENT not public
    ADD(+IPv4-port:src,dst)  inet  fw  tcp,udp  domain
    ADD(+IPv4-port:src,dst)  inet  fw  tcp  ldap,ldaps
    ADD(+IPv4-port:src,dst)  inet  fw  tcp,udp  ipp
    ?COMMENT H@ck0rz
    ADD(+IPv4:src)  inet  fw  tcp  ssh
    ADD(+IPv4:src)  inet  fw  tcp  ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
    ADD(+IPv4:src)  inet  fw  tcp,udp  ms-sql-s,ms-sql-m
    ?COMMENT drop if added
    DROP:info:BAN,IPv4  inet:+IPv4[src]  fw
    DROP:info:BAN,IPv4-port  inet:+IPv4-port[src,dst]  fw

One final note:
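
An added example, not part of the original messages and not Shorewall's own code: a small Python check that models the log-prefix behaviour reported in the message above and flags rules whose prefix would be shortened, which matters to anyone matching on these prefixes in log analysis. It assumes LOGTAGONLY=Yes, a LOGFORMAT of "Shorewall:%s:%s:" and the 29-character limit on the netfilter log prefix; the function names and the sample rules are constructed for illustration, and only rules that carry a log tag are modelled.

```python
# Added example: models the log-prefix behaviour shown in the message above.
# Assumptions: LOGTAGONLY=Yes, LOGFORMAT "Shorewall:%s:%s:", 29-char prefix limit.
LOGFORMAT = "Shorewall:%s:%s:"   # assumed LOGFORMAT setting
MAX_PREFIX = 29                  # longest prefix the netfilter LOG target accepts

# Constructed sample input, based on the rules quoted in the message.
SAMPLE_RULES = """\
?COMMENT tunneling
REJECT(icmp-proto-unreachable):notice:IPv6           hen  inet  41  # no comma
REJECT(icmp-proto-unreachable):notice:IPv6,tunneling hen  inet  41
ADD(+IPv4-port:src,dst):info:IPv4-port,Taiwan  inet:^[TW]  fw  tcp  smtp,smtps,submission
DROP:info:BAN,IPv4-port  inet:+IPv4-port[src,dst]  fw
REJECT(icmp-port-unreachable)  hen  inet  tcp,udp  teredo
"""


def split_action(action):
    """Split an ACTION column on ':' while ignoring colons inside (...)."""
    parts, depth, current = [], 0, ""
    for ch in action:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def log_prefix(action):
    """Return (prefix, shortened) for a tagged logging rule, else None."""
    parts = split_action(action)
    if len(parts) < 3 or not parts[2]:
        return None                      # no log level or no tag: not modelled here
    target, tag = parts[0], parts[2]
    name, _, disposition = tag.partition(",")
    prefix = LOGFORMAT % (name, disposition or target)
    if len(prefix) > MAX_PREFIX:
        # Same result as the compiler warning: 28 characters plus a space.
        return prefix[:MAX_PREFIX - 1] + " ", True
    return prefix, False


def lint_rules(text):
    """List (line number, shortened prefix) for rules whose prefix is cut."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue                     # comments and ?DIRECTIVES carry no ACTION
        result = log_prefix(line.split()[0])
        if result and result[1]:
            findings.append((lineno, result[0]))
    return findings


if __name__ == "__main__":
    for lineno, prefix in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: log prefix shortened to {prefix!r}")
```

Only the rule without the comma is reported; giving the tag a second, comma-separated part keeps every other sample prefix inside the limit.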
Re: [Shorewall-users] Cinnamon desktop sometimes failing to start
On 10/26/2016 07:13 AM, Philip Le Riche wrote:
> I'm running Shorewall (latest version downloaded a couple of months
> ago) on Linux Mint Cinnamon. The GUI login screen always comes up
> on boot, but after logging in, maybe once in half a dozen goes, I
> get a message that Cinnamon has crashed and it enters a Fallback
> Mode. I mentioned it a while back and was recommended to do
> shorewall dump and to grab Xorg.0.log, which was tricky at the time
> since Fallback Mode, incredibly, doesn't seem to offer a shell!
>
> I managed to get a shell this morning and did just that. Shorewall
> dump said /var/log/messages didn't exist (which I confirmed) and
> Xorg.0.log is appended, though it shows nothing untoward that I can
> see.

So set LOGFILE in shorewall.conf to point to the log where Shorewall messages are being sent.

>
> My hunch is that the Cinnamon desktop is trying to use something
> that Shorewall hasn't quite finished twiddling with. The
> variability would certainly suggest a timing problem. However, it
> may be nothing to do with Shorewall, but if someone could cast an
> eye over the log I'd be grateful.
>

Unfortunately, the X log didn't show anything out of the ordinary that I could see.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \
[Shorewall-users] Shorewall 5.0.14 Beta 1
Shorewall 5.0.14 Beta 1 is now available for testing.

Problems Corrected:

1) This release includes defect repair up through Shorewall 5.0.13.4.

New Features:

1) /etc/shorewall[6]/masq has been superseded by /etc/shorewall[6]/snat. The new 'snat' file is similar to most of the other configuration files in that the first column specifies the ACTION to be performed, the second contains the SOURCE and so on. The 'shorewall[6] update' command will convert an existing masq file into the equivalent 'snat' file and will rename masq to masq.bak. See shorewall[6]-snat(5) for details.

2) Actions (both inline and regular) are now supported out of the new snat file. Like other actions, these 'SNAT actions' must be declared in the /etc/shorewall[6]/actions file where the new 'nat' option must be specified. Like other actions, the action rules are placed in a file named action.. Those rules have the same format as those in the snat file with two restrictions:

   1. The '+' is not allowed in the ACTION column to specify that the rules should be applied before one-to-one NAT. It must rather be specified when the action is invoked.

   2. Interface names are not permitted in the DEST column, so all of the rules apply to the interface(es) specified when the action was invoked.

   See http://www.shorewall.org/Actions.html#idp66163888 for additional information.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \
[Shorewall-users] Cinnamon desktop sometimes failing to start
I'm running Shorewall (latest version downloaded a couple of months ago) on Linux Mint Cinnamon. The GUI login screen always comes up on boot, but after logging in, maybe once in half a dozen goes, I get a message that Cinnamon has crashed and it enters a Fallback Mode. I mentioned it a while back and was recommended to do shorewall dump and to grab Xorg.0.log, which was tricky at the time since Fallback Mode, incredibly, doesn't seem to offer a shell!

I managed to get a shell this morning and did just that. Shorewall dump said /var/log/messages didn't exist (which I confirmed) and Xorg.0.log is appended, though it shows nothing untoward that I can see.

My hunch is that the Cinnamon desktop is trying to use something that Shorewall hasn't quite finished twiddling with. The variability would certainly suggest a timing problem. However, it may be nothing to do with Shorewall, but if someone could cast an eye over the log I'd be grateful.

Regards - Philip