Tom Eastep wrote:
> At a high level, the failing rule parses to:
>
> -A logdrop
> --match limit --limit 5/minute --limit-burst 3 <===================
> -j LOG --log-level info --log-prefix Shorewall:logdrop:DROP:
>
> Shorewall creates 'logdrop' so we can assume it is there.
>
> You have verified that the LOG target is supported.
>
> That leaves the match marked with <====== which requires limit match. See
> http://www.shorewall.net/kernel.htm to figure out which config option that
> is and on which kernels.

Actually, I did look there. The issue is that on a general purpose kernel (as at that link) every one of the CONFIG_NETFILTER_XT_MATCH_* modules is set to "m". The system in question runs off of a 500Mb flash drive, space is tight (the system disk is at 87% as is), so the vendor ships as few modules as possible for the kernel. At present it has only 4, out of 17, of these modules.

I'm looking for the minimum number of modules to keep Shorewall happy, when it is configured to block a few port/address combinations on the public interface. Log limits aren't something we'd want to do without though, since that could result in the syslogd on the system handling logging for this box getting swamped with messages. Conversely, completely eliminating log messages would mean flying blind, which isn't great either.

Hopefully adding CONFIG_NETFILTER_XT_MATCH_LIMIT=m will be enough.

Thanks,

David Mathog
[EMAIL PROTECTED]
Manager, Sequence Analysis Facility, Biology Division, Caltech

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
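The question in this thread is which netfilter kernel options a trimmed vendor kernel must carry for a rate-limited LOG rule to load. The script below is an added example, not code from the thread or from the Shorewall project: it reads a kernel `.config` (here a constructed excerpt standing in for `/boot/config-$(uname -r)` or `zcat /proc/config.gz`) and reports which of a list of required options are built in (`y`), modular (`m`), or absent. The option list itself is an assumption covering the rule quoted above (the LOG target and the `limit` match) plus the `state` match and the xtables core; it is a parameter, so it can be replaced with the list from the Shorewall kernel page for the kernel in question.

```shell
#!/bin/sh
# Added example: check a kernel .config for the netfilter options that a
# Shorewall 'logdrop' rule with rate-limited logging depends on.

# Constructed .config excerpt (not a real vendor kernel): the LOG target,
# state and multiport matches are modular, the limit match is absent.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set'

# Assumed minimum for the quoted rule: xtables core, LOG target, limit
# match, plus the state match Shorewall uses for connection tracking.
# Replace with the list from http://www.shorewall.net/kernel.htm as needed.
REQUIRED='CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_TARGET_LOG CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XT_MATCH_STATE'

# config_state OPTION CONFIG_TEXT -> prints y, m, or missing.
# A "# OPTION is not set" comment line does not match "^OPTION=" and so
# correctly reports as missing.
config_state() {
    opt=$1
    cfg=$2
    val=$(printf '%s\n' "$cfg" | sed -n "s/^$opt=\(.\)$/\1/p")
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'missing\n' ;;
    esac
}

# missing_options CONFIG_TEXT -> space-separated required options that are
# neither built in nor available as modules.
missing_options() {
    cfg=$1
    out=''
    for opt in $REQUIRED; do
        if [ "$(config_state "$opt" "$cfg")" = missing ]; then
            out="$out $opt"
        fi
    done
    printf '%s\n' "${out# }"
}

# Stand-alone run: print a status line per option, then the missing set.
for opt in $REQUIRED; do
    printf '%-40s %s\n' "$opt" "$(config_state "$opt" "$SAMPLE_CONFIG")"
done
printf 'missing: %s\n' "$(missing_options "$SAMPLE_CONFIG")"
```

On the live box, the same check against the running kernel is `missing_options "$(zcat /proc/config.gz)"` where `/proc/config.gz` is available, or against `/boot/config-$(uname -r)`. A complementary runtime check that does not depend on finding the config file is `iptables -m limit --help`, which prints the limit match options only if the extension can actually be loaded; a missing module there shows up as the same "No chain/target/match" style failure the original rule produced.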
