Greetings

Comment and log commands with -log-prefix modifier seem to be generating 
actual loaded rules that are incorrect in newly created and upgraded Fedora 17 
systems. I think it might have something to do with the way the double quote is 
being interpreted, as that seems to be common between the two issues, and if I 
take a single rule in the compiled output file and modify out (delete) the 
double quotes and then start that compiled file, it creates the rule correctly. 
This only works on comments and log commands with no spaces.

I am not getting any errors during compile or load, and all the 
rules/functionality of the firewall seem to be intact. The only noticeable 
issue is that logging output has an incorrect prefix.

It doesn't seem to be an iptables issue, as I can take a compiled line as-is 
and run it using the iptables command directly, and it loads fine.

Steps to reproduce:

1. Minimal install of Fedora 17, single interface
2. Get all yum updates
3. Use yum to install shorewall-core, shorewall (v4.5.4), and all
   dependencies - but I tested with 4.5.5.1 and found same results
4. Stop and disable iptables
5. Configure shorewall (config files attached in config.zip)
6. Shorewall start
7. Shorewall show (output is shorewall.show.1) (attached)


Some sample problematic lines:

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* --c */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* --co */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* --comment */


If it might be helpful, I also ran the command shorewall compile 
firewall.compiled (attached)

And to wrap it up, have included the output from shorewall dump > shorewall.dump

Any thoughts would be appreciated.


Thank you


-Don
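
Added example, not part of the original post and not Shorewall code: a check that scans a rule listing for the symptom shown in the sample lines above, where the loaded LOG prefix or comment text is itself an option-like string starting with "--". The function names and the two "healthy" sample rules are constructed for illustration; the four suspect rules are the ones quoted in the post, one rule per line as iptables prints them.

```shell
#!/bin/sh
# Flag loaded rules whose LOG prefix or comment value begins with "--",
# i.e. an option name ended up where the quoted value should be.

# Reads `shorewall show` / `iptables -L -n -v` style output on stdin and
# prints each suspect rule, prefixed with its input line number.
find_suspect_rules() {
    awk '
        # LOG target with prefix "--..."  or  comment match /* --... */
        index($0, "prefix \"--") || index($0, "/* --") { print NR ": " $0 }
    '
}

# Number of suspect rules on stdin (0 means the listing looks sane).
count_suspect_rules() {
    find_suspect_rules | wc -l | tr -d ' '
}

# Sample listing: lines 1, 3, 4, 5 are from the post; lines 2 and 6 are
# constructed examples of correctly loaded rules.
sample_listing() {
cat <<'EOF'
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* --c */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* --co */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* --comment */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* UPnP */
EOF
}

# Demo on the embedded sample; on a live system: shorewall show | find_suspect_rules
sample_listing | find_suspect_rules
```

Because the firewall still loads without errors in this failure mode, a check like this after `shorewall start` is the only signal that log prefixes and comments were mangled.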


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users