On 10/31/2013 8:56 AM, Sassy Natan wrote:
> Hi Group,
> 
> Congratulation about shorewall.org <http://shorewall.org> !
> No question shorewall is the best tool I know for playing with iptables
> rules!

Thanks

> 
> Second I wonder if any one can help me with the following: 
> 
> 1. I'm trying to configure a rule with the NFLOG option.
> I manage to make it work with ULOG without any problem, but making it
> work with NFLOG doesn't seem to work :-(

'It doesn't work' isn't very helpful. Does Shorewall complain about the
rule or are you just not getting any packets logged. Based on your next
question, I assume the latter.

> My question is if the netfilter userspace log daemon (ULOG) knows how to
> capture NFLOG msg. 
> At the moment I'm using ULOG version 1.X.
> Is this only supported via ULOG version 2.0?

NFLOG is only supported with ULOG 2.

> 
> I'm using ulog version 1 because this is the native version my CentOS
> machine supports, and installing it from source requires me to update a lot
> of packages, which I want to avoid.
> 
> 2. What is the true difference between ULOG and NFLOG?
> 

NFLOG has replaced ULOG. ULOG only works with IPv4; NFLOG works with
both IPv4 and IPv6.

From iptables-extensions(8)

 NFLOG

This  target  provides  logging  of  matching  packets.  When this
target is set for a rule, the Linux kernel will pass the packet to the
loaded logging backend to log the packet. This is usually used in
combination with nfnetlink_log as logging backend, which will multicast
the packet through a netlink  socket  to  the  specified  multicast
group.  One or more userspace processes may subscribe to the group to
receive the packets. Like LOG, this is a non-terminating target, i.e.
rule traversal continues at the next rule.

       --nflog-group nlgroup
              The netlink group (0 - 2^16-1) to which packets are sent (only
applicable for nfnetlink_log). The default value is 0.

       --nflog-prefix prefix
              A prefix string to include in the log message, up to 64
characters long, useful for distinguishing messages in the logs.

       --nflog-range size
              The number of bytes to be copied to userspace (only
applicable for nfnetlink_log). nfnetlink_log instances may specify their
own range, this option overrides it.

       --nflog-threshold size
              Number of packets to queue inside the kernel before
sending them to userspace (only applicable for nfnetlink_log). Higher
values result in less overhead per packet, but increase delay until the
packets reach userspace. The default value is 1.

   ULOG (IPv4-specific)
       This  target provides userspace logging of matching packets.
When this target is set for a rule, the Linux kernel will multicast this
packet through a netlink socket. One or more userspace processes may
then subscribe to various multicast groups and receive the packets.
Like LOG, this is a "non-terminating target", i.e. rule traversal
continues at the next rule.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the
packet is sent.  Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32
characters long, and useful for distinguishing messages in the logs.

       --ulog-cprange size
              Number of bytes to be copied to userspace.  A value of 0
always copies the entire packet, regardless of its size.  Default is 0.

       --ulog-qthreshold size
              Number  of packet to queue inside kernel.  Setting this
value to, e.g. 10 accumulates ten packets inside the kernel and
transmits them as one netlink multipart message to userspace.  Default
is 1 (for backwards compatibility).

> 3. I'm not sure I got it right from the documentation
> at http://www.shorewall.net/shorewall_logging.html
> 
> Where do I configure the shorewall LEVEL?
> It says it has the following:
> 
> *debug,info,error, etc....*
> 
> but I don't see where to change it under the shorewall configuration

You need to keep reading in that section. There are many settings in
shorewall.conf that accept a log level, and rules in many files also
allow a log level.
> 
> 4. A rule like this 
> ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence)      fw      all     all
> 
> Doesn't seem to work.
> I'm getting Invalid log level
> (info(tcp_options,ip_options,macdecode,tcp_sequence))
> 
> Why? any idea?

When you ask for help, it is important to tell us which Shorewall
version you are running (see the output of 'shorewall version'). Your
version may be too old.

> 
> 5. Under ULOG, you have the option to configure nlgroup. The default is 1,
> but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save
> logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done?
> Does this mean I need to run 3 different ULOG processes?
> I didn't manage to find how to do it in ulog.conf

I believe that with ulogd 1, you need to run separate daemons. In
version 2, you can configure multiple sources.

Disclaimer -- I wrote Shorewall, not ulogd :-)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
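As an added illustration of Tom's last point (this is not part of the original thread, nor ulogd's own shipped configuration), here is a ulogd 2 configuration that subscribes to two NFLOG groups from a single daemon and writes each group to its own file, which is what point 5 of the question asks for. It assumes ulogd 2.x with the stock plugins installed under /usr/lib/ulogd/ (that path is an assumption and differs between distributions), and that the firewall sends packets to groups 1 and 2, e.g. with `-j NFLOG --nflog-group 2` as in the man page excerpt above, or with a Shorewall log level of the form NFLOG(2).

```ini
# ulogd.conf for ulogd 2.x: one NFLOG input per netlink group, one
# LOGEMU (syslog-style text) output per group. Added example, not the
# project's shipped config; plugin paths are assumed and vary by distro.
[global]
logfile="/var/log/ulogd.log"
loglevel=5

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# A stack is one processing chain: input -> decode -> format -> output.
# Both stacks share the decode/format instances; only the NFLOG input
# (which group it listens on) and the LOGEMU output (which file) differ.
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu2:LOGEMU

[log1]
# receives packets from rules using -j NFLOG --nflog-group 1
# (Shorewall log level NFLOG(1), assumed syntax)
group=1

[log2]
# receives packets from rules using -j NFLOG --nflog-group 2
# (Shorewall log level NFLOG(2), assumed syntax)
group=2

[emu1]
file="/var/log/ulog/1.log"
sync=1

[emu2]
file="/var/log/ulog/2.log"
sync=1
```

A third group is just one more `stack=` line plus `[log3]`/`[emu3]` sections. One ulogd process serves all of them, which is the difference from ulogd 1 that Tom describes; note that the NFLOG group numbers here are the `--nflog-group` values (0 to 2^16-1), not ULOG's `--ulog-nlgroup` values (1-32), so rules have to be converted from `-j ULOG` to `-j NFLOG` at the same time as the daemon is upgraded.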