On 1/29/2014 5:58 AM, Bill Shirley wrote:
> Just wanted to report a bug in Shorewall. I've looked for a Shorewall
> bugzilla but couldn't find one.
>
> I just discovered that using an ADD rule with logging, Shorewall uses a
> '-g' instead of a '-j' for the target in iptables. This makes a new
> connection hit my 'all all REJECT notice' instead of my 'inet all DROP
> info'. Also, no other rule following the ADD with logging will be used.
>
> [0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall
> shorewall-core-4.5.15-1.fc19.noarch
> shorewall-4.5.15-1.fc19.noarch
>
>
> /etc/shorewall/rules:
> ?COMMENT timeout port scanners
> ADD(+IpOneDay:src)          inet    fw    tcp    22        # uses -j
> ADD(+IpOneDay:src):notice   inet    fw    udp    80,443    # no such udp service: uses -g
> ADD(+IpOneDay:src):notice   inet    fw    tcp    8443
>
>
> /etc/shorewall/policy:
> #-------------------------------------------------------------------------------
> #inet    all    REJECT    info
> inet     all    DROP      info
>
>
> #-------------------------------------------------------------------------------
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> #-------------------------------------------------------------------------------
> all      all    REJECT    notice
> #all     all    DROP      notice
>
>
> /var/lib/shorewall/.restart:
> -A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
> -A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4 -m comment --comment "timeout port scanners"
> -A inet-fw -p 6 --dport 8443 -g ~log4 -m comment --comment "timeout port scanners"
> -A inet-fw -p 17 --dport 1063:1067 -g ~log3 -m comment --comment "timeout port scanners"
> -A inet-fw -j Drop
>
>
> iptables -nvL:
> Chain ~log4 (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: up to 3/min burst 2 mode srcip /* timeout port scanners */ LOG flags 0 level 5 prefix "Shorewall:inet-fw:ADD(+IpOne "
>     0     0 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* timeout port scanners */ add-set IpOneDay src
>
The attached patch seems to correct the problem.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index c373704..8cf19ed 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1896,6 +1896,8 @@ add_command() {
ipset=6_${zone}_${interface};
fi
+ ipset=$(echo $ipset | sed 's/./_/g');
+
if ! qt $IPSET -L $ipset; then
fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
fi
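Review bot: the added line `ipset=$(echo $ipset | sed 's/./_/g');` uses an unescaped `.`, which in a sed regular expression matches any character, so the whole set name becomes a string of underscores and the `qt $IPSET -L $ipset` check that follows tests a name that cannot exist. If the goal is to turn dots (presumably from `${interface}`) into underscores, escape it: `sed 's/\./_/g'`. Quoting the variable as `echo "$ipset"` would also keep the shell from word-splitting or glob-expanding the name before it reaches sed.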
@@ -1984,6 +1986,8 @@ delete_command() {
ipset=6_${zone}_${interface};
fi
+ ipset=$(echo $ipset | sed 's/./_/g');
+
if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
fi
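Review bot: same defect as in add_command(): `sed 's/./_/g'` rewrites every character rather than only dots, so the name handed to `qt $IPSET -L $ipset -n` is garbled and the "does not have a dynamic host list" error will fire for every set; use `sed 's/\./_/g'`. Since the identical substitution now appears in both add_command() and delete_command(), consider moving it into one helper so the two copies cannot drift apart (the surrounding `-L` checks already differ in the `-n` flag).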
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
