On 1/30/2014 1:15 PM, Tom Eastep wrote:
> On 1/29/2014 5:58 AM, Bill Shirley wrote:
>> Just wanted to report a bug in Shorewall. I've looked for a Shorewall
>> bugzilla but couldn't find one.
>>
>> I just discovered that using an ADD rule with logging, Shorewall uses a
>> '-g' instead of a '-j' for the target in iptables. This makes a new
>> connection hit my 'all all REJECT notice' instead of my 'inet all DROP
>> info'. Also, no other rule following the ADD with logging will be used.
>>
>> [0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall
>> shorewall-core-4.5.15-1.fc19.noarch
>> shorewall-4.5.15-1.fc19.noarch
>>
>>
>> /etc/shorewall/rules:
>> ?COMMENT timeout port scanners
>> ADD(+IpOneDay:src)        inet    fw    tcp    22        # uses -j
>> ADD(+IpOneDay:src):notice inet    fw    udp    80,443    # no such udp service: uses -g
>> ADD(+IpOneDay:src):notice inet    fw    tcp    8443
>>
>>
>> /etc/shorewall/policy:
>> #-------------------------------------------------------------------------------
>> #inet    all    REJECT    info
>> inet     all    DROP      info
>>
>>
>> #-------------------------------------------------------------------------------
>> #
>> # THE FOLLOWING POLICY MUST BE LAST
>> #
>> #-------------------------------------------------------------------------------
>> all      all    REJECT    notice
>> #all     all    DROP      notice
>>
>>
>> /var/lib/shorewall/.restart:
>> -A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
>> -A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4 -m comment --comment "timeout port scanners"
>> -A inet-fw -p 6 --dport 8443 -g ~log4 -m comment --comment "timeout port scanners"
>> -A inet-fw -p 17 --dport 1063:1067 -g ~log3 -m comment --comment "timeout port scanners"
>> -A inet-fw -j Drop
>>
>>
>> iptables -nvL:
>> Chain ~log4 (2 references)
>>  pkts bytes target  prot opt in  out  source     destination
>>     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0    limit: up to 3/min burst 2 mode srcip /* timeout port scanners */ LOG flags 0 level 5 prefix "Shorewall:inet-fw:ADD(+IpOne "
>>     0     0 SET     all  --  *   *    0.0.0.0/0  0.0.0.0/0    /* timeout port scanners */ add-set IpOneDay src
>>
>
> The attached patch seems to correct the problem.
Oops -- I responded to the wrong email from Bill -- this patch actually
corrects the problem with 'shorewall add' and 'shorewall delete' when the
interface name contains a period (VLAN).

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
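The behaviour Bill describes follows from how netfilter treats `-g` (goto) differently from `-j` (jump): a user chain entered with `-j` pushes a frame, so a RETURN from it resumes at the next rule of the caller, whereas a chain entered with `-g` replaces the frame, so its RETURN unwinds to the caller's caller and the rules after the `-g` rule (here `-A inet-fw -j Drop`, the `inet all DROP` policy) are never consulted. The packet then lands on the next rule of the parent chain, which is the `all all REJECT notice` policy. The following model is an added illustration for this thread, not Shorewall or iptables code; since a real ruleset cannot be loaded without root and a netfilter kernel, it re-implements jump/goto semantics over a constructed copy of the chains from the report. The parent chain (called INPUT) and its trailing Reject rule are assumptions standing in for the catch-all policy, and only protocol and destination port are matched.

```python
"""Model of iptables chain traversal: `-j` (jump) versus `-g` (goto).

Added illustration for the Shorewall-users thread, not Shorewall or
iptables code.  The ruleset is constructed by hand from the
/var/lib/shorewall/.restart lines in the bug report.  The parent chain
(INPUT) with its trailing Reject rule is an assumption standing in for the
'all all REJECT notice' policy; Shorewall's real generated chains differ.
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def rule(target, mode="j", proto=None, dports=None, **extra):
    """One rule: optional proto/dport matches, a target, and how the target
    is reached: "j" (jump, push a frame) or "g" (goto, replace the frame)."""
    return {"target": target, "mode": mode, "proto": proto,
            "dports": dports, **extra}


def build_chains(mode_for_log):
    """Chains mirroring the report; mode_for_log is "g" (what Shorewall
    4.5.15 emitted for the logged ADD rules) or "j" (the intended form)."""
    return {
        # Assumed parent chain: dispatch to inet-fw, then the catch-all
        # 'all all REJECT notice' policy chain.
        "INPUT": [
            rule("inet-fw"),
            rule("Reject"),
        ],
        "inet-fw": [
            rule("SET", proto="tcp", dports={22}, set="IpOneDay"),
            rule("~log4", mode_for_log, proto="udp", dports={80, 443}),
            rule("~log4", mode_for_log, proto="tcp", dports={8443}),
            rule("Drop"),                      # 'inet all DROP info' policy
        ],
        "~log4": [
            rule("LOG", prefix="Shorewall:inet-fw:ADD(+IpOne "),
            rule("SET", set="IpOneDay"),
            # implicit RETURN at the end of a user-defined chain
        ],
        # Policy chains reduced to their final verdict.
        "Drop": [rule("DROP")],
        "Reject": [rule("REJECT")],
    }


def matches(r, pkt):
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["dports"] is not None and pkt["dport"] not in r["dports"]:
        return False
    return True


def walk(chains, name, pkt, trace):
    """Traverse chain `name`; return a terminating verdict or "RETURN"."""
    for r in chains[name]:
        if not matches(r, pkt):
            continue
        target = r["target"]
        if target == "LOG":                       # non-terminating targets
            trace.append(f"{name}: LOG prefix '{r['prefix']}'")
            continue
        if target == "SET":
            trace.append(f"{name}: SET add-set {r['set']}")
            continue
        if target in TERMINATING:
            trace.append(f"{name}: {target}")
            return target
        if target == "RETURN":
            return "RETURN"
        # User-defined chain.
        verdict = walk(chains, target, pkt, trace)
        if r["mode"] == "g":
            # goto: the callee's RETURN returns from *this* chain as well, so
            # the rules after this one (here: -j Drop) are never evaluated.
            trace.append(f"{name}: goto {target} -> {verdict}")
            return verdict
        if verdict != "RETURN":
            return verdict
        # jump + RETURN: carry on with the next rule in this chain.
    return "RETURN"


def evaluate(mode_for_log, pkt):
    """Run one packet through the modelled ruleset; return (verdict, trace)."""
    trace = []
    verdict = walk(build_chains(mode_for_log), "INPUT", pkt, trace)
    return verdict, trace


if __name__ == "__main__":
    scan = {"proto": "tcp", "dport": 8443}       # constructed sample packet
    for mode in ("g", "j"):
        verdict, trace = evaluate(mode, scan)
        print(f"-{mode} ~log4: final verdict {verdict}")
        for line in trace:
            print("   ", line)
```

With `-g` the tcp/8443 packet is logged and added to the set, but the RETURN at the end of `~log4` leaves `inet-fw` altogether and the packet ends on REJECT; with `-j` the same packet continues to `-A inet-fw -j Drop` and is dropped, which is what the `inet all DROP info` policy intends. The tcp/22 rule, which Shorewall emitted with a plain `-j SET`, reaches Drop either way.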
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
