Hello list,

I've recently installed a new ADSL modem, and now I'm trying to get it to log
to my LAN server. The modem seems to be sending log messages but Shorewall is
dropping them at the server.

I have the following:

# grep Syslog /etc/shorewall/rules
Syslog(ACCEPT) net:192.168.1.1 $FW

192.168.1.1 is the ADSL modem, the syslog-ng client.

# cat /usr/share/shorewall/macro.Syslog
?FORMAT 2
PARAM - - udp 514
PARAM - - tcp 514
<snipped comments>

And yet:

# shorewall show log
Shorewall 4.6.6.2 Log (/var/log/messages) at serv - Wed 6 May 15:52:43 BST
2015

Counters reset Wed 6 May 14:39:52 BST 2015

May 6 15:34:52 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=37
May 6 15:35:37 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=121 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=101
May 6 15:36:57 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=37
May 6 15:38:10 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964
DPT=514 LEN=63
<snipped more similar entries>

Serv is the name of the syslog-ng server.

# grep Shorewall /var/log/messages
--->8
May 6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT=
MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1
DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=32964 DPT=514 LEN=63
--->8

Ifconfig shows 70:71:bc:94:ee:71 as the MAC address of the server's one
Ethernet interface.

/etc/shorewall/rules has several more rules, all of which do their jobs, e.g:

Squid(ACCEPT) net:192.168.1.3 $FW
Squid(ACCEPT) net:192.168.1.6 $FW
SSH(ACCEPT) net:192.168.1.3 $FW
SSH(ACCEPT) net:192.168.1.6 $FW

Where's the inconsistency? If the Squid and SSH rules work, why doesn't the
Syslog rule?

Or are the extra 8 bytes in the MAC address the problem? Of course I can't
change the format of the modem's output, so in that case I'll need to tell
Shorewall to ignore them - is that possible?

Can someone shed some light on this, please?

--
Rgds
Peter
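
Added example, not part of the original message and not Shorewall code: a small Python parser for the kernel log line quoted above. It splits the MAC= value into the 14-byte Ethernet header that the netfilter LOG target prints (destination MAC, source MAC, EtherType) and extracts the chain, disposition and packet fields that a rule has to match. The function names are hypothetical; the sample line is the one from the message with the mail wrapping undone.

```python
import re

# Log line copied from the message above, mail line-wrapping undone.
SAMPLE = ("May 6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
          "MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1 "
          "DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
          "SPT=32964 DPT=514 LEN=63")

# Prefix as it appears in the quoted line: Shorewall:<chain>:<disposition>:
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def split_mac(mac):
    """Split the kernel's MAC= value into its Ethernet II header parts."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets, got %d" % len(octets))
    return {
        "dst_mac": ":".join(octets[0:6]),      # receiving interface
        "src_mac": ":".join(octets[6:12]),     # sending host
        "ethertype": "0x" + "".join(octets[12:14]),  # 0x0800 is IPv4
    }


def parse_line(line):
    """Return chain, disposition and packet fields of one log line."""
    m = PREFIX.search(line)
    if m is None:
        raise ValueError("no Shorewall log prefix found")
    out = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in FIELD.findall(line[m.end():]):
        # LEN appears twice for UDP: IP total length, then UDP length.
        if key == "LEN" and "LEN" in out:
            key = "UDP_LEN"
        out[key] = value
    if out.get("MAC"):
        out.update(split_mac(out["MAC"]))
    return out


if __name__ == "__main__":
    for k, v in parse_line(SAMPLE).items():
        print("%-12s %s" % (k, v))
```
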