| 1 |
Hello list, |
| 2 |
|
| 3 |
I've recently installed a new ADSL modem, and now I'm trying to get it to log |
| 4 |
to my LAN server. The modem seems to be sending log messages but Shorewall is |
| 5 |
dropping them at the server. |
| 6 |
|
| 7 |
I have the following: |
| 8 |
|
| 9 |
# grep Syslog /etc/shorewall/rules |
| 10 |
Syslog(ACCEPT) net:192.168.1.1 $FW |
| 11 |
|
| 12 |
192.168.1.1 is the ADSL modem, the syslog-ng client. |
| 13 |
|
| 14 |
# cat /usr/share/shorewall/macro.Syslog |
| 15 |
?FORMAT 2 |
| 16 |
PARAM - - udp 514 |
| 17 |
PARAM - - tcp 514 |
| 18 |
<snipped comments> |
| 19 |
|
| 20 |
And yet: |
| 21 |
|
| 22 |
# shorewall show log |
| 23 |
Shorewall 4.6.6.2 Log (/var/log/messages) at serv - Wed 6 May 15:52:43 BST |
| 24 |
2015 |
| 25 |
|
| 26 |
Counters reset Wed 6 May 14:39:52 BST 2015 |
| 27 |
|
| 28 |
May 6 15:34:52 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 29 |
LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 30 |
DPT=514 LEN=37 |
| 31 |
May 6 15:35:37 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 32 |
LEN=121 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 33 |
DPT=514 LEN=101 |
| 34 |
May 6 15:36:57 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 35 |
LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 36 |
DPT=514 LEN=37 |
| 37 |
May 6 15:38:10 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 38 |
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 39 |
DPT=514 LEN=63 |
| 40 |
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 41 |
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 42 |
DPT=514 LEN=63 |
| 43 |
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 |
| 44 |
LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 |
| 45 |
DPT=514 LEN=63 |
| 46 |
<snipped more similar entries> |
| 47 |
|
| 48 |
Serv is the name of the syslog-ng server. |
| 49 |
|
| 50 |
# grep Shorewall /var/log/messages |
| 51 |
--->8 |
| 52 |
May 6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= |
| 53 |
MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1 |
| 54 |
DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP |
| 55 |
SPT=32964 DPT=514 LEN=63 |
| 56 |
--->8 |
| 57 |
|
| 58 |
Ifconfig shows 70:71:bc:94:ee:71 as the MAC address of the server's one |
| 59 |
Ethernet interface. |
| 60 |
|
| 61 |
/etc/shorewall/rules has several more rules, all of which do their jobs, e.g: |
| 62 |
|
| 63 |
Squid(ACCEPT) net:192.168.1.3 $FW |
| 64 |
Squid(ACCEPT) net:192.168.1.6 $FW |
| 65 |
SSH(ACCEPT) net:192.168.1.3 $FW |
| 66 |
SSH(ACCEPT) net:192.168.1.6 $FW |
| 67 |
|
| 68 |
Where's the inconsistency? If the Squid and SSH rules work, why doesn't the |
| 69 |
Syslog rule? |
| 70 |
|
| 71 |
Or are the extra 8 bytes in the MAC address the problem? Of course I can't |
| 72 |
change the format of the modem's output, so in that case I'll need to tell |
| 73 |
Shorewall to ignore them - is that possible? |
| 74 |
|
| 75 |
Can someone shed some light on this, please? |
| 76 |
|
| 77 |
-- |
| 78 |
Rgds |
| 79 |
Peter |
Archives