At 10/31/2013 08:56 AM, you wrote:
> Congratulations on shorewall.org.
> No question, shorewall is the best tool I know for playing with iptables.
> Second, I wonder if anyone can help me with the following:
> 1. I'm trying to configure a rule with the NFLOG option.
> I managed to make it work with ULOG without any problem, but making it
> work with NFLOG doesn't seem to work.
> My question is if the netfilter userspace log daemon (ULOG) knows how to
> capture NFLOG msg.
> At the moment I'm using ULOG version 1.X.
> Is this only supported via ULOG version 2.0?
> I'm using ulog version 1 because this is the native version my CentOS
> machine supports, and installing it from source requires me to update a lot
> of packages, which I want to avoid.
> 2. What is the true difference between ULOG and NFLOG?
> 3. I'm not sure I got it right from the documentation at
> Where do I configure the shorewall LEVEL?
> It says it has the following:
> but I don't see where to change it under the shorewall
> 4. A rule like this
> fw all all
> doesn't seem to work.
> I'm getting Invalid log level
> Why? Any idea?
> 5. Under ULOG, you have the option to configure nlgroup. The default is 1,
> but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save
> logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done?
> Does this mean I need to run 3 different ULOG processes?
> I didn't manage to find how to do it in ulogd.conf
I'm running on Arch Linux, so I may be way out of touch with
systems and the following may not match with your system.
I'm also somewhat new with shorewall/iptables. I found
# shorewall check -r
to be very helpful when changing the shorewall files.
I believe you need ulogd2 and kernel > 2.6.14 for NFLOG
NFLOG is part of ulogd
ULOG is entering end-of-life. NFLOG requires support to be compiled
into the kernel.
# zcat /proc/config.gz | grep NFLOG
Use NFLOG as your log level, and as with ULOG you can specify the
group NFLOG(1,0,1). NFLOG may default to group 0?
Make sure you have your NFLOG filter stack correct in
See /usr/share/doc/ulogd/ulogd.conf for some examples.
Example rule I have:
# Drop blacklist ipset and log to ulogd.blacklist
# shorewall normal log packets group 1
# shorewall log blacklist group 4
and add logrotate for the new log.
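As an added example that is not part of this thread, the following constructed ulogd.conf shows how a single ulogd2 process answers question 5 and the group 1 / group 4 split above: two NFLOG stacks, one per netlink group, each writing to its own file. It assumes shorewall rules that log with NFLOG(1,0,1) for normal traffic and NFLOG(4,0,1) for the blacklist drops, and a Debian/Arch-style plugin path under /usr/lib/ulogd (both assumptions).

```ini
# Constructed /etc/ulogd.conf (example, not from the thread): one ulogd2
# process, two NFLOG stacks, each netlink group written to its own file.
[global]
logfile="/var/log/ulogd.log"
loglevel=3

# Plugin path is an assumption (Debian/Arch layout); adjust for your distro.
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# Stack for normal shorewall logging (rules using the NFLOG(1,0,1) level).
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# Stack for blacklist drops (rules using the NFLOG(4,0,1) level); the
# decode/filter instances are shared, only the input group and output differ.
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU

# Each NFLOG input instance binds one netlink group.
[log1]
group=1

[log4]
group=4

# Each LOGEMU output instance writes syslog-style lines to its own file.
[emu1]
file="/var/log/ulogd-normal.log"
sync=1

[emu4]
file="/var/log/ulogd-blacklist.log"
sync=1
```

Restart ulogd after editing, and give each new file its own logrotate stanza as suggested above.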