From: Tom E. <te...@sh...> - 2014-01-29 16:19:15
On 1/29/2014 5:58 AM, Bill Shirley wrote:
> Just wanted to report a bug in Shorewall. I've looked for a Shorewall
> bugzilla but couldn't find one.
>
> I just discovered that using an ADD rule with logging, Shorewall uses a
> '-g' instead of a '-j' for the target in iptables. This makes a new
> connection hit my 'all all REJECT notice' instead of my 'inet all DROP
> info'. Also, no other rule following the ADD with logging will be used.
>
> [0:root@apinetstore shorewall]$ rpm -qa | grep -i shorewall
> shorewall-core-4.5.15-1.fc19.noarch
> shorewall-4.5.15-1.fc19.noarch
>
> /etc/shorewall/rules:
> ?COMMENT timeout port scanners
> ADD(+IpOneDay:src)        inet  fw  tcp  22       # uses -j
> ADD(+IpOneDay:src):notice inet  fw  udp  80,443   # no such udp service: uses -g
> ADD(+IpOneDay:src):notice inet  fw  tcp  8443
>
> /etc/shorewall/policy:
> #-------------------------------------------------------------------------------
> #inet all REJECT info
> inet  all DROP   info
>
> #-------------------------------------------------------------------------------
> #
> # THE FOLLOWING POLICY MUST BE LAST
> #
> #-------------------------------------------------------------------------------
> all all REJECT notice
> #all all DROP notice
>
> /var/lib/shorewall/.restart:
> -A inet-fw -p 6 --dport 22 -j SET --add-set IpOneDay src -m comment --comment "timeout port scanners"
> -A inet-fw -p 17 -m multiport --dports 80,443 -g ~log4 -m comment --comment "timeout port scanners"
> -A inet-fw -p 6 --dport 8443 -g ~log4 -m comment --comment "timeout port scanners"
> -A inet-fw -p 17 --dport 1063:1067 -g ~log3 -m comment --comment "timeout port scanners"
> -A inet-fw -j Drop
>
> iptables -nvL:
> Chain ~log4 (2 references)
>  pkts bytes target  prot opt in  out  source     destination
>     0     0 LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0    limit: up to 3/min burst 2 mode srcip /* timeout port scanners */ LOG flags 0 level 5 prefix "Shorewall:inet-fw:ADD(+IpOne "
>     0     0 SET     all  --  *   *    0.0.0.0/0  0.0.0.0/0    /* timeout port scanners */ add-set IpOneDay src

The attached patch seems to correct the problem. It will apply with an offset to your version.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
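The jump/goto difference behind the quoted report, as an added example (not code from the Shorewall project or from either poster): a toy model of iptables chain traversal, fed the chains from the report, shows that `-g ~log4` hands the packet back to inet-fw's caller and on to the all/all REJECT policy, while `-j ~log4` resumes at the next inet-fw rule and reaches DROP. The INPUT, Drop and "all-all" chains are simplified assumptions.

```python
# Added example (not Shorewall's code): toy model of iptables chain traversal
# showing why "-g ~log4" (goto) instead of "-j ~log4" (jump) skips the rest of
# inet-fw. Chain and rule names follow the quoted report; INPUT, Drop and the
# policy chain "all-all" are simplified assumptions.

def traverse(chains, chain, pkt, trace=None):
    """Walk `chain` for `pkt`; return (verdict, list of matched rules).
    End of chain means RETURN to the caller of the last -j. A -g keeps no
    return point, so that RETURN skips the rules after the -g rule."""
    trace = [] if trace is None else trace
    for match, action, target in chains[chain]:
        if not match(pkt):
            continue
        trace.append(f"{chain}: {action} {target}".rstrip())
        if action in ("LOG", "SET"):              # non-terminating targets
            continue
        if action in ("ACCEPT", "DROP", "REJECT"):
            return action, trace
        if action == "-j":
            verdict, trace = traverse(chains, target, pkt, trace)
            if verdict != "RETURN":
                return verdict, trace
            continue                              # resume after the -j rule
        if action == "-g":                        # no return point is kept
            return traverse(chains, target, pkt, trace)
    return "RETURN", trace                        # end of chain reached

def build_chains(log_action):
    """Rules from the report; `log_action` is "-j" (fixed) or "-g" (bug)."""
    anything = lambda p: True
    return {
        "INPUT": [(anything, "-j", "inet-fw"), (anything, "-j", "all-all")],
        "inet-fw": [
            (lambda p: (p["proto"], p["dport"]) == ("tcp", 22), "SET", "IpOneDay"),
            (lambda p: p["proto"] == "udp" and p["dport"] in (80, 443),
             log_action, "~log4"),
            (lambda p: (p["proto"], p["dport"]) == ("tcp", 8443), log_action, "~log4"),
            (anything, "-j", "Drop"),             # the "inet all DROP" policy
        ],
        "~log4": [(anything, "LOG", "Shorewall:inet-fw:ADD"), (anything, "SET", "IpOneDay")],
        "Drop": [(anything, "DROP", "")],
        "all-all": [(anything, "REJECT", "")],    # "all all REJECT notice"
    }

def verdict_for(log_action, proto, dport):
    """Final verdict for one new connection under the given ADD target."""
    return traverse(build_chains(log_action), "INPUT", {"proto": proto, "dport": dport})[0]
```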