diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index 53e3a26eb..c83a5f60a 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -29,6 +29,12 @@
 # log message is generated. See syslog.conf(5) for a
 # description of log levels.
 #
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case). This will
+# log to the ULOG target and sent to a separate log
+# through use of ulogd
+# q(http://www.gnumonks.org/projects/ulogd).
+#
 # If you don't want to log but need to specify the
 # following column, place "_" here.
 #
diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf
index 42889ed50..4d55ff216 100644
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
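Review bot: The URL line of the new LEVEL comment has a stray `q` glued to the opening parenthesis, `+# q(http://www.gnumonks.org/projects/ulogd).`, which will be copied verbatim by anyone following the pointer, and the sentence before it reads "log to the ULOG target and sent to a separate log". I would change the two lines to `# log to the ULOG target and be sent to a separate log` and `# (http://www.gnumonks.org/projects/ulogd).`. Since the shorewall.conf note in this same commit says ULOG output bypasses syslogd entirely, it would also help to add `# ULOG messages are not routed by syslog.conf(5).` so the syslog.conf(5) reference two lines above is not taken to cover them.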
@@ -9,6 +9,35 @@
 # (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
 ##############################################################################
 #
+# General note about log levels. Log levels are a method of describing
+# to syslog (8) the importance of a message and a number of parameters
+# in this file have log levels as their value.
+#
+# Valid levels are:
+#
+# 7 debug
+# 6 info
+# 5 notice
+# 4 warning
+# 3 err
+# 2 crit
+# 1 alert
+# 0 emerg
+#
+# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
+# log messages are generated by NetFilter and are logged using facility
+# 'kern' and the level that you specifify. If you are unsure of the level
+# to choose, 6 (info) is a safe bet. You may specify levels by name or by
+# number.
+#
+# If you have build your kernel with ULOG target support, you may also
+# specify a log level of ULOG (must be all caps). Rather than log its
+# messages to syslogd, Shorewall will direct netfilter to log the messages
+# via the ULOG target which will send them to a process called 'ulogd'.
+# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
+# configured to log all Shorewall message to their own log file
+################################################################################
+#
 # PATH - Change this if you want to change the order in which Shorewall
 # searches directories for executable files.
 #
@@ -96,6 +125,8 @@ LOGBURST=
 # packets are logged under the 'logunclean' interface option. If the variable
 # is empty, these packets will still be logged at the 'info' level.
 #
+# See the comment at the top of this file for a description of log levels
+#
 LOGUNCLEAN=info
@@ -191,6 +222,8 @@ BLACKLIST_DISPOSITION=DROP
 # (beward of DOS attacks resulting from such logging). If not set, no logging
 # of blacklist packets occurs.
 #
+# See the comment at the top of this file for a description of log levels
+#
 BLACKLIST_LOGLEVEL=
 #
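Review bot: The new header comment that every other log-level setting in this file now points to has several typos that will be read by every administrator: "specifify", "If you have build your kernel", "log all Shorewall message", and "syslog (8)" with a space before the section number. I would change the affected lines to `# 'kern' and the level that you specify. If you are unsure of the level`, `# If you have built your kernel with ULOG target support, you may also` and `# configured to log all Shorewall messages to their own log file`, and write `syslog(8)` in the first paragraph. The ULOG paragraph also says these messages are sent to a separate process rather than syslogd, so one sentence stating that the numeric level table above does not apply when ULOG is chosen would save a reader from looking for a ULOG entry in syslog.conf.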
@@ -353,6 +386,8 @@ MUTEX_TIMEOUT=60
 # it will be rejected by the firewall. If you want these rejects logged,
 # then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
 #
+# See the comment at the top of this file for a description of log levels
+#
 # Example: LOGNEWNOTSYN=debug
@@ -400,6 +435,8 @@ MACLIST_DISPOSITION=REJECT
 # Specifies the logging level for connection requests that fail MAC
 # verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
 # such connection requests will not be logged.
+#
+# See the comment at the top of this file for a description of log levels
 #
 MACLIST_LOG_LEVEL=info
@@ -420,8 +457,42 @@ TCP_FLAGS_DISPOSITION=DROP
 # Specifies the logging level for packets that fail TCP Flags
 # verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
 # such packets will not be logged.
+#
+# See the comment at the top of this file for a description of log levels
 #
 TCP_FLAGS_LOG_LEVEL=info
+#
+# RFC1918 Log Level
+#
+# Specifies the logging level for packets that fail RFC 1918
+# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
+# RFC1918_LOG_LEVEL=info is assumed.
+#
+# See the comment at the top of this file for a description of log levels
+#
+
+RFC1918_LOG_LEVEL=info
+
+#
+# Mark Packets in the forward chain
+#
+# When processing the tcrules file, Shorewall normally marks packets in the
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
+# this to "Yes". If not specified or if set to the empty value (e.g.,
+# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
+#
+# Marking packets in the FORWARD chain has the advantage that inbound
+# packets destined for Masqueraded/SNATed local hosts have had their destination
+# address rewritten so they can be marked based on their destination. When
+# packets are marked in the PREROUTING chain, packets destined for
+# Masqueraded/SNATed local hosts still have a destination address corresponding
+# to the firewall's external interface.
+#
+# Note: Older kernels do not support marking packets in the FORWARD chain and
+# setting this variable to Yes may cause startup problems.
+
+MARK_IN_FORWARD_CHAIN=No
+
 #LAST LINE -- DO NOT REMOVE
diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy
index de01405cd..0df2208e6 100644
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
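Review bot: The new RFC1918_LOG_LEVEL comment documents the empty value as meaning `info is assumed`, while the TCP_FLAGS_LOG_LEVEL and MACLIST_LOG_LEVEL comments directly above it (and BLACKLIST_LOGLEVEL earlier in this file) document the empty value as "will not be logged"; an administrator who applies the file's own convention to silence RFC1918 logging will instead keep it at info. That matters because packets failing RFC 1918 checks are by definition arriving from outside and are attacker-controlled, so this is the same log-flooding exposure the BLACKLIST_LOGLEVEL comment already warns about with "beware of DOS attacks resulting from such logging". Either make the empty value disable logging like its siblings, or state the difference outright, e.g. `# Note: unlike the other *_LOG_LEVEL settings, leaving this empty does NOT disable logging;` followed by `# consider LOGLIMIT/LOGBURST if untrusted traffic can trigger these log messages.` The MARK_IN_FORWARD_CHAIN note's "Older kernels" would also be more actionable if it named the kernel version that introduced FORWARD-chain marking, assuming that is known to the author.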
@@ -29,6 +29,12 @@
 # log message is generated. See syslog.conf(5) for a
 # description of log levels.
 #
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case). This will
+# log to the ULOG target and sent to a separate log
+# through use of ulogd
+# q(http://www.gnumonks.org/projects/ulogd).
+#
 # If you don't want to log but need to specify the
 # following column, place "_" here.
 #
diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules
index e55f2cc3e..3447d737b 100755
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -31,6 +31,13 @@
 # level (e.g, REJECT:info). This causes the packet to be
 # logged at the specified level.
 #
+# Beginning with Shorewall version 1.3.12, you may
+# also specify ULOG (must be in upper case) as a log level.\
+# This will log to the ULOG target and sent to a separate log
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
+#
+#
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
 # firewall itself, or "all" If the ACTION is DNAT or
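Review bot: The two-interfaces policy sample carries the same stray `q` in `+# q(http://www.gnumonks.org/projects/ulogd).` and the same "and sent to a separate log" wording as the one-interface sample, so whichever sample a user starts from they get a broken URL. I would change the lines to `# log to the ULOG target and be sent to a separate log` and `# (http://www.gnumonks.org/projects/ulogd).` so the two samples stay identical and copy-pasteable.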
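Review bot: The new rules comment ends a line with a literal backslash, `+# also specify ULOG (must be in upper case) as a log level.\`, which looks like an editing leftover rather than intended text; if this file is ever read by a shell `read` loop without `-r` or by any tool that honours backslash-newline continuation, that character joins the next line, and even as a plain comment it is confusing. I would drop the backslash, `# also specify ULOG (must be in upper case) as a log level.`, and collapse the doubled `+#` / `+#` separator to a single `#` so this block matches the policy sample's layout. The same "and sent to a separate log" phrasing should read "and be sent".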