From 37913a6ca1e1d0427b60928801505c1dfb8db0d3 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 20 Sep 2004 23:13:45 +0000
Subject: [PATCH] Add Martian Logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1633 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall2/firewall | 31 +++++++++++++++++++++++++++++--
Shorewall2/interfaces | 8 ++++++++
Shorewall2/shorewall.conf | 11 +++++++++++
3 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 6ace5c70e..77a0d7d2e 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -899,7 +899,7 @@ validate_interfaces_file() {
 for option in $options; do
 case $option in
- dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-)
+ dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|logmartians|blacklist|proxyarp|maclist|nosmurfs|-)
 ;;
 detectnets)
 [ -n "$wildcard" ] && \
@@ -5848,7 +5848,7 @@ add_common_rules() {
 save_progress_message "Restoring Route Filtering..."
 for f in /proc/sys/net/ipv4/conf/*; do
- run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter"
+ run_and_save_command "[ -f $f/rp_filter ] && echo 0 > $f/rp_filter"
 done
 for interface in $interfaces; do
@@ -5870,6 +5870,31 @@ add_common_rules() {
 run_and_save_command ip route flush cache
 fi
+ #
+ # Martian Logging
+ #
+ interfaces="$(find_interfaces_by_option logmartians)"
+
+ if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]; then
+ echo "Setting up Martian Logging..."
+
+ save_progress_message "Restoring Martian Logging..."
+
+ for f in /proc/sys/net/ipv4/conf/*; do
+ run_and_save_command "[ -f $f/log_martians ] && echo 0 > $f/log_martians"
+ done
+
+ for interface in $interfaces; do
+ file=/proc/sys/net/ipv4/conf/$interface/log_martians
+ if [ -f $file ]; then
+ run_and_save_command "echo 1 > $file"
+ else
+ error_message \
+ "Warning: Cannot set Martian logging on $interface"
+ fi
+ done
+ fi
+
+ if [ -n "$DYNAMIC_ZONES" ]; then
+ echo "Setting up Dynamic Zone Chains..."
@@ -6737,6 +6762,7 @@ do_initialize() {
 BLACKLIST_LOGLEVEL=
 CLAMPMSS=
 ROUTE_FILTER=
+ LOG_MARTIANS=
 DETECT_DNAT_IPADDRS=
 MUTEX_TIMEOUT=
 NEWNOTSYN=
@@ -6868,6 +6894,7 @@ do_initialize() {
 CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
 ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
 ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
+ LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
 DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
 FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
 [ -n "$FORWARDPING" ] && \
diff --git a/Shorewall2/interfaces b/Shorewall2/interfaces
index 3a5d3e93e..12228f3e6 100644
--- a/Shorewall2/interfaces
+++ b/Shorewall2/interfaces
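Review bot: LOG_MARTIANS=Yes on its own never turns logging on in this hunk: the guard `if [ -n "$interfaces" -o -n "$LOG_MARTIANS" ]` opens the block, the first loop writes 0 to every `/proc/sys/net/ipv4/conf/*/log_martians`, and the only write of 1 sits inside `for interface in $interfaces`, which is empty when no interface carries the `logmartians` option. Unless something outside the hunk covers the global case (add_common_rules starts and ends outside it), a host that sets only the shorewall.conf option ends up with martian logging switched off on every interface, which is the opposite of what the new shorewall.conf comment promises. The global path needs an explicit write of 1 to the kernel's `all` and `default` entries after the per-interface loop, inside the same guard, so that the zeroing loop is followed by the intended enable. Losing this signal matters because log_martians is what lets an operator notice spoofed-source traffic reaching the box.
```shell
# … unchanged: zeroing loop and per-interface loop …
	if [ -n "$LOG_MARTIANS" ]; then
	    run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
	    run_and_save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians"
	fi
    fi
```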
@@ -80,6 +80,14 @@
 # option can also be enabled globally in
 # the /etc/shorewall/shorewall.conf file.
 #
+# logmartians - turn on kernel martian logging (logging
+# of packets with impossible source
+# addresses. It is suggested that if you
+# set routefilter on an interface that
+# you also set logmartians. This option
+# may also be enabled globally in the
+# /etc/shorewall/shorewall.conf file.
+#
 # blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index b6b5e9db8..94bd06340 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -214,6 +214,17 @@ SMURF_LOG_LEVEL=info
 #
 BOGON_LOG_LEVEL=info
+
+#
+# MARTIAN LOGGING
+#
+# Setting LOG_MARTIANS=Yes will enable kernel logging of all received packets
+# that have impossible source IP addresses. This logging may be enabled
+# on individual interfaces by using the 'logmartians' option in
+# /etc/shorewall/interfaces.
+#
+
+LOG_MARTIANS=No
 ################################################################################
 # L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
 ################################################################################