Document audited default actions

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-24 07:24:15 -07:00
parent c5b38de69c
commit 704f3fdd55
2 changed files with 14 additions and 51 deletions


@ -141,6 +141,11 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
#ACTION SOURCE DEST #ACTION SOURCE DEST
rejNonSyn(audit) net all rejNonSyn(audit) net all
h) There are audited versions of the standard Default Actions
named ADrop and AReject. Note that these audit everything that
they do so you will probably want to make your own copies and
modify them to only audit the packets that you care about.
6) Up to this release, the behaviors of 'start -f' and 'restart -f' 6) Up to this release, the behaviors of 'start -f' and 'restart -f'
has been inconsistent. The 'start -f' command compares the has been inconsistent. The 'start -f' command compares the
modification times of /etc/shorewall[6] with modification times of /etc/shorewall[6] with
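Review bot: item h) says ADrop and AReject "audit everything that they do" but does not say that this includes the packets those actions ACCEPT, which is the part most users will want to switch off; the docbook hunk below describes the 'audit' parameter as auditing all ACCEPT, DROP and REJECTs, so state that here as well. "You will probably want to make your own copies" is also not actionable as written: say where the two action files are found and how a local copy is picked up in place of the shipped one, or point at the Actions documentation that explains it.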


@ -221,58 +221,16 @@ A_ACCEPT:info loc net ...</programlisting>
<listitem> <listitem>
<para>The builtin actions (dropBroadcast, rejNonSyn, etc.) now support <para>The builtin actions (dropBroadcast, rejNonSyn, etc.) now support
an 'audit' parameter which causes all ACCEPT, DROP and REJECTs an 'audit' parameter which causes all ACCEPT, DROP and REJECTs
performed by the action to be audited. This allows creation of audited performed by the action to be audited. </para>
versions of the Shorewall-provided default actions (action.Drop and </listitem>
action.Reject).</para>
<note> <listitem>
<para>The builtin actions are those actions listed in the output of <para>There are audited versions of the standard <ulink
<command>shorewall show actions</command> whose names begin with a url="Actions.html#Default">Default Actions</ulink> (ADrop and
lower-case letter.</para> AReject). These actions audit everything they do which is probably
</note> more than you want; as a consequence, you probably will want to make
your own copies of these actions and modify them to only audit the
<para>Here's a version of action.Drop that does auditing:</para> packets that you are interested in.</para>
<programlisting>#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Count packets that come through here
#
COUNT
#
# Reject 'auth'
#
A_REJECT - - tcp
#
# Don't log broadcasts
#
dropBcast(audit)
#
# ACCEPT critical ICMP types
#
AudAllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid(audit)
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
AudSMB(DROP)
AudDropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn(audit) - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
A_DROP - - udp - 53</programlisting>
<para>The 'Aud...' macros would be auditing versions of their standard
macro counterparts (if you are interested in auditing those connection
types).</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
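Review bot: the rewrite also removes the <note> that defines builtin actions as those listed by "shorewall show actions" whose names begin with a lower-case letter. That definition is independent of the deleted action.Drop example and is the only place the first listitem tells the reader which actions accept the 'audit' parameter, so keep it after the first <para>. With the programlisting gone the section no longer shows the parameter syntax at all; one line such as "dropInvalid(audit)" in the first listitem would preserve that without reintroducing the full example. Minor: "These actions audit everything they do which is probably more than you want" needs a comma before "which".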