diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml
index c9936bdb5..643c6c080 100644
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -13,14 +13,20 @@
Eastep
+
+
+ Bill Shirley
+
- 2001 - 2015
+ 2001 - 2016
Thomas M. Eastep
+
+ Bill Shirley
@@ -463,9 +469,32 @@ sync=1
By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the
- disposition ('DROP' in the above example) will be omitted. See the
- shorewall[6].conf man page for further information about how
- LOGTAGONLY=Yes can be used.
+ disposition ('DROP' in the above example) will be omitted. Consider the
+ following rule:
+
+ #ACTION SOURCE DEST PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6 loc net 41 # who's using IPv6 tunneling
+
+ This rule generates the following warning at compile time:
+
+
+ WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p
+ " /etc/shorewall/rules (line 212)
+
+
+ and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
+ ".
+
+ Now consider this similar rule:
+
+ #ACTION SOURCE DEST PROTO
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net 41 # who's using IPv6 tunneling
+
+ With LOGTAGONLY=Yes, no warning is generated and the prefix
+ becomes "Shorewall:IPv6:tunneling:"
+
+ See the shorewall[6].conf man page for further information about
+ how LOGTAGONLY=Yes can be used.
@@ -479,4 +508,72 @@ sync=1
linkend="LogTags">above.
+
+
+ Some Additional Thoughts on Logging (by Bill Shirley)
+
+ As a side note to the LOGTAGONLY example above, i recommend blocking
+ all tunneling because it bypasses the firewall rules:
+
+ #ACTION SOURCE DEST PROTO DPORT
+?COMMENT tunneling
+REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net 41 # who's using IPv6 tunneling
+REJECT(icmp-port-unreachable) loc net tcp,udp teredo
+REJECT(icmp-port-unreachable) loc net tcp,udp isakmp,ipsec-nat-t
+
+ Here is an example of logging traffic only once:
+
+ /etc/shorewall/init:
+
+ ipset -exist create IPv4 hash:ip timeout 86400
+ipset -exist create IPv4-port hash:ip,port timeout 14400
+
+ /etc/shorewall/rules (at the top):
+
+ #ACTION SOURCE DEST PROTO
+?SECTION NEW
+# ------------------
+?COMMENT drop previously flagged
+DROP net:+IPv4[src] fw
+DROP net:+IPv4-port[src,dst] fw
+
+ After all the rules have been checked, at the bottom of
+ /etc/shorewall/rules:
+
+ # =============================================================================
+# =============================== H@ck0rz =====================================
+# =============================================================================
+?COMMENT dont whack myself
+REJECT:notice inet:$ME_NET fw
+
+?COMMENT not public
+ADD(+IPv4-port:src,dst) net fw tcp,udp domain
+ADD(+IPv4-port:src,dst) net fw tcp ldap,ldaps
+ADD(+IPv4-port:src,dst) net fw tcp,udp ipp
+
+?COMMENT H@ck0rz
+ADD(+IPv4:src) net fw tcp ssh
+ADD(+IPv4:src) net fw tcp ftp,ftps,sftp,telnet,telnets,exec,login,shell,sunrpc
+ADD(+IPv4:src) net fw tcp,udp ms-sql-s,ms-sql-m
+
+?COMMENT drop if added
+DROP:info:BAN,IPv4 net:+IPv4[src] fw
+DROP:info:BAN,IPv4-port net:+IPv4-port[src,dst] fw
+
+ One final note: I wanted less firewall messages in /var/log/messages
+ so I added to rsyslog.conf:
+
+ #### RULES #### <-- find this
+if $msg contains 'Shorewall' then {
+ action(type="omfile" file="/var/log/shorewall.log")
+# if ($syslogfacility == 0 and $syslogseverity >= 4) then stop # warning
+# if ($syslogfacility == 0 and $syslogseverity >= 5) then stop # notice
+ if ($syslogfacility == 0 and $syslogseverity >= 6) then stop # info
+}
+
+ I log at 'notice' log level if I want the message in
+ /var/log/messages and everything goes to
+ /var/log/shorewall.log. Don't forget to add
+ /var/log/shorewall.log to logrotate.
+
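Review bot: the "dont whack myself" rule uses the zone `inet:$ME_NET` while every other rule in the section uses the zone `net`, so either this is a typo or the author's zone names differ from the rest of the example; make it consistent or explain the difference. `$ME_NET` is also used without being defined anywhere in the excerpt; say where it is set (the params file, or show the assignment) so the reader can reproduce the ruleset. Wording: "i recommend" should be "I recommend", and "less firewall messages" should be "fewer firewall messages". A one-sentence note that the top-of-file DROP rules drop already flagged sources without logging, while the bottom `DROP:info:BAN,...` rules log only the first hit, would make the "logging traffic only once" claim easier to follow, since that is the mechanism the two ipset timeouts (86400 and 14400 seconds) bound.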