diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 086531c16..66672b27f 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2
3) Add 'refreshed' extension script.
+4) Implement 'logdrop' and 'logreject'
+
Changes in 3.1.x. and 3.2.x
1) Removal of dynamic zones.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 8a44126e7..ffcdda2a8 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -7261,15 +7261,23 @@ initialize_netfilter () {
createchain reject no
createchain dynamic no
+ createchain logdrop no
+ createchain logreject no
createchain smurfs no
+ log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
+ log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
+
+ run_iptables -A logdrop -j DROP
+ run_iptables -A logreject -j reject
+
indent >&3 << __EOF__
if [ -f /var/lib/shorewall/save ]; then
progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do
case \$target in
- DROP|reject)
+ DROP|reject|logdrop|logreject)
run_iptables -A dynamic -s \$address -j \$target
;;
esac
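Review bot: The two `log_rule ${BLACKLIST_LOGLEVEL:-info} ...` lines place a LOG rule ahead of the DROP/REJECT in the new logdrop and logreject chains, so every packet from a dynamically blacklisted address generates a log entry for as long as that host keeps sending; unless log_rule (defined outside this hunk) already applies the configured log limit, a persistent blacklisted source can flood the log, and a rate-limited variant of the helper, if this compiler provides one, would be the safer choice. Whichever helper is used, the intent of the new chains deserves a comment above the first createchain, e.g. `# logdrop/logreject: LOG at BLACKLIST_LOGLEVEL (default info) then DROP/REJECT; targets used by dynamic blacklisting`. The `-j reject` in the last run_iptables depends on the reject chain created at the top of this hunk, which holds here because both are set up in initialize_netfilter. initialize_netfilter continues outside the hunk.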
diff --git a/Shorewall/help b/Shorewall/help
index ff6a3c7a3..372c5298e 100755
--- a/Shorewall/help
+++ b/Shorewall/help
@@ -161,7 +161,7 @@ drop)
echo "$1: $1
...
Causes packets from the specified to be ignored
- Shorewall allow, drop, reject and save implement dynamic blacklisting.
+ Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@@ -215,12 +215,30 @@ iprange)
equivalent list of network/host addresses."
;;
+logdrop)
+ echo "$1: $1 ...
+ Causes packets from the specified to be ignored and loged.
+
+ Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
logwatch)
echo "logwatch: logwatch []
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
+logreject)
+ echo "$1: $1 ...
+ Causes packets from the specified to be rejected and logged.
+
+ Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
+
+ See also \"help address\""
+ ;;
+
refresh)
echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces,
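Review bot: The new logdrop help text contains a typo, "loged", in the line `Causes packets from the specified to be ignored and loged.`; it should read `Causes packets from the specified to be ignored and logged.`, matching the "rejected and logged" wording used in the logreject arm below it. Since this string is emitted verbatim to the user, the misspelling is visible in `shorewall help logdrop` output.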
@@ -232,7 +250,7 @@ reject)
echo "$1: $1 ...
Causes packets from the specified to be rejected
- Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+ Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@@ -283,7 +301,7 @@ save)
and 'shorewall -f start' commands. If is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
- Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+ Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 244d4d0db..dbd0f6214 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2
1) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.
+2) Two new dynamic blacklisting commands have been added:
+
+ logdrop -- like 'drop' but causes the dropped packets to be logged.
+
+ logreject -- like 'reject' but causes the rejected packets to be
+ logged.
+
+ Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
+ last "shorewall [re]start"; otherwise, they are logged at the 'info'
+ log level.
+
Migration Considerations:
1) A number of macros have been split into two. The macros affected are:
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index b2e4d9469..578fef2b3 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -1314,6 +1314,8 @@ usage() # $1 = exit status
echo " ipcalc { / | }"
echo " ipdecimal { | }"
echo " iprange -"
+ echo " logdrop ..."
+ echo " logreject ..."
echo " logwatch []"
echo " refresh"
echo " reject ..."
@@ -1777,6 +1779,8 @@ case "$COMMAND" in
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
+ qt $IPTABLES -D dynamic -s $1 -j logreject
+ qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
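Review bot: The four `qt $IPTABLES -D dynamic -s $1 -j ...` deletions added here are now repeated verbatim in the logdrop arm and the reject|logreject arm (the next two hunks), and the allow arm (last hunk) carries the same four targets as an `||` chain; a new target added later has to be threaded through all four places, and a miss leaves a stale entry that the user cannot clear. A small helper defined before the `case "$COMMAND"` statement, which starts outside this hunk, removes the duplication without changing behavior, since `qt` already discards the status of each delete. The allow arm could then test the helper's result directly if it is written to return success when any delete succeeded, but that is a separate change.

```shell
# Remove any existing dynamic blacklist entry for $1, whichever of the
# four dynamic targets it was added with (failures are expected and ignored).
remove_dynamic() # $1 = address
{
    qt $IPTABLES -D dynamic -s $1 -j reject
    qt $IPTABLES -D dynamic -s $1 -j DROP
    qt $IPTABLES -D dynamic -s $1 -j logreject
    qt $IPTABLES -D dynamic -s $1 -j logdrop
}

# … unchanged: drop) arm up to the shift …
            remove_dynamic $1
            $IPTABLES -A dynamic -s $1 -j DROP || break 1
            echo "$1 Dropped"
```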
@@ -1786,7 +1790,7 @@ case "$COMMAND" in
exit 2
fi
;;
- reject)
+ logdrop)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
@@ -1795,7 +1799,29 @@ case "$COMMAND" in
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
- $IPTABLES -A dynamic -s $1 -j reject || break 1
+ qt $IPTABLES -D dynamic -s $1 -j logreject
+ qt $IPTABLES -D dynamic -s $1 -j logdrop
+ $IPTABLES -A dynamic -s $1 -j logdrop || break 1
+ echo "$1 Dropped"
+ done
+ mutex_off
+ else
+ error_message "ERROR: Shorewall is not started"
+ exit 2
+ fi
+ ;;
+ reject|logreject)
+ [ -n "$debugging" ] && set -x
+ [ $# -eq 1 ] && usage 1
+ if shorewall_is_started ; then
+ mutex_on
+ while [ $# -gt 1 ]; do
+ shift
+ qt $IPTABLES -D dynamic -s $1 -j reject
+ qt $IPTABLES -D dynamic -s $1 -j DROP
+ qt $IPTABLES -D dynamic -s $1 -j logreject
+ qt $IPTABLES -D dynamic -s $1 -j logdrop
+ $IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
mutex_off
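Review bot: The line `$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1` leaves the loop on the first failed append, so any addresses still on the command line are silently skipped and nothing tells the user which ones were not added; iptables prints its own diagnostic, but not which remaining arguments were abandoned. This matters for the new targets in particular: the logreject chain is only created by rulesets compiled with this change (the compiler hunk above), so against a firewall that was started from an older compiled ruleset the append will fail on the first address. Emitting a message before the break, e.g. `$IPTABLES -A dynamic -s $1 -j $COMMAND || { error_message "ERROR: $1 not added; remaining addresses skipped"; break 1; }`, keeps the existing control flow while making the outcome visible; the same applies to the drop and logdrop arms. The reject|logreject arm continues outside the hunk.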
@@ -1811,7 +1837,11 @@ case "$COMMAND" in
mutex_on
while [ $# -gt 1 ]; do
shift
- if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
+ if qt $IPTABLES -D dynamic -s $1 -j reject ||\
+ qt $IPTABLES -D dynamic -s $1 -j DROP ||\
+ qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
+ qt $IPTABLES -D dynamic -s $1 -j logreject
+ then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"