shorewall-logging
5
Configuration Files
logging
Shorewall logging
action:level
NFLOG(nflog-parameters)
ULOG(ulog-parameters)
Description
The disposition of packets entering a Shorewall firewall is
determined by one of a number of Shorewall facilities. Only some of these
facilities permit logging.
The packet is part of an established connection. While the
packet can be logged using LOG rules in the ESTABLISHED section of
/etc/shorewall/rules, that
is not recommended because of the large amount of information that may
be logged.
The packet represents a connection request that is related to an
established connection (such as a data
connection associated with an FTP control connection). These
packets may be logged using LOG rules in the RELATED section of shorewall-rules(5).
The packet is rejected because of an option in shorewall.conf(5) or shorewall-interfaces(5).
These packets can be logged by setting the appropriate logging-related
option in /etc/shorewall/shorewall.conf.
The packet matches a rule in shorewall-rules(5). By
including a syslog level (see below) in the ACTION column of a rule
(e.g., ACCEPT:info net $FW tcp
22
), the connection attempt will be logged at that
level.
The packet doesn't match a rule so it is handled by a policy
defined in shorewall-policy(5).
These may be logged by specifying a syslog level in the LOG LEVEL
column of the policy's entry (e.g., loc net ACCEPT info
).
Default Logging
By default, Shorewall directs Netfilter to log using syslog (8).
Syslog classifies log messages by a facility and a
priority (using the notation
facility.priority).
The facilities defined by syslog are auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, syslog, user, uucp and
local0 through local7.
Throughout the Shorewall documentation, the term
level rather than priority is used,
since level is the term used by Netfilter.
The syslog documentation uses the term
priority.
Syslog Levels
Syslog levels are a method of describing to syslog (8) the
importance of a message. A number of Shorewall parameters have a syslog
level as their value.
Valid levels are:
7 - debug (Debug-level
messages)
6 - info
(Informational)
5 - notice (Normal but
significant Condition)
4 - warning (Warning
Condition)
3 - err (Error
Condition)
2 - crit (Critical
Conditions)
1 - alert (must be handled
immediately)
0 - emerg (System is
unusable)
For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by Netfilter and are logged using the
kern facility and the level that you specify. If you
are unsure of the level to choose, 6 (info) is a safe bet. You may specify
levels by name or by number.
Beginning with Shorewall 4.5.5, the level
name or number may be optionally followed by a comma-separated list of one
or more log options. The list is enclosed in
parentheses. Log options cause additional information to be included in
each log message.
Valid log options are:
ip_options
Log messages will include the option settings from the IP
header.
macdecode
Decode the MAC address and protocol.
tcp_sequence
Include TCP sequence numbers.
tcp_options
Include options from the TCP header.
uid
Include the UID of the sending program; only valid for packets
originating on the firewall itself.
Example: info(tcp_options,tcp_sequence)
Syslogd writes log messages to files (typically in /var/log/*) based on their facility and
level. The mapping of these facility/level pairs to log files is done in
/etc/syslog.conf (5). If you make changes to this file, you must restart
syslogd before the changes can take effect.
Syslog may also write to your system console. See Shorewall FAQ 16 for ways to avoid having
Shorewall messages written to the console.
Configuring a Separate Log for Shorewall Messages (ulogd)
There are a couple of limitations to syslogd-based logging:
If you give, for example, kern.info its own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).
All kernel.info messages will go to that destination and not
just those from Netfilter.
Netfilter (Shorewall) messages show up in
dmesg.
If your kernel has NFLOG target support (and most vendor-supplied
kernels do), you may also specify a log level of NFLOG (must be all caps).
When NFLOG is used, Shorewall will direct Netfilter to log the related
messages via the NFLOG target which will send them to a process called
ulogd
. The ulogd program is included in most
distributions.
The NFLOG logging mechanism is completely separate from syslog. Once you
switch to NFLOG, the settings in /etc/syslog.conf
have absolutely no effect on your Shorewall logging (except for
Shorewall status messages which still go to syslog).
You will need to change all instances of log levels (usually
info
) in your Shorewall configuration files to
NFLOG
- this includes entries in the policy, rules and
shorewall.conf files. If you initially installed using Shorewall 5.1.2 or
later, you can simply change the setting of LOG_LEVEL in
shorewall.conf.
Understanding the Contents of Shorewall Log Messages
For general information on the contents of Netfilter log messages,
see http://logi.cc/en/2010/07/netfilter-log-format/.
For Shorewall-specific information, see FAQ #17.
Customizing the Content of Shorewall Log Messages
In a Shorewall logging rule, the log level can be followed by a
log tag as in "DROP:NFLOG:junk". The generated log
message will include "chain-name junk DROP".
By setting the LOGTAGONLY option to Yes in shorewall.conf(5) or shorewall6.conf(5), the
disposition ('DROP' in the above example) will be omitted. Consider the
following rule:
#ACTION SOURCE DEST PROTO
REJECT(icmp-proto-unreachable):notice:IPv6 loc net 41 # who's using IPv6 tunneling
This rule generates the following warning at compile time:
WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
/etc/shorewall/rules (line 212)
and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p
".
Now consider this similar rule:
#ACTION SOURCE DEST PROTO
REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net 41 # who's using IPv6 tunneling
With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
"Shorewall:IPv6:tunneling:"
See the shorewall[6].conf man
page for further information about how LOGTAGONLY=Yes can be
used.
Log Backends
Netfilter logging allows configuration of multiple backends. Logging
backends provide the The low-level forward of log messages. There are
currently three backends:
LOG (ipt_LOG and ip6t_LOG).
Normal kernel-based logging to a syslog daemon.
ULOG (ipt_ULOG)
ULOG logging as described ablve. Only available for
IPv4.
netlink (nfnetlink_log)
The logging backend behind NFLOG, defined above.
The currently-available and currently-selected IPv4 and IPv6
backends are shown in /proc/sys/net/netfilter/nf_log:
cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
The magic numbers (0-12) are Linux address family numbers (AF_INET
is 2 and AF_INET6 is 10).
The name immediately following the number is the currently-selected
backend, and the ones in parentheses are the ones that are available. You
can change the currently selected backend by echoing it's name into
/proc/net/netfilter/nf_log.number.
Example - change the IPv4 backend to LOG:
sysctl net.netfilter.nf_log.2=ipt_LOG
Beginning with Shorewall 4.6.4, you can configure the backend using
the LOG_BACKEND option in shorewall.conf(5) and shorewall6.conf(5).
SEE ALSO
https://shorewall.org/shorewall_logging.html