1SHOREWALL-LOGGING(5)          Configuration Files         SHOREWALL-LOGGING(5)
2
3
4

NAME

6       logging - Shorewall logging
7

SYNOPSIS

9       action:level
10
11       NFLOG(nflog-parameters)
12
13       ULOG(ulog-parameters)
14

DESCRIPTION

16       The disposition of packets entering a Shorewall firewall is determined
17       by one of a number of Shorewall facilities. Only some of these
18       facilities permit logging.
19
20        1. The packet is part of an established connection. While the packet
21           can be logged using LOG rules in the ESTABLISHED section of
22           /etc/shorewall/rules[1], that is not recommended because of the
23           large amount of information that may be logged.
24
25        2. The packet represents a connection request that is related to an
26           established connection (such as a data connection associated with
27           an FTP control connection[2]). These packets may be logged using
28           LOG rules in the RELATED section of shorewall-rules(5)[1].
29
30        3. The packet is rejected because of an option in shorewall.conf[3](5)
31           or shorewall-interfaces(5)[4]. These packets can be logged by
32           setting the appropriate logging-related option in
33           /etc/shorewall/shorewall.conf[3].
34
35        4. The packet matches a rule in shorewall-rules[1](5). By including a
36           syslog level (see below) in the ACTION column of a rule (e.g.,
37           “ACCEPT:info net $FW tcp 22”), the connection attempt will be
38           logged at that level.
39
40        5. The packet doesn't match a rule so it is handled by a policy
41           defined in shorewall-policy(5)[5]. These may be logged by
42           specifying a syslog level in the LOG LEVEL column of the policy's
43           entry (e.g., “loc net ACCEPT info”).
44

DEFAULT LOGGING

46       By default, Shorewall directs Netfilter to log using syslog (8). Syslog
47       classifies log messages by a facility and a priority (using the
48       notation facility.priority).
49
50       The facilities defined by syslog are auth, authpriv, cron, daemon,
51       kern, lpr, mail, mark, news, syslog, user, uucp and local0 through
52       local7.
53
54       Throughout the Shorewall documentation, the term level rather than
55       priority is used, since level is the term used by Netfilter. The syslog
56       documentation uses the term priority.
57

SYSLOG LEVELS

59       Syslog levels are a method of describing to syslog (8) the importance
60       of a message. A number of Shorewall parameters have a syslog level as
61       their value.
62
63       Valid levels are:
64           7 - debug (Debug-level
65                 messages)
66           6 - info
67                 (Informational)
68           5 - notice (Normal but
69                 significant Condition)
70           4 - warning (Warning
71                 Condition)
72           3 - err (Error
73                 Condition)
74           2 - crit (Critical
75                 Conditions)
76           1 - alert (must be handled
77                 immediately)
78           0 - emerg (System is
79                 unusable)
80
81       For most Shorewall logging, a level of 6 (info) is appropriate.
82       Shorewall log messages are generated by Netfilter and are logged using
83       the kern facility and the level that you specify. If you are unsure of
84       the level to choose, 6 (info) is a safe bet. You may specify levels by
85       name or by number.
86
87       Beginning with Shorewall 4.5.5, the level name or number may be
88       optionally followed by a comma-separated list of one or more log
89       options. The list is enclosed in parentheses. Log options cause
90       additional information to be included in each log message.
91
92       Valid log options are:
93
94       ip_options
95           Log messages will include the option settings from the IP header.
96
97       macdecode
98           Decode the MAC address and protocol.
99
100       tcp_sequence
101           Include TCP sequence numbers.
102
103       tcp_options
104           Include options from the TCP header.
105
106       uid
107           Include the UID of the sending program; only valid for packets
108           originating on the firewall itself.
109
110       Example: info(tcp_options,tcp_sequence)
111
112       Syslogd writes log messages to files (typically in /var/log/*) based on
113       their facility and level. The mapping of these facility/level pairs to
114       log files is done in /etc/syslog.conf (5). If you make changes to this
115       file, you must restart syslogd before the changes can take effect.
116
117       Syslog may also write to your system console. See Shorewall FAQ 16[6]
118       for ways to avoid having Shorewall messages written to the console.
119

CONFIGURING A SEPARATE LOG FOR SHOREWALL MESSAGES (ULOGD)

121       There are a couple of limitations to syslogd-based logging:
122
123        1. If you give, for example, kern.info its own log destination then
124           that destination will also receive all kernel messages of levels 5
125           (notice) through 0 (emerg).
126
127        2. All kernel.info messages will go to that destination and not just
128           those from Netfilter.
129
130        3. Netfilter (Shorewall) messages show up in dmesg.
131
132       If your kernel has NFLOG target support (and most vendor-supplied
133       kernels do), you may also specify a log level of NFLOG (must be all
134       caps). When NFLOG is used, Shorewall will direct Netfilter to log the
135       related messages via the NFLOG target which will send them to a process
136       called “ulogd”. The ulogd program is included in most distributions.
137
138           Note
139           The NFLOG logging mechanism is completely separate from syslog.
140           Once you switch to NFLOG, the settings in /etc/syslog.conf have
141           absolutely no effect on your Shorewall logging (except for
142           Shorewall status messages which still go to syslog).
143
144       You will need to change all instances of log levels (usually “info”) in
145       your Shorewall configuration files to “NFLOG” - this includes entries
146       in the policy, rules and shorewall.conf files. If you initially
147       installed using Shorewall 5.1.2 or later, you can simply change the
148       setting of LOG_LEVEL in shorewall.conf.
149

UNDERSTANDING THE CONTENTS OF SHOREWALL LOG MESSAGES

151       For general information on the contents of Netfilter log messages, see
152       http://logi.cc/en/2010/07/netfilter-log-format/.
153
154       For Shorewall-specific information, see FAQ #17[7].
155

CUSTOMIZING THE CONTENT OF SHOREWALL LOG MESSAGES

157       In a Shorewall logging rule, the log level can be followed by a log tag
158       as in "DROP:NFLOG:junk". The generated log message will include
159       "chain-name junk DROP".
160
161       By setting the LOGTAGONLY option to Yes in shorewall.conf(5)[8] or
162       shorewall6.conf(5)[9], the disposition ('DROP' in the above example)
163       will be omitted. Consider the following rule:
164
165           #ACTION                                    SOURCE          DEST           PROTO
166           REJECT(icmp-proto-unreachable):notice:IPv6 loc             net            41      # who's using IPv6 tunneling
167
168       This rule generates the following warning at compile time:
169           WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
170                 /etc/shorewall/rules (line 212)
171
172       and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p ".
173
174       Now consider this similar rule:
175
176           #ACTION                                              SOURCE          DEST           PROTO
177           REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net            41      # who's using IPv6 tunneling
178
179       With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
180       "Shorewall:IPv6:tunneling:"
181
182       See the shorewall[6].conf man page[10] for further information about
183       how LOGTAGONLY=Yes can be used.
184

LOG BACKENDS

186       Netfilter logging allows configuration of multiple backends. Logging
187       backends provide the The low-level forward of log messages. There are
188       currently three backends:
189
190       LOG (ipt_LOG and ip6t_LOG).
191           Normal kernel-based logging to a syslog daemon.
192
193       ULOG (ipt_ULOG)
194           ULOG logging as described ablve. Only available for IPv4.
195
196       netlink (nfnetlink_log)
197           The logging backend behind NFLOG, defined above.
198
199       The currently-available and currently-selected IPv4 and IPv6 backends
200       are shown in /proc/sys/net/netfilter/nf_log:
201
202           cat /proc/net/netfilter/nf_log
203            0 NONE (nfnetlink_log)
204            1 NONE (nfnetlink_log)
205            2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
206            3 NONE (nfnetlink_log)
207            4 NONE (nfnetlink_log)
208            5 NONE (nfnetlink_log)
209            6 NONE (nfnetlink_log)
210            7 NONE (nfnetlink_log)
211            8 NONE (nfnetlink_log)
212            9 NONE (nfnetlink_log)
213           10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
214           11 NONE (nfnetlink_log)
215           12 NONE (nfnetlink_log)
216
217       The magic numbers (0-12) are Linux address family numbers (AF_INET is 2
218       and AF_INET6 is 10).
219
220       The name immediately following the number is the currently-selected
221       backend, and the ones in parentheses are the ones that are available.
222       You can change the currently selected backend by echoing it's name into
223       /proc/net/netfilter/nf_log.number.
224
225       Example - change the IPv4 backend to LOG:
226
227           sysctl net.netfilter.nf_log.2=ipt_LOG
228
229       Beginning with Shorewall 4.6.4, you can configure the backend using the
230       LOG_BACKEND option in shorewall.conf(5)[3] and shorewall6.conf(5)[11].
231

SEE ALSO

233       http://www.shorewall.net/shorewall_logging.html[12]
234

NOTES

236        1. /etc/shorewall/rules
237           http://www.shorewall.netmanpages/shorewall-rules.html
238
239        2. data connection associated with an FTP control connection
240           http://www.shorewall.netFTP.html
241
242        3. shorewall.conf
243           http://www.shorewall.netmanpages/shorewall.conf.html
244
245        4. shorewall-interfaces(5)
246           http://www.shorewall.netmanpages/shorewall-interfaces.html
247
248        5. shorewall-policy(5)
249           http://www.shorewall.netmanpages/shorewall-policy.html
250
251        6. Shorewall FAQ 16
252           http://www.shorewall.netFAQ.htm#faq16
253
254        7. FAQ #17
255           http://www.shorewall.net/FAQ.htm#faq17
256
257        8. shorewall.conf(5)
258           http://www.shorewall.net/manpages/shorewall.conf.html
259
260        9. shorewall6.conf(5)
261           http://www.shorewall.net/manpages6/shorewall6.conf.html
262
263       10. shorewall[6].conf man page
264           http://www.shorewall.netshorewall.conf.html
265
266       11. shorewall6.conf(5)
267           http://www.shorewall.netmanpages6/shorewall6.conf.html
268
269       12. http://www.shorewall.net/shorewall_logging.html
270           http://www.shorewall.net/shorewall_logging.htm
271
272
273
274Configuration Files               08/05/2018              SHOREWALL-LOGGING(5)
Impressum