SHOREWALL-LOGGING(5) Configuration Files SHOREWALL-LOGGING(5)

NAME
logging - Shorewall logging

SYNOPSIS
action:level

NFLOG(nflog-parameters)

ULOG(ulog-parameters)

DESCRIPTION
The disposition of packets entering a Shorewall firewall is determined
by one of a number of Shorewall facilities. Only some of these
facilities permit logging.

1. The packet is part of an established connection. While the packet
can be logged using LOG rules in the ESTABLISHED section of
/etc/shorewall/rules[1], that is not recommended because of the
large amount of information that may be logged.

2. The packet represents a connection request that is related to an
established connection (such as a data connection associated with
an FTP control connection[2]). These packets may be logged using
LOG rules in the RELATED section of shorewall-rules(5)[1].

3. The packet is rejected because of an option in shorewall.conf[3](5)
or shorewall-interfaces(5)[4]. These packets can be logged by
setting the appropriate logging-related option in
/etc/shorewall/shorewall.conf[3].

4. The packet matches a rule in shorewall-rules[1](5). By including a
syslog level (see below) in the ACTION column of a rule (e.g.,
“ACCEPT:info net $FW tcp 22”), the connection attempt will be
logged at that level.

5. The packet doesn't match a rule so it is handled by a policy
defined in shorewall-policy(5)[5]. These may be logged by
specifying a syslog level in the LOG LEVEL column of the policy's
entry (e.g., “loc net ACCEPT info”).

By default, Shorewall directs Netfilter to log using syslog (8). Syslog
classifies log messages by a facility and a priority (using the
notation facility.priority).

The facilities defined by syslog are auth, authpriv, cron, daemon,
kern, lpr, mail, mark, news, syslog, user, uucp and local0 through
local7.

Throughout the Shorewall documentation, the term level rather than
priority is used, since level is the term used by Netfilter. The syslog
documentation uses the term priority.

Syslog levels are a method of describing to syslog (8) the importance
of a message. A number of Shorewall parameters have a syslog level as
their value.

Valid levels are:
7 - debug (Debug-level messages)
6 - info (Informational)
5 - notice (Normal but significant condition)
4 - warning (Warning condition)
3 - err (Error condition)
2 - crit (Critical conditions)
1 - alert (Must be handled immediately)
0 - emerg (System is unusable)

For most Shorewall logging, a level of 6 (info) is appropriate.
Shorewall log messages are generated by Netfilter and are logged using
the kern facility and the level that you specify. If you are unsure of
the level to choose, 6 (info) is a safe bet. You may specify levels by
name or by number.

Beginning with Shorewall 4.5.5, the level name or number may be
optionally followed by a comma-separated list of one or more log
options. The list is enclosed in parentheses. Log options cause
additional information to be included in each log message.

Valid log options are:

ip_options
Log messages will include the option settings from the IP header.

macdecode
Decode the MAC address and protocol.

tcp_sequence
Include TCP sequence numbers.

tcp_options
Include options from the TCP header.

uid
Include the UID of the sending program; only valid for packets
originating on the firewall itself.

Example: info(tcp_options,tcp_sequence)

Syslogd writes log messages to files (typically in /var/log/*) based on
their facility and level. The mapping of these facility/level pairs to
log files is done in /etc/syslog.conf (5). If you make changes to this
file, you must restart syslogd before the changes can take effect.

Syslog may also write to your system console. See Shorewall FAQ 16[6]
for ways to avoid having Shorewall messages written to the console.

There are a couple of limitations to syslogd-based logging:

1. If you give, for example, kern.info its own log destination then
that destination will also receive all kernel messages of levels 5
(notice) through 0 (emerg).

2. All kern.info messages will go to that destination and not just
those from Netfilter.

3. Netfilter (Shorewall) messages show up in dmesg.

If your kernel has NFLOG target support (and most vendor-supplied
kernels do), you may also specify a log level of NFLOG (must be all
caps). When NFLOG is used, Shorewall will direct Netfilter to log the
related messages via the NFLOG target which will send them to a process
called “ulogd”. The ulogd program is included in most distributions.

Note
The NFLOG logging mechanism is completely separate from syslog.
Once you switch to NFLOG, the settings in /etc/syslog.conf have
absolutely no effect on your Shorewall logging (except for
Shorewall status messages which still go to syslog).

You will need to change all instances of log levels (usually “info”) in
your Shorewall configuration files to “NFLOG” - this includes entries
in the policy, rules and shorewall.conf files. If you initially
installed using Shorewall 5.1.2 or later, you can simply change the
setting of LOG_LEVEL in shorewall.conf.

For general information on the contents of Netfilter log messages, see
http://logi.cc/en/2010/07/netfilter-log-format/.

For Shorewall-specific information, see FAQ #17[7].

In a Shorewall logging rule, the log level can be followed by a log tag
as in "DROP:NFLOG:junk". The generated log message will include
"chain-name junk DROP".

By setting the LOGTAGONLY option to Yes in shorewall.conf(5)[8] or
shorewall6.conf(5)[8], the disposition ('DROP' in the above example)
will be omitted. Consider the following rule:

#ACTION SOURCE DEST PROTO
REJECT(icmp-proto-unreachable):notice:IPv6 loc net 41 # who's using IPv6 tunneling

This rule generates the following warning at compile time:
WARNING: Log Prefix shortened to "Shorewall:IPv6:REJECT(icmp-p "
/etc/shorewall/rules (line 212)

and produces the rather ugly prefix "Shorewall:IPv6:REJECT(icmp-p ".

Now consider this similar rule:

#ACTION SOURCE DEST PROTO
REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc net 41 # who's using IPv6 tunneling

With LOGTAGONLY=Yes, no warning is generated and the prefix becomes
"Shorewall:IPv6:tunneling:"

See the shorewall[6].conf man page[9] for further information about how
LOGTAGONLY=Yes can be used.

Netfilter logging allows configuration of multiple backends. Logging
backends provide the low-level forwarding of log messages. There are
currently three backends:

LOG (ipt_LOG and ip6t_LOG).
Normal kernel-based logging to a syslog daemon.

ULOG (ipt_ULOG)
ULOG logging as described above. Only available for IPv4.

netlink (nfnetlink_log)
The logging backend behind NFLOG, defined above.

The currently-available and currently-selected IPv4 and IPv6 backends
are shown in /proc/sys/net/netfilter/nf_log:

cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (ipt_ULOG,ipt_LOG,nfnetlink_log)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)

The magic numbers (0-12) are Linux address family numbers (AF_INET is 2
and AF_INET6 is 10).

The name immediately following the number is the currently-selected
backend, and the ones in parentheses are the ones that are available.
You can change the currently selected backend by echoing its name into
/proc/net/netfilter/nf_log.number.

Example - change the IPv4 backend to LOG:

sysctl net.netfilter.nf_log.2=ipt_LOG

Beginning with Shorewall 4.6.4, you can configure the backend using the
LOG_BACKEND option in shorewall.conf(5)[3] and shorewall6.conf(5)[3].

SEE ALSO
http://www.shorewall.net/shorewall_logging.html[10]

NOTES
1. /etc/shorewall/rules
https://shorewall.org/manpages/shorewall-rules.html

2. data connection associated with an FTP control connection
https://shorewall.org/FTP.html

3. shorewall.conf
https://shorewall.org/manpages/shorewall.conf.html

4. shorewall-interfaces(5)
https://shorewall.org/manpages/shorewall-interfaces.html

5. shorewall-policy(5)
https://shorewall.org/manpages/shorewall-policy.html

6. Shorewall FAQ 16
https://shorewall.org/FAQ.htm#faq16

7. FAQ #17
https://shorewall.org/FAQ.htm#faq17

8. shorewall.conf(5)
https://shorewall.org/manpages/shorewall.conf.html

9. shorewall[6].conf man page
https://shorewall.org/shorewall.conf.html

10. http://www.shorewall.net/shorewall_logging.html
https://shorewall.org/shorewall_logging.htm

Configuration Files 01/15/2020 SHOREWALL-LOGGING(5)