===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.10
retrieving revision 2.11
diff -u -p -r2.10 -r2.11
--- scripts/shell/firewall/fw-universal.sh 2005/01/04 23:56:23 2.10
+++ scripts/shell/firewall/fw-universal.sh 2005/01/13 13:31:54 2.11
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.9 2005/01/04 19:58:42 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.10 2005/01/04 23:56:23 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -33,7 +33,7 @@ DEFAULT_POLICY="${DEFAULT_POLICY:=DROP}"
 # which modules to load
 MODULES="${MODULES:=}"
-LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10}"
+LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10 -j LOG --log-level notice --log-prefix}"
 # Paths:
 #IPTABLES=":" # for testing only - does nothing
@@ -139,14 +139,14 @@ nmap_scan_filter()
 for chain in INPUT FORWARD; do
 # Nie je nastaveny ziaden bit
-$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ALL NONE: "
+$IPTABLES -A $chain -p TCP --tcp-flags ALL NONE $LOG_LIMIT "nmap scan $chain ALL NONE: "
 echo -en "."
 $IPTABLES -A $chain -p TCP --tcp-flags ALL NONE -j DROP
 echo -en "."
 # dva odporujuuce si flagy su nastavene:
 for flags in SYN,FIN SYN,RST FIN,RST ; do
-$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain $flags: "
+$IPTABLES -A $chain -p TCP --tcp-flags $flags $flags $LOG_LIMIT "nmap scan $chain $flags: "
 echo -en "."
 $IPTABLES -A $chain -p TCP --tcp-flags $flags $flags -j DROP
 echo -en "."
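Review bot: Folding `-j LOG --log-level notice --log-prefix` into `LOG_LIMIT` changes the contract of an environment override without guarding it: `${LOG_LIMIT:=...}` still accepts any external value, but every call site in this commit now appends the prefix string as a bare next word, so a deployment that exports only a limit expression (the previous meaning, e.g. `LOG_LIMIT='-m limit --limit 5/m'`) makes every logging rule fail with an iptables bad-argument error while the separately added DROP rules still load — logging silently disappears. The cleaner fix is to keep the target out of the override (`LOG_LIMIT="${LOG_LIMIT:=-m limit --limit 12/h --limit-burst 10}"` and a new `LOG_TARGET="${LOG_TARGET:=-j LOG --log-level notice --log-prefix}"`, with call sites passing `$LOG_LIMIT $LOG_TARGET "prefix"`); the minimal one is a startup check such as `case "$LOG_LIMIT" in *--log-prefix) ;; *) echo "LOG_LIMIT must end with '-j LOG ... --log-prefix'" >&2; exit 1;; esac`. Either way a comment above the assignment should say that the value must end in `--log-prefix` because callers supply the prefix as the following argument. Also worth a comment: 12 matches per hour with a burst of 10 is applied per rule, so after a short scan the catch-all drop loggers later in the file emit roughly one line every five minutes, which may hide follow-on activity during incident review.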
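Review bot: The intent of the flag masks in this hunk is only documented in Slovak, so a maintainer reading the new `--tcp-flags ALL NONE $LOG_LIMIT "..."` and `--tcp-flags $flags $flags $LOG_LIMIT "..."` lines has to decode the iptables mask/compare semantics themselves; replace the two comments with `# no TCP flag set at all (NULL scan)` and `# two mutually exclusive flags set together: SYN+FIN, SYN+RST, FIN+RST`. Note that each probe is matched twice, once for the rate-limited LOG rule and once for the DROP rule, so the two match expressions must stay byte-identical — a one-line comment saying so above the loop would prevent a future edit to one copy only. `nmap_scan_filter()` begins before this hunk and its loops close after it.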
@@ -154,7 +154,7 @@ nmap_scan_filter()
 # je nastavene len $flags bez predpokladaneho ACK
 for flags in FIN PSH URG ; do
-$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT -j LOG --log-prefix "nmap scan $chain ACK,$flags: "
+$IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags $LOG_LIMIT "nmap scan $chain ACK,$flags: "
 echo -en "."
 $IPTABLES -A $chain -p TCP --tcp-flags ACK,$flags $flags -j DROP
 echo -en "."
@@ -171,7 +171,7 @@ invalid_packet_filter()
 echo -en "Turning on INVALID packet filter "
 for chain in INPUT OUTPUT FORWARD; do
-$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT -j LOG --log-prefix "INVALID $chain: "
+$IPTABLES -A $chain -m state --state INVALID $LOG_LIMIT "INVALID $chain: "
 echo -en "."
 $IPTABLES -A $chain -m state --state INVALID -j DROP
 echo -en "."
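Review bot: The new `--tcp-flags ACK,$flags $flags $LOG_LIMIT "..."` line depends on a mask/compare subtlety (examine ACK and `$flags`, require exactly `$flags` set, i.e. `$flags` present with ACK clear) that the Slovak comment above it does not convey to most readers; I would replace it with `# $flags set while ACK is clear — in practice every segment after the handshake carries ACK, so lone FIN/PSH/URG look like probe traffic`. As in the previous hunk, the LOG and DROP rules repeat the same match and must be edited together. The enclosing `for chain` loop and `nmap_scan_filter()` itself close outside this hunk.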
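Review bot: Dropping `--state INVALID` in OUTPUT as well as INPUT/FORWARD is a deliberate choice that deserves a comment, because locally generated packets that conntrack cannot associate with a flow (for example RSTs or ACKs for entries it has already expired, or anything once the conntrack table is full) are also classified INVALID and will be silently dropped by the rule added here, which tends to surface as hard-to-diagnose stalled outbound connections; I would add `# NOTE: OUTPUT is included on purpose — locally generated packets conntrack cannot match are dropped too; drop OUTPUT from this list if outbound sessions stall` and consider making the chain list a variable like the other knobs at the top of the file. On current iptables `-m state` remains a compatibility alias of `-m conntrack --ctstate`, so no change is needed there. The `done` for this loop and the end of `invalid_packet_filter()` fall outside the hunk.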
@@ -208,18 +208,18 @@ anti_spoof_filter()
 $IPTABLES -N spoof
 # Ochrana proti Spoogingu zo spatnej slucky
-$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 src"
+$IPTABLES -A spoof -s 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 src"
 $IPTABLES -A spoof -s 127.0.0.0/8 -j DROP
-$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:127.0.0.0/8 dest"
+$IPTABLES -A spoof -d 127.0.0.0/8 $LOG_LIMIT "RESERVED:127.0.0.0/8 dest"
 $IPTABLES -A spoof -d 127.0.0.0/8 -j DROP
 # Ochrana proti Spoofingu Internetu z adries urcenych pre lokalne siete
-$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT -j LOG --log-prefix "RESERVED:192.168.0.0/16 src"
+$IPTABLES -A spoof -s 192.168.0.0/16 $LOG_LIMIT "RESERVED:192.168.0.0/16 src"
 $IPTABLES -A spoof -s 192.168.0.0/16 -j DROP # RFC1918
-$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT -j LOG --log-prefix "RESERVED:172.16.0.0/12 src"
+$IPTABLES -A spoof -s 172.16.0.0/12 $LOG_LIMIT "RESERVED:172.16.0.0/12 src"
 $IPTABLES -A spoof -s 172.16.0.0/12 -j DROP # RFC1918
-$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT -j LOG --log-prefix "RESERVED:10.0.0.0/8 src"
+$IPTABLES -A spoof -s 10.0.0.0/8 $LOG_LIMIT "RESERVED:10.0.0.0/8 src"
 $IPTABLES -A spoof -s 10.0.0.0/8 -j DROP # RFC1918 len pre sietovy interface do Internetu, kedze 10.0.0.0 je adresa LAN
-$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT -j LOG --log-prefix "RESERVED:96.0.0.0/4 src"
+$IPTABLES -A spoof -s 96.0.0.0/4 $LOG_LIMIT "RESERVED:96.0.0.0/4 src"
 $IPTABLES -A spoof -s 96.0.0.0/4 -j DROP # IANA
 for iface in $ANTISPOOF_IFACE; do
@@ -488,7 +488,7 @@ log_input_drop()
 prefix="input drop: "
 echo "Input drop is logged with prefix '$prefix'"
-$IPTABLES -A INPUT $LOG_LIMIT -j LOG --log-prefix "$prefix"
+$IPTABLES -A INPUT $LOG_LIMIT "$prefix"
 }
 # }}}
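Review bot: The spoof log prefixes added here (`"RESERVED:127.0.0.0/8 src"`, `"... dest"`, `"RESERVED:96.0.0.0/4 src"`) have no trailing separator, unlike every other prefix in this commit, and the kernel's LOG target prints `IN=` directly after the prefix, so the resulting syslog line reads `RESERVED:127.0.0.0/8 srcIN=eth0 ...`, which both looks broken and defeats simple field-based parsing; append `: ` to each, e.g. `"RESERVED:127.0.0.0/8 src: "`. Separately, `-s 96.0.0.0/4` is a static bogon entry that was IANA-reserved when this was written but those /8s have since been allocated to the RIRs, so a hard-coded DROP here becomes a self-inflicted outage for legitimate peers; the trailing `# IANA` should at least record the date the list was checked, or the range should be moved into a configurable variable that can be refreshed from a maintained bogon source. `anti_spoof_filter()` opens before this hunk and the `for iface` loop closes after it.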
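Review bot: `prefix="input drop: "`, which the new `$IPTABLES -A INPUT $LOG_LIMIT "$prefix"` line consumes, is assigned without `local`, so it leaks into the caller's scope and the three log_*_drop functions overwrite each other's value; if the script runs under bash (the `echo -en` usage elsewhere in the diff suggests so, but the shebang is not visible here), make it `local prefix="input drop: "`. The function's opening brace is outside the hunk.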
@@ -497,7 +497,7 @@ log_output_drop()
 prefix="output drop: "
 echo "Output drop is logged with prefix '$prefix'"
-$IPTABLES -A OUTPUT $LOG_LIMIT -j LOG --log-prefix "$prefix"
+$IPTABLES -A OUTPUT $LOG_LIMIT "$prefix"
 }
 # }}}
@@ -506,7 +506,7 @@ log_forward_drop()
 prefix="forward drop: "
 echo "Forward drop is logged with prefix '$prefix'"
-$IPTABLES -A FORWARD $LOG_LIMIT -j LOG --log-prefix "$prefix"
+$IPTABLES -A FORWARD $LOG_LIMIT "$prefix"
 }
 # }}}
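Review bot: `log_forward_drop` is now the third copy of the same three-line body differing only in the chain name and prefix, and this commit had to touch all three in lockstep — a single helper taking the chain and prefix would have made this a one-line change and keeps future edits (such as the trailing-separator or rate-limit tweaks) from being applied to only some of the chains. The helper body would be `$IPTABLES -A "$1" $LOG_LIMIT "$2"` preceded by the existing echo, with `log_forward_drop() { log_chain_drop FORWARD "forward drop: "; }` as the thin wrapper so the public names stay intact; the unquoted `$LOG_LIMIT` must remain unquoted because word splitting into separate iptables arguments is intended, and that is worth a `# intentionally unquoted` comment. The opening brace of the function lies outside the hunk.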