IPv6 – logging and shorewall6

Following on from my early success at get IPv6 running, I soon hit a significant issue: firewall logging.


Now this need not be a “blocker” for everyone, but I take my firewall logging duties quite seriously…!

shorewall IPv4 logging

Currently I have IPv4 shorewall configured to log not using the standard syslog mechanism, but instead to use ulogd. This allows me to easily log firewall activity to an entirely separate set of log files very easily. It is absolutely not mandatory, but it’s neat and tidy. I then have fwlogwatch to nightly analyse the logs and automatically email the interesting bits to me for occasional checking.

To enable this I have appropriate pointers to use of ULOG in shorewall’s policy and rules files as follows:

ext all DROP ULOG

and, for example:


ACCEPT:ULOG all fwall 47

One then has an appropriate config in /etc/ulogd.conf to file things where you want them.

shorewall6 IPv6 logging

Having installed shorewall6 in a simple form and got it working, I naively assumed I could log in a similar manner as with the IPv4 version of shorewall. Oh no – I find ulogd is no longer supported in shorewall6 and the choices are:
  • syslog
  • nflog

The syslog option I specifically did not want, so I decided I’d better find out about nflog (Net Filter Log). It turns out that nflog is actually more commonly referred to as ulogd2, and is a dramatically enhanced version of the original ulog. In fact it’s so different that it is, for all practical purposes, an entirely different thing. Trying to relate ulog to ulog2 is a pretty futile exercise. Work on the basis that they are unrelated and it’ll prove less frustrating.

Anyway, the learning curve with ulogd2 was a bit steep, but it turns out to be a very neat product. Here I will present some key points that should help you to get it up, running and integrated on a Ubuntu system. Oh, and it’s not available as a pre-built package… Sorry – didn’t I mention that?

Implementing NFLOG (aka ulogd2) on a Ubuntu firewall

The first step to follow is to get hold of the ulogd2 source tree and build it. I worried that this would take me some time, but found a tremendously helpful article someone had already written which aided me a lot. (Thank you Pollux!)

If you’re familiar with building from source, that page will give you most of what you need. Here are a few points to add:
  • I’d suggest leaving the build PREFIX unspecified (i.e. default) so it will ultimately install in the /usr/local/ hierarchy. This means you can get it all working in parallel with an existing ulogd installation – much cleaner and safer!
  • Since we want to emulate ulogd just in so far as we are able to log to a disk file, disable any of the Postgres or MySQL build options to make things more compact and simple (unless of course you want to make use of these neat new features within ulogd2!)
  • Much of the article referenced assume that you will be logging to a database – keep it simple for now and ignore that.

ulogd2 config highlights

Once ulogd2 is installed, you need to copy the supplied ulogd.conf from the source tree you used to build into /usr/local/etc.
The contents of this file took a little working out, but here I present the key elements required in order to have ulogd2 set up to allow:
  • IPv6 to be logged to one file
  • IPv4 to be logged to another file (this used to be done using the original ulogd)
Once completed and the two shorewall configs tweaked to make use of it, this new ulogd2 replaces the previously used ulogd. Note that this is optional: you can have both versions of ulogd coexist. However it’s a lot cleaner and easier to maintain if just one subsystem is used. But that’s entirely a personal choice.

plugins section


stacks section

# this is a stack for logging packets to syslog after a collect via NFLOG

log section

# Using log4 for IPv4
# Using log6 for IPv6

log-specific sections

# IPv4
# IPv6

Changes to shorewall configs

And finally we need to tweak shorewall and shorewallt6 to use the new log facility. For shorewall6 that means simply adding the appropriate NFLOG references within the policies and/or rules. For shorewall IPv4 one simply has to replace existing ULOG references with an appropriate NFLOG reference.

shorewall6 additions

So my (very very over-logged – but then my IPv6 is still at the experimental stage…!) policy file is now:

#Source         Dest            Policy          Log             Burst/Limit
fwall           all             DROP            NFLOG(6)
int             all             DROP            NFLOG(6)
ext             all             DROP            NFLOG(6)
all             all             DROP            NFLOG(6)
And to test logging from individual rules I’ve specified rules as:
ACCEPT:NFLOG(6) ext     fwall   ipv6-icmp
ACCEPT:NFLOG(6) fwall   ext     ipv6-icmp

shorewall (IPv4) changes

And over in my IPv4 shorewall I just changed any reference to ULOG to read NFLOG(4), for example, where policy previously read:

office all DROP ULOG
it now reads
office all DROP NFLOG(4)

In Summary

If you are implementing IPv6 with shorewall6, ulog cannot be used for logging. You must either go back to the crude-but-efective use of syslog or go forward to NFLOG / ulogd2. Implementing ulogd2 is not entirely trivial, since it is not yet a pre-built package for Ubuntu. However building and implementing it is far from impossible if you’ve a little experience in such matters. And as a bonus, once implemented you can drop the original ulog and integrate both IPv4 and IPv6 logging within NFLOG.
Worth noting is that while we’ve achieved an elegant split between IPv4 and IPv6 firewall logs using ulog2d, while I can continue to process my IPv4 logs every night using fwlogwatch, as before, the processing and analysis of the IPv6 logs is another issue altogether! fwlogwatch is an old tool and does not process IPv6 log files. I’ll sort that out in a later article.

4 comments to IPv6 – logging and shorewall6

  • Update: with ulogd2 STILL beta, you are still required to build it yourself. To make matters even a touch more complicated, the latest beta4 of ulogd2 required the latest and greatest libnetfilter_log to be built and installed also (i.e. libnetfilter_log >= 1.0) Also the newest libnetfilter_conntrack…

    The sooner ulogd2 goes mainstream and is available as a binary build in distros the better!

  • Mark

    Thanks a lot for this post, it’s easy to understand and well written.

    Some advice for people who, like me, are copypasting from this page: do note that the double-quotes in log-specific sections need to be replaced after you paste them. ” is different from ” 🙂