author | Rainer Gerhards <rgerhards@adiscon.com> | 2007-07-16 13:24:19 +0000 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2007-07-16 13:24:19 +0000 |
commit | d16264098402ef33e1e5441eb6884e7359ee8add (patch) | |
tree | 062543e8904d649de720f3a1449e3a76cf44ca40 /doc | |
parent | 109b7831c38d808b37fbfc14070d9316b507ea7b (diff) | |
download | rsyslog-d16264098402ef33e1e5441eb6884e7359ee8add.tar.gz rsyslog-d16264098402ef33e1e5441eb6884e7359ee8add.tar.xz rsyslog-d16264098402ef33e1e5441eb6884e7359ee8add.zip |
added $AllowedSender patch by mildew@gmail.com
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bugs.html | 12 |
-rw-r--r-- | doc/contributors.html | 5 |
-rw-r--r-- | doc/features.html | 3 |
-rw-r--r-- | doc/rsyslog_conf.html | 14 |
4 files changed, 19 insertions, 15 deletions
diff --git a/doc/bugs.html b/doc/bugs.html index b441d583..0e6621e2 100644 --- a/doc/bugs.html +++ b/doc/bugs.html @@ -11,19 +11,9 @@ bug tracker at sourceforge.net</a>. This list here contains more architectural things while the bug tracker most often lists things that you will actually experience. Please be sure to visit the bug tracker in addition to this list here.</p> -<p>This list has last been updated on 2007-06-28 by +<p>This list has last been updated on 2007-07-16 by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer Gerhards</a>.</p> <h1>rsyslogd</h1> -<h2>AllowedSender and IPv6</h2> -<p>AllowedSenders currently can be used with IPv4, only. IPv6 senders are always -allowed. If you need access control for IPv6, use iptables. AllowedSender -support for IPv6 will most probably be added. Please note that you can also -disable IPv6 support by specifying -4 on the command line.</p> -<h2>REPEATED LOG LINES</h2> -<p>If multiple log lines with the exact same content are received, - the duplicates are NOT suppressed. This is done by sysklogd - in all cases. We plan to add this as an optional feature, - but as of now every line is logged.</p> <h2>EQUALLY-NAMED TEMPLATES</h2> <p>If multiple templates with the SAME name are created, all but the first definition is IGNORED. So you can NOT (yet) replace a diff --git a/doc/contributors.html b/doc/contributors.html index eaab1841..1cfa766f 100644 --- a/doc/contributors.html +++ b/doc/contributors.html @@ -27,6 +27,11 @@ Project Initiator and Maintainer</p> <li>provided patch with regex functionality for filters on 2007-07-14, first seen in 1.16.1</li> </ul> +<h2>mildew@gmail.com</h2> +<ul> + <li>provided a large patch to enhance $AllowedSender directive for IPv6 as + well as DNS nams</li> +</ul> <p><font size="2">Last Updated: 2007-07-16</font></p> </body> </html> diff --git a/doc/features.html b/doc/features.html index 02bebabb..f104a2dc 100644 --- a/doc/features.html +++ b/doc/features.html 
@@ -23,7 +23,8 @@ is going on, you can also subscribe to the <a href="http://lists.adiscon.net/mai rollover command execution<li>support for running multiple rsyslogd instances on a single machine<li>support for <a href="rsyslog_stunnel.html"> ssl-protected syslog</a> (via stunnel)<li>ability to filter on any part of - the message, not just facility and severity<li>support for discarding + the message, not just facility and severity<li>ability to use regular + expressions in filters<li>support for discarding messages based on filters<li>ability to execute shell scripts on received messages<li>control of whether the local hostname or the hostname of the origin of the data is shown as the hostname in the output<li>ability to diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html index f1165619..262738a0 100644 --- a/doc/rsyslog_conf.html +++ b/doc/rsyslog_conf.html @@ -45,7 +45,10 @@ error message. "ip[/bits]" is a machine or network ip address as in "192.0.2.0/24" or "127.0.0.1". If the "/bits" part is omitted, a single host is assumed (32 bits or mask 255.255.255.255). "/0" is not allowed, because that would match any sending system. If you intend to do that, just remove all $AllowedSender -directives. If more than 32 bits are requested, they are adjusted to 32. +directives. If more than 32 bits are requested with IPv4, they are adjusted to 32. +For IPv6, the limit is 128 for obvious reasons. Hostnames, with and without +wildcards, may also be provided. If so, the result of revers DNS resolution is +used for filtering. Multiple allowed senders can be specified in a comma-delimited list. Also, multiple $AllowedSender lines can be given. They are all combined into one UDP and one TCP list. Performance-wise, it is good to specify those allowed senders 
@@ -56,13 +59,18 @@ the first action after receiving a message. This keeps the access to potential vulnerable code in rsyslog at a minimum. However, it is still a good idea to impose allowed sender limitations via firewalling.</p> <p><b>WARNING:</b> by UDP design, rsyslogd can not identify a spoofed sender -address in UDP syslog packets. As such, a malicous person could spoof the adress +address in UDP syslog packets. As such, a malicious person could spoof the +address of an allowed sender, send such packets to rsyslogd and rsyslogd would accept them as being from the faked sender. To prevent this, use syslog via TCP exclusively. If you need to use UDP-based syslog, make sure that you do proper egress and ingress filtering at the firewall and router level.</p> +<p>Rsyslog also detects some kind of malicious reverse DNS entries. In any case, +using DNS names adds an extra layer of vulnerability. We recommend to stick with +hard-coded IP addresses whereever possible.</p> <p>An example for an allowed sender list is as follows:</p> -<p><code><b>$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24</b></code></p> +<p><code><b>$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, +*.example.net, somehost.example.com</b></code></p> <h2>UMASK</h2> <p>The $umask directive allows to specify the rsyslogd processes' umask. If not specified, the system-provided default is used. The value given must always be a |
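Review bot: the doc/bugs.html hunk drops the REPEATED LOG LINES entry as well as the AllowedSender and IPv6 one, but the commit message only mentions the $AllowedSender patch; unless duplicate suppression was actually implemented in this change, keep that entry (the text still says "as of now every line is logged") and remove only the AllowedSender section, or extend the commit message to say what else was fixed.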
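Review bot: typo in the new doc/contributors.html list item, "DNS nams" should read "DNS names"; the entry also lacks the date and first-seen version that the preceding entry carries ("on 2007-07-14, first seen in 1.16.1"), so add them for consistency.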
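Review bot: the new "ability to use regular expressions in filters" item in the doc/features.html hunk documents the regex filter patch credited in contributors.html rather than the $AllowedSender work named in the commit message; that is fine to ship, but the feature list still gets no entry for IPv6 or hostname-based $AllowedSender, which is the actual subject of this commit.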
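Review bot: the first doc/rsyslog_conf.html hunk still describes "ip[/bits]" in IPv4 terms only while the example in the following hunk uses "[::1]/128"; document the bracket notation for IPv6 addresses here, replace "for obvious reasons" with the reason (an IPv6 address is 128 bits long), fix "revers DNS resolution" to "reverse DNS resolution", and state which wildcard form hostnames accept and what happens when the reverse lookup of a sender fails (is the message dropped or accepted?), since that decides whether a DNS outage silently opens or closes the listener.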
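Review bot: "detects some kind of malicious reverse DNS entries" in the second doc/rsyslog_conf.html hunk is too vague for a security-relevant claim; name the check that is performed (for example whether the forward lookup of the resolved name must match the sending address) so administrators know what the DNS path does and does not protect against, and pair it with the preceding UDP spoofing warning, since a name-based rule inherits that weakness too. Also "whereever" should read "wherever", and "We recommend to stick with" reads better as "We recommend sticking with".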