<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hello,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
There is an `rp_filter` kernel feature that might affect you: <a href="https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/" id="LPNoLP833119">
https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/</a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Or this may be another routing problem, a firewall or SELinux.</div>
<br>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt">
It would be worth checking with tcpdump whether the packet arrives at the next hop.<br>
</div>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Br,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Antal<br>
</div>
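<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
As an added illustration of the rp_filter point above (an example script, not part of this thread and not syslog-ng code): a POSIX shell snippet that reads sysctl-style output and reports, per interface, the effective reverse-path-filter mode. The kernel applies the larger of net.ipv4.conf.all.rp_filter and the interface's own value, so a strict (1) setting on either side drops any packet whose source address would not be routed back out the interface it arrived on, which is exactly how a spoofed syslog source looks to the destination host or to any Linux hop in between. The sysctl lines embedded in the script are constructed sample data; on a real host feed it the output of sysctl -a filtered for rp_filter.</div>

```sh
#!/bin/sh
# Added example (not from the thread): find interfaces whose rp_filter setting
# would silently drop packets carrying a spoofed (non-local) source address.
# The kernel validates each packet against max(net.ipv4.conf.all.rp_filter,
# net.ipv4.conf.<iface>.rp_filter): 0 = off, 1 = strict, 2 = loose.

# Constructed sample of `sysctl -a | grep rp_filter` output. On a real host use:
#   report_rp_filter "$(sysctl -a 2>/dev/null | grep '\.rp_filter')"
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# Map a numeric rp_filter value to the kernel's meaning.
classify_rp_filter() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Effective per-interface value: the larger of the "all" and interface settings.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Extract the "all" value from sysctl output (0 if the line is absent).
all_rp_filter() {
    v=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.all\.rp_filter *= *//p')
    echo "${v:-0}"
}

# Print "<iface> <effective value> <mode>" for every real interface.
report_rp_filter() {
    all=$(all_rp_filter "$1")
    printf '%s\n' "$1" |
        sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter *= *\([0-9]*\).*$/\1 \2/p' |
        while read -r iface value; do
            case "$iface" in all|default) continue ;; esac
            eff=$(effective_rp_filter "$all" "$value")
            echo "$iface $eff $(classify_rp_filter "$eff")"
        done
}

# Interfaces in strict mode: these drop a packet whose source address would not
# be routed back out the same interface, which is what a spoofed syslog source
# looks like from an intermediate router or from the receiving host.
strict_interfaces() {
    report_rp_filter "$1" | awk '$3 == "strict" { print $1 }'
}

report_rp_filter "$SAMPLE_SYSCTL"
echo "strict: $(strict_interfaces "$SAMPLE_SYSCTL" | tr '\n' ' ')"
```

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Run it on the destination host (10.13.33.125 in the quoted configuration) and on any Linux router on the path. If an interface shows strict, confirm the diagnosis rather than guess: the kernel's IPReversePathFilter counter (TcpExt section of /proc/net/netstat, or nstat -az) increases for every packet rp_filter discards, and setting net.ipv4.conf.&lt;iface&gt;.log_martians=1 logs each drop to the kernel log with the offending source address. Switching that interface to loose mode (2) is the usual fix for asymmetric or spoofed sources while keeping some reverse-path checking.</div>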
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Edvinas Kairys <edvinas.email@gmail.com><br>
<b>Sent:</b> Wednesday, April 8, 2020 19:57<br>
<b>To:</b> syslog-ng@lists.balabit.hu <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [syslog-ng] mystique with spoof_address</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">
<div> Hello, I installed (yum install) the following version on a CentOS 7 box.
<div><br>
</div>
<div>syslog-ng 3.5.6<br>
Installer-Version: 3.5.6<br>
Revision: <br>
Compile-Date: Dec 30 2015 19:57:24<br>
Available-Modules: affile,afprog,afsocket-notls,afsocket-tls,afsocket,afstomp,afuser,basicfuncs,confgen,cryptofuncs,csvparser,dbparser,linux-kmsg-format,syslogformat,system-source<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: on<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: on<br>
Enable-Pcre: on<br>
</div>
<div><br>
</div>
<div>My goal is to forward syslog messages 'untouched' but to change the source address to the original one. For that I'm using spoof-address.</div>
<div><br>
</div>
<div>My conf is like this:</div>
<div><br>
</div>
<div>options {<br>
flush_lines (0);<br>
time_reopen (10);<br>
log_fifo_size (1000);<br>
chain_hostnames (off);<br>
use_dns (no);<br>
use_fqdn (no);<br>
create_dirs (no);<br>
keep_hostname (no);<br>
mark-freq (0);<br>
};<br>
</div>
<div>source s_network {<br>
 udp(ip(0.0.0.0) port(514) flags(no-parse));<br>
};<br>
</div>
<div>destination d_syslog_tcp { network("10.13.33.125" transport("udp") port(5140) spoof-source(yes)); };<br>
</div>
<div>log { source(s_network); destination(d_syslog_tcp); };<br>
log { source(s_network); filter(f_default); destination(d_mesg); };<br>
# Source additional configuration files (.conf extension only)<br>
@include "/etc/syslog-ng/conf.d/*.conf"<br>
</div>
<div><br>
</div>
<div>The strange thing is that when I enable spoof-source, some packets are not transmitted to the destination. tcpdump even says they are sent, but I don't see some logs on the destination box.</div>
<div>Could it be something with the spoof_source command? Also, I didn't compile it myself because I saw that the SPOOF functionality is on in the syslog-ng -V output.</div>
<div><br>
</div>
<div>Any suggestions?</div>
<div><br>
</div>
<div>Thanks</div>
</div>
</div>
</div>
</div>
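<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
The symptom in the quoted message, packets that tcpdump shows leaving the relay but that never show up at the destination, is easiest to pin down by diffing the two capture points rather than eyeballing them. The following is an added example (not from the thread and not syslog-ng code): a POSIX shell snippet that takes one syslog payload per line from each side, lists the messages that were sent but never received, and reports the longest message on each side so that a size pattern stands out. The message texts are constructed sample data; how the payload lines are extracted from the two captures (for instance from tcpdump -A output on the relay and on the destination) is assumed and not shown.</div>

```sh
#!/bin/sh
# Added example (not from the thread): diff syslog payloads captured on the
# relay against those captured on the destination to see which messages vanished.
# Inputs are one payload per line, extracted from each capture beforehand
# (extraction step assumed, not shown). The message texts are constructed samples.

SENT='<134>Apr  8 19:57:01 web01 nginx: GET /index.html 200
<134>Apr  8 19:57:02 web01 nginx: GET /api/v1/items?page=1&sort=name&filter=active 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
<86>Apr  8 19:57:03 web01 sshd[1234]: Accepted publickey for admin
<134>Apr  8 19:57:04 web01 nginx: GET /health 200'

RECV='<134>Apr  8 19:57:01 web01 nginx: GET /index.html 200
<86>Apr  8 19:57:03 web01 sshd[1234]: Accepted publickey for admin
<134>Apr  8 19:57:04 web01 nginx: GET /health 200'

# Lines present in the sent set but absent from the received set.
# Both sides are sorted and de-duplicated so comm(1) can compare them.
missing_messages() {
    sent_f=$(mktemp) || return 1
    recv_f=$(mktemp) || return 1
    printf '%s\n' "$1" | sort -u > "$sent_f"
    printf '%s\n' "$2" | sort -u > "$recv_f"
    comm -23 "$sent_f" "$recv_f"
    rm -f "$sent_f" "$recv_f"
}

# Number of non-blank lines in a message set (0 for an empty set).
count_messages() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true
}

# Longest line in a message set, in bytes. Comparing this for the delivered
# and the missing messages shows whether the losses correlate with size.
max_length() {
    printf '%s\n' "$1" | awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}

# Human-readable comparison of the two capture points.
summary() {
    missing=$(missing_messages "$SENT" "$RECV")
    echo "sent: $(count_messages "$SENT"), received: $(count_messages "$RECV"), missing: $(count_messages "$missing")"
    echo "longest delivered: $(max_length "$RECV") bytes, longest missing: $(max_length "$missing") bytes"
    if [ -n "$missing" ]; then
        printf 'missing messages:\n%s\n' "$missing"
    fi
}

summary
```

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Capture on both ends at the same time (on the relay: udp and dst port 5140; on the destination: udp and dst port 5140 and src host the spoofed client address), extract the payloads, and run the comparison. If the relay's capture already lacks the messages, the problem is in syslog-ng or the sending host; if they leave the relay but never appear at the destination, look at the path and at the receiver's rp_filter and firewall settings as suggested in the reply above.</div>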
</body>
</html>