Hi, I managed to get traffic flowing on the bridge already. I didn't realise that shorewall would restrict traffic on the bridge since it does not have an IP address.

shorewall 2.4.2
eth0/2 - Bridged (No IP)
eth1   - IP - 192.x.x.x

eth0 and eth2 act as a bridge between the gateway router and the local network. Traffic passes through with no problem when I put in "br0 loc routeback" in /etc/shorewall/interfaces. br0 is not defined anywhere else.

Is it possible for me to put some sort of logging info on this interface? eg: br0:info or something?

Thanks
--
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 14:52:01 up 4 days, 1:25, 4 users, load average: 3.05, 1.38, 1.32
On Monday 20 February 2006 22:56, Ow Mun Heng wrote:

> Is it possible for me to put some sort of logging info on this
> interface? eg: br0:info or something?

Yes. But you have to use normal logging rules in /etc/shorewall/rules.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 2006-02-21 at 07:45 -0800, Tom Eastep wrote:
> On Monday 20 February 2006 22:56, Ow Mun Heng wrote:
> > Is it possible for me to put some sort of logging info on this
> > interface? eg: br0:info or something?
>
> Yes. But you have to use normal logging rules in /etc/shorewall/rules.

Okay.. So, would this be the way? (Just need to confirm since the box is remote and I don't want to shoot myself in the foot again.)

    ACTION        SRC   DST   Proto
    ACCEPT:info   net   loc   all

Thanks
--
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 11:51:42 up 13:26, 6 users, load average: 0.14, 0.19, 0.37
On Tuesday 21 February 2006 19:51, Ow Mun Heng wrote:
> On Tue, 2006-02-21 at 07:45 -0800, Tom Eastep wrote:
> > On Monday 20 February 2006 22:56, Ow Mun Heng wrote:
> > > Is it possible for me to put some sort of logging info on this
> > > interface? eg: br0:info or something?
> >
> > Yes. But you have to use normal logging rules in /etc/shorewall/rules.
>
> Okay.. So, would this be the way? (Just need to confirm since the box is
> remote and I don't want to shoot myself in the foot again.)
>
>     ACTION        SRC   DST   Proto
>     ACCEPT:info   net   loc   all

How could we POSSIBLY know? You are showing us one rule out of a complete IP/Netfilter configuration and asking us if it is correct!

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2006-02-22 at 07:13 -0800, Tom Eastep wrote:
> On Tuesday 21 February 2006 19:51, Ow Mun Heng wrote:
> > On Tue, 2006-02-21 at 07:45 -0800, Tom Eastep wrote:
> > > On Monday 20 February 2006 22:56, Ow Mun Heng wrote:
> > > > Is it possible for me to put some sort of logging info on this
> > > > interface? eg: br0:info or something?
> > >
> > > Yes. But you have to use normal logging rules in /etc/shorewall/rules.
> >
> > Okay.. So, would this be the way? (Just need to confirm since the box is
> > remote and I don't want to shoot myself in the foot again.)
> >
> >     ACTION        SRC   DST   Proto
> >     ACCEPT:info   net   loc   all
>
> How could we POSSIBLY know?

Sorry for the ambiguity.

> You are showing us one rule out of a complete
> IP/Netfilter configuration and asking us if it is correct!

/etc/shorewall/interfaces

    net   eth1   detect   dhcp,routefilter,norfc1918,tcpflags
    loc   br0    detect   routeback

/etc/shorewall/rules

    ACCEPT   net   fw   tcp   22
    ACCEPT   net   fw   tcp   443

That's about it. So, adding this would be correct to get packets going through the bridge logged?

    ACCEPT:info   net   loc   all

Thanks.

> -Tom

--
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!!
Neuromancer 12:30:32 up 1 day, 14:05, 4 users, load average: 3.09, 2.66, 2.05
Ow Mun Heng wrote:
> ...
> That's about it. So, adding this would be correct to get packets going
> through the bridge logged?
>
>     ACCEPT:info   net   loc   all

No. If you want to log everything going through br0, you should use two policies - loc2all & all2loc.

Tell us what you're trying to achieve and why, rather than the nitty gritty of your problem. There's probably a much better way to do it with another tool, like iptraf or ethereal.

Paul
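As an added illustration (not part of the thread, and not the poster's or Paul's file), here is how Paul's loc2all/all2loc suggestion would look in /etc/shorewall/policy for the zones the poster showed (net on eth1, loc on br0, plus the firewall zone fw). The fw entry and the claim about how Shorewall 2.4 treats intra-zone loc traffic are assumptions; the ordering is chosen so that turning on logging for loc does not also widen what net may reach.

```conf
# /etc/shorewall/policy -- added example, not the poster's configuration.
# Shorewall reads this file top to bottom and the first SOURCE/DEST match
# wins, so the restrictive net entry is listed before the broad loc entries.
#
#SOURCE   DEST   POLICY   LOG LEVEL
# The firewall's own outbound traffic (assumed; the thread does not show it).
fw        all    ACCEPT
# Keep the existing posture for the net zone (eth1). The tcp/22 and tcp/443
# entries in /etc/shorewall/rules are evaluated before this policy, so remote
# ssh/https to fw keeps working while everything else from net is dropped.
net       all    DROP     info
# Bridged traffic (eth0 <-> eth2) enters and leaves through br0, so Shorewall
# sees it as loc -> loc. Listing it explicitly avoids relying on the silent
# intra-zone accept (assumption about 2.4 behaviour; confirm with
# "shorewall show" after the restart).
loc       loc    ACCEPT   info
# Paul's loc2all and all2loc, each logged at level info.
loc       all    ACCEPT   info
all       loc    ACCEPT   info
# Anything not matched above is rejected and logged.
all       all    REJECT   info
```

Because the box is remote, run "shorewall check" first and then load the new files with "shorewall try /etc/shorewall 60", which reverts to the previous configuration after the timeout unless you confirm it; expect a noisy log, since every new connection crossing the bridge now produces a line at level info.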