Dan Harkless
2003-Oct-09 17:40 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
Hello. I just upgraded to shorewall-1.4.7 and was trying to play with the new accounting feature, but it doesn't seem to do anything. I searched through the mailing list archives and didn't find an answer to this.

This particular box is a Red Hat Linux web/mail/DNS server with a single Ethernet interface.

I copied the first example from <http://www.shorewall.net/Accounting.html> into my 'accounting' file, but with the 'eth1's changed to 'eth0s', since I only have a single interface, and restarted shorewall. No warnings in the 'restart' output.

I generated some web traffic, and then did a 'shorewall show accounting', but the packet and byte counts were 0.

I next tried the second example from Accounting.html, but got the same 0-count results when doing a 'shorewall show web'.

I then tried changing one instance of "eth0" on each line to the name of my machine (in the appropriate position for source vs. dest.). No change.

Does accounting not work for single-interface machines or something? If it *is* supposed to work, any chance of a single-interface example in Accounting.html?

What I'd ultimately like is a setup that allows me to see a count for HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of all traffic going in and out of the machine. Damned if I can figure out how to do this from the docs, though.

Also, one unrelated question. Was it intentional that starting with shorewall 1.4.6c, the MD5 sums file is now just called "md5sums", rather than, e.g. "1.4.6c.md5sums", like it used to be? This is annoying because I download all my versions of shorewall to a single directory, meaning I must remember to rename "md5sums" after downloading it, so I don't clobber it next time. (I like to keep the old versions around in case I ever need to downgrade, diff old vs. new versions, etc.)

-- 
Dan Harkless
http://harkless.org/dan/
Tom Eastep
2003-Oct-09 18:05 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On Thu, 9 Oct 2003, Dan Harkless wrote:

> Hello. I just upgraded to shorewall-1.4.7 and was trying to play with the
> new accounting feature, but it doesn't seem to do anything. I searched
> through the mailing list archives and didn't find an answer to this.
>
> This particular box is a Red Hat Linux web/mail/DNS server with a single
> Ethernet interface.
>
> I copied the first example from <http://www.shorewall.net/Accounting.html>
> into my 'accounting' file, but with the 'eth1's changed to 'eth0s', since I
> only have a single interface, and restarted shorewall. No warnings in the
> 'restart' output.
>
> I generated some web traffic, and then did a 'shorewall show accounting',
> but the packet and byte counts were 0.
>
> I next tried the second example from Accounting.html, but got the same
> 0-count results when doing a 'shorewall show web'.
>
> I then tried changing one instance of "eth0" on each line to the name of my
> machine (in the appropriate position for source vs. dest.). No change.
>
> Does accounting not work for single-interface machines or something?

Works fine here -- just be sure that the Destination column is blank or contains "all", "any" or "-".

> If it *is* supposed to work, any chance of a single-interface example in
> Accounting.html?
>
> What I'd ultimately like is a setup that allows me to see a count for
> HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> all traffic going in and out of the machine. Damned if I can figure out how
> to do this from the docs, though.
>
> Also, one unrelated question. Was it intentional that starting with
> shorewall 1.4.6c, the MD5 sums file is now just called "md5sums", rather
> than, e.g. "1.4.6c.md5sums", like it used to be? This is annoying because I
> download all my versions of shorewall to a single directory, meaning I must
> remember to rename "md5sums" after downloading it, so I don't clobber it
> next time. (I like to keep the old versions around in case I ever need to
> downgrade, diff old vs. new versions, etc.)

Since each release now has its own directory that contains all of the files, I just haven't bothered to uniquely rename the md5sum files.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Dan Harkless
2003-Oct-09 18:31 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On October 9, 2003, Tom Eastep <teastep@shorewall.net> wrote:
> Works fine here -- just be sure that the Destination column is blank or
> contains "all", "any" or "-".

Ah. The accounting documentation doesn't say anything about that. It says you can use:

    The name of an interface, an address (host or net) or an interface name
    followed by ":" and a host or net address.

Perhaps in your definition, "all", "any", and "-" count as "an address", but that could be made a whole bunch more clear.

That didn't help, though:

www-root> diff -u accounting.orig accounting
--- accounting.orig 2003-10-06 15:14:39.000000000 -0700
+++ accounting 2003-10-09 18:09:46.000000000 -0700
@@ -69,5 +69,7 @@
 #
 #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
 # PORT PORT
+DONE - any eth0 tcp 80
+DONE - eth0 any tcp - 80
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

www-root> GET http://www/ | head -4
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Harkless.org -- The website of the Harkless family</TITLE>

www-root> shorewall show accounting
Shorewall-1.4.7 Chain accounting at www - Thu Oct 9 18:17:12 PDT 2003

Counters reset Thu Oct 9 18:09:52 PDT 2003

Chain accounting (3 references)
 pkts bytes target prot opt in out source destination
 0 0 RETURN tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 0 0 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:80

Other relevant configuration info:

www-root> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:2c:02:fb:88 brd ff:ff:ff:ff:ff:ff
    inet 207.12.255.2/24 brd 207.12.255.255 scope global eth0

www-root> ip route show
207.12.255.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 207.12.255.1 dev eth0

(That 169.254.0.0/16 scared the hell out of me until I did some research and found out it's some sort of goofy Windows interoperability thing Red Hat stuck in in version 9. I now have NOZEROCONF=yes in /etc/sysconfig/network-scripts/ifcfg-eth0 to get rid of it next time I reboot.)

www-root> diff -u interfaces.orig interfaces
--- interfaces.orig 2003-10-06 15:14:39.000000000 -0700
+++ interfaces 2003-10-09 15:51:23.000000000 -0700
@@ -142,4 +142,6 @@
 # net ppp0 -
 ##############################################################################
 #ZONE INTERFACE BROADCAST OPTIONS
+net eth0 detect routefilter,tcpflags
+#net eth0 detect tcpflags
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

www-root> diff -u policy.orig policy
--- policy.orig 2003-10-06 15:14:39.000000000 -0700
+++ policy 2003-10-09 15:56:17.000000000 -0700
@@ -73,7 +73,7 @@
 ###############################################################################
 #SOURCE DEST POLICY LOG LIMIT:BURST
 # LEVEL
-loc net ACCEPT
+fw net ACCEPT
 net all DROP info
 #
 # THE FOLLOWING POLICY MUST BE LAST

www-root> diff -u rules.orig rules | fgrep 80
+ACCEPT net fw tcp 80

www-root> diff -u zones.orig zones
--- zones.orig 2003-10-06 15:14:39.000000000 -0700
+++ zones 2003-10-09 16:01:58.000000000 -0700
@@ -14,6 +14,4 @@
 #
 #ZONE DISPLAY COMMENTS
 net Net Internet
-loc Local Local networks
-dmz DMZ Demilitarized zone
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

> > What I'd ultimately like is a setup that allows me to see a count for
> > HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> > all traffic going in and out of the machine. Damned if I can figure out how
> > to do this from the docs, though.

Any comment on this? Even if I can get this working for port 80, it's still not clear to me what the right syntax would be to have dedicated chains for a few protocols and then a "master" chain counting all traffic. Accounting.html could use another example or two.

> > Also, one unrelated question. Was it intentional that starting with
> > shorewall 1.4.6c, the MD5 sums file is now just called "md5sums", rather
> > than, e.g. "1.4.6c.md5sums", like it used to be? This is annoying because I
> > download all my versions of shorewall to a single directory, meaning I must
> > remember to rename "md5sums" after downloading it, so I don't clobber it
> > next time. (I like to keep the old versions around in case I ever need to
> > downgrade, diff old vs. new versions, etc.)
>
> Since each release now has its own directory that contains all of the
> files, I just haven't bothered to uniquely rename the md5sum files.

Yeah, I figured that was the reason behind it. I just wanted to point out that people downloading shorewall aren't likely to maintain such a directory structure on their own machine (esp. since they'll generally just be downloading two files per release: one "flavor" of shorewall (e.g. RPM), plus the md5sums file). This requires renaming after each download to prevent future clobbering.

-- 
Dan Harkless
http://harkless.org/dan/
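Review bot: the accounting hunk has its port columns inverted for a web server. The "shorewall show accounting" output in this message shows how the columns map: an interface in SOURCE becomes the iptables "in" interface and one in DESTINATION becomes "out", so "DONE - any eth0 tcp 80" counts packets leaving eth0 with destination port 80 and "DONE - eth0 any tcp - 80" counts packets arriving on eth0 with source port 80, which is traffic from this box acting as an HTTP client. Requests to the local web server arrive on eth0 with destination port 80 and the replies leave eth0 with source port 80, so the two lines should read "DONE - eth0 any tcp 80" and "DONE - any eth0 tcp - 80".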
Tom Eastep
2003-Oct-09 18:55 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On Thu, 9 Oct 2003, Dan Harkless wrote:

> On October 9, 2003, Tom Eastep <teastep@shorewall.net> wrote:
> > Works fine here -- just be sure that the Destination column is blank or
> > contains "all", "any" or "-".
>
> Ah. The accounting documentation doesn't say anything about that. It says
> you can use:
>
>     The name of an interface, an address (host or net) or an interface name
>     followed by ":" and a host or net address.
>
> Perhaps in your definition, "all", "any", and "-" count as "an address", but
> that could be made a whole bunch more clear.

Both the HTML documentation and the accounting file point out that in all columns except the ACTION and CHAIN columns, the values "any", "all" and "-" may be used as wildcards.

> That didn't help, though:
>
> www-root> diff -u accounting.orig accounting
> --- accounting.orig 2003-10-06 15:14:39.000000000 -0700
> +++ accounting 2003-10-09 18:09:46.000000000 -0700
> @@ -69,5 +69,7 @@
>  #
>  #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
>  # PORT PORT
> +DONE - any eth0 tcp 80
> +DONE - eth0 any tcp - 80
>  #

Well, I wouldn't expect those rules to work on an HTTP server where the outgoing traffic will have source port 80 and the incoming traffic will have destination port 80; you have them the other way around.

> > > What I'd ultimately like is a setup that allows me to see a count for
> > > HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> > > all traffic going in and out of the machine. Damned if I can figure out how
> > > to do this from the docs, though.
>
> Any comment on this?

No. Any comments that I might make tonight, I would probably regret in the morning.

> Even if I can get this working for port 80, it's still
> not clear to me what the right syntax would be to have dedicated chains for
> a few protocols and then a "master" chain counting all traffic.
> Accounting.html could use another example or two.

I'll try to get something added this weekend...

> Yeah, I figured that was the reason behind it. I just wanted to point out
> that people downloading shorewall aren't likely to maintain such a directory
> structure on their own machine (esp. since they'll generally just be
> downloading two files per release: one "flavor" of shorewall (e.g. RPM),
> plus the md5sums file). This requires renaming after each download to
> prevent future clobbering.

No comment.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Dan Harkless
2003-Oct-09 19:14 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On October 9, 2003, Tom Eastep <teastep@shorewall.net> wrote:
> > The name of an interface, an address (host or net) or an interface name
> > followed by ":" and a host or net address.
> >
> > Perhaps in your definition, "all", "any", and "-" count as "an address", but
> > that could be made a whole bunch more clear.
>
> Both the HTML documentation and the accounting file point out that in all
> columns except the ACTION and CHAIN columns, the values "any", "all" and
> "-" may be used as wildcards.

Okay, I see it now. Thanks. I was looking specifically at the SOURCE and DESTINATION descriptions.

> > That didn't help, though:
> >
> > www-root> diff -u accounting.orig accounting
> > --- accounting.orig 2003-10-06 15:14:39.000000000 -0700
> > +++ accounting 2003-10-09 18:09:46.000000000 -0700
> > @@ -69,5 +69,7 @@
> >  #
> >  #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
> >  # PORT PORT
> > +DONE - any eth0 tcp 80
> > +DONE - eth0 any tcp - 80
> >  #
>
> Well, I wouldn't expect those rules to work on an HTTP server where the
> outgoing traffic will have source port 80 and the incoming traffic will
> have destination port 80; you have them the other way around.

Umm, are you sure?? The first line has "any" as the source and "eth0" as the DESTINATION. "" as the source port, and "80" as the destination (a little confusing since the field order is SOURCE DEST ... DEST SOURCE). That's any machine on the network, going to my external interface, hitting my port 80 (from any source port). The next line is the reverse of that. That sure looks correct to me...

For the heck of it, though, I tried reversing "any" and "eth0" on the two lines, restarted shorewall, generated some traffic, and still got 0 counts.

> > > > What I'd ultimately like is a setup that allows me to see a count for
> > > > HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> > > > all traffic going in and out of the machine. Damned if I can figure out how
> > > > to do this from the docs, though.
> >
> > Any comment on this?
>
> No. Any comments that I might make tonight, I would probably regret
> in the morning.

Uhh, okay... Guess I caught you at a bad time. I'll hold off any followups to that question until at least the port-80-only case is working.

> > Accounting.html could use another example or two.
>
> I'll try to get something added this weekend...

Excellent.

> > Yeah, I figured that was the reason behind it. I just wanted to point out
> > that people downloading shorewall aren't likely to maintain such a directory
> > structure on their own machine (esp. since they'll generally just be
> > downloading two files per release: one "flavor" of shorewall (e.g. RPM),
> > plus the md5sums file). This requires renaming after each download to
> > prevent future clobbering.
>
> No comment.

Hmm. I'd feel better if you'd say, "Noted, but I'm too busy to run the 'mv' command once per release so all the downloaders don't have to worry about file clobbering issues" than just the mysterious "No comment".

-- 
Dan Harkless
http://harkless.org/dan/
Tom Eastep
2003-Oct-09 19:35 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On Thu, 2003-10-09 at 19:12, Dan Harkless wrote:
> On October 9, 2003, Tom Eastep <teastep@shorewall.net> wrote:
> > > The name of an interface, an address (host or net) or an interface name
> > > followed by ":" and a host or net address.
> > >
> > > Perhaps in your definition, "all", "any", and "-" count as "an address", but
> > > that could be made a whole bunch more clear.
> >
> > Both the HTML documentation and the accounting file point out that in all
> > columns except the ACTION and CHAIN columns, the values "any", "all" and
> > "-" may be used as wildcards.
>
> Okay, I see it now. Thanks. I was looking specifically at the SOURCE and
> DESTINATION descriptions.
>
> > > That didn't help, though:
> > >
> > > www-root> diff -u accounting.orig accounting
> > > --- accounting.orig 2003-10-06 15:14:39.000000000 -0700
> > > +++ accounting 2003-10-09 18:09:46.000000000 -0700
> > > @@ -69,5 +69,7 @@
> > >  #
> > >  #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
> > >  # PORT PORT
> > > +DONE - any eth0 tcp 80
> > > +DONE - eth0 any tcp - 80
> > >  #
> >
> > Well, I wouldn't expect those rules to work on an HTTP server where the
> > outgoing traffic will have source port 80 and the incoming traffic will
> > have destination port 80; you have them the other way around.
>
> Umm, are you sure?? The first line has "any" as the source and "eth0" as
> the DESTINATION. "" as the source port, and "80" as the destination (a
> little confusing since the field order is SOURCE DEST ... DEST SOURCE).
> That's any machine on the network, going to my external interface, hitting
> my port 80 (from any source port). The next line is the reverse of that.
> That sure looks correct to me...

From my server (with one interface - eth0). I just threw this together...

[root@lists root]# tail /etc/shorewall/accounting
#
# Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file.
#
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
# PORT PORT
DONE - eth0 any tcp 80
DONE - any eth0 tcp - 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
[root@lists root]# shorewall show accounting
Shorewall-1.4.7 Chain accounting at lists.shorewall.net - Thu Oct 9 19:32:31 PDT 2003

Counters reset Thu Oct 9 19:32:16 PDT 2003

Chain accounting (3 references)
 pkts bytes target prot opt in out source destination
 8 635 RETURN tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 5 1594 RETURN tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80
[root@lists root]# shorewall version
1.4.7
[root@lists root]#

> For the heck of it, though, I tried reversing "any" and "eth0" on the two
> lines, restarted shorewall, generated some traffic, and still got 0 counts.

See above.

> > > > > What I'd ultimately like is a setup that allows me to see a count for
> > > > > HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> > > > > all traffic going in and out of the machine. Damned if I can figure out how
> > > > > to do this from the docs, though.
> > >
> > > Any comment on this?
> >
> > No. Any comments that I might make tonight, I would probably regret
> > in the morning.
>
> Uhh, okay... Guess I caught you at a bad time. I'll hold off any followups
> to that question until at least the port-80-only case is working.

Thanks -- I've had a hell of a day.

> > > Accounting.html could use another example or two.
> >
> > I'll try to get something added this weekend...
>
> Excellent.
>
> > > Yeah, I figured that was the reason behind it. I just wanted to point out
> > > that people downloading shorewall aren't likely to maintain such a directory
> > > structure on their own machine (esp. since they'll generally just be
> > > downloading two files per release: one "flavor" of shorewall (e.g. RPM),
> > > plus the md5sums file). This requires renaming after each download to
> > > prevent future clobbering.
> >
> > No comment.
>
> Hmm. I'd feel better if you'd say, "Noted, but I'm too busy to run the 'mv'
> command once per release so all the downloaders don't have to worry about
> file clobbering issues" than just the mysterious "No comment".

Fine Dan -- wouldn't want to tire your fingers. I'll try to do better in the future....

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Dan Harkless
2003-Oct-09 20:10 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On October 9, 2003, Tom Eastep <teastep@shorewall.net> wrote:
> > Umm, are you sure?? The first line has "any" as the source and "eth0" as
> > the DESTINATION. "" as the source port, and "80" as the destination (a
> > little confusing since the field order is SOURCE DEST ... DEST SOURCE).
> > That's any machine on the network, going to my external interface, hitting
> > my port 80 (from any source port). The next line is the reverse of that.
> > That sure looks correct to me...
>
> From my server (with one interface - eth0). I just threw this
> together...
>
> [root@lists root]# tail /etc/shorewall/accounting
> #
> # Please see http://shorewall.net/Accounting.html for examples and
> # additional information about how to use this file.
> #
> #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE
> # PORT PORT
> DONE - eth0 any tcp 80
> DONE - any eth0 tcp - 80
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> [root@lists root]# shorewall show accounting
> Shorewall-1.4.7 Chain accounting at lists.shorewall.net - Thu Oct 9
> 19:32:31 PDT 2003
>
> Counters reset Thu Oct 9 19:32:16 PDT 2003
>
> Chain accounting (3 references)
> pkts bytes target prot opt in out source
> destination
> 8 635 RETURN tcp -- eth0 * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80
> 5 1594 RETURN tcp -- * eth0 0.0.0.0/0
> 0.0.0.0/0 tcp spt:80
> [root@lists root]# shorewall version
> 1.4.7
> [root@lists root]#
>
> > For the heck of it, though, I tried reversing "any" and "eth0" on the two
> > lines, restarted shorewall, generated some traffic, and still got 0 counts.
>
> See above.

Okay, I think I see why I wasn't seeing any results. After reversing "eth0" and "any" to match the order you specify above, I tried that 'GET http://www/' command I showed before, and the counters remained 0. However, if I generate some traffic from an *external* machine, the counts do go up now.

Is it the case that the:

    fw net ACCEPT

line I have in 'policy' prevents accounting from being done on traffic originating from the machine itself? If so, that might be worth documenting in Accounting.html.

I still don't understand why the order you give above is correct, though, unless the "DEST PORT" and "SOURCE PORT" columns are just mis-labeled. To take the second line as an example, if we're talking about traffic from 'any', going to my 'eth0' interface, why should the SOURCE PORT be 80? If it's traffic to my webserver, shouldn't 80 be the DEST PORT...?

> > Uhh, okay... Guess I caught you at a bad time. I'll hold off any followups
> > to that question until at least the port-80-only case is working.
>
> Thanks -- I've had a hell of a day.

My condolences. Now that port 80 is working, I'll poke around to see if I can get the full setup working before doing any further querying on that.

> > > > Yeah, I figured that was the reason behind it. I just wanted to
> > > > point out that people downloading shorewall aren't likely to
> > > > maintain such a directory structure on their own machine (esp. since
> > > > they'll generally just be downloading two files per release: one
> > > > "flavor" of shorewall (e.g. RPM), plus the md5sums file). This
> > > > requires renaming after each download to prevent future clobbering.
> > >
> > > No comment.
> >
> > Hmm. I'd feel better if you'd say, "Noted, but I'm too busy to run the 'mv'
> > command once per release so all the downloaders don't have to worry about
> > file clobbering issues" than just the mysterious "No comment".
>
> Fine Dan -- wouldn't want to tire your fingers. I'll try to do better in
> the future....

And I wouldn't want you to tire yours! ;^> I'm just trying to decrease entropy in the universe. If you did the 'mv' once on your end, you'd save your users (who keep multiple versions) from all having to do it on an individual basis. I wouldn't even have mentioned it, except that you used to do it that way (and were still doing it for a couple versions after putting each release in its own subdirectory).

-- 
Dan Harkless
http://harkless.org/dan/
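The two questions left open in this message (why Tom's column order is the right one for a server, and why a GET run on the box itself is never counted) can be worked through with a small model. This is an added example, not Shorewall's code nor anything from the thread: it turns 1.4.7 accounting lines into the iptables match they produce, using the column mapping visible in the 'shorewall show accounting' output above (a SOURCE interface becomes the "in" interface, a DESTINATION interface the "out" interface, DONE becomes RETURN), and then runs constructed packets through the rules. The packets, port numbers and the loopback detail are assumptions of the example: a request from the box to its own address is delivered by Linux over lo rather than eth0, which is why neither set of eth0 rules counts it.

```python
"""Model of how a Shorewall 1.4 /etc/shorewall/accounting line becomes an
iptables match and which packets it counts.  Constructed example, not
Shorewall's own code; the column mapping is the one visible in the thread's
'shorewall show accounting' output.  Address matching is omitted from Packet."""
from dataclasses import dataclass

WILDCARDS = {"-", "any", "all"}


@dataclass(frozen=True)
class Packet:
    """One packet as netfilter sees it; "" means no interface (shown as *)."""
    in_iface: str
    out_iface: str
    proto: str
    sport: int
    dport: int


def _split_endpoint(col):
    """'eth0' / '10.0.0.5' / 'eth0:10.0.0.0/24' -> (iface or None, addr or None)."""
    if col in WILDCARDS:
        return None, None
    if ":" in col:
        iface, addr = col.split(":", 1)
        return iface, addr
    return (None, col) if col[0].isdigit() else (col, None)


def parse_accounting_line(line):
    """Columns: ACTION CHAIN SOURCE DESTINATION PROTO DESTPORT SOURCEPORT.
    Trailing columns may be omitted, as in the lines quoted in the thread."""
    action, chain, src, dst, proto, dport, sport = (line.split() + ["-"] * 7)[:7]
    in_if, s_addr = _split_endpoint(src)
    out_if, d_addr = _split_endpoint(dst)
    return {
        "chain": "accounting" if chain in WILDCARDS else chain,
        "in": in_if, "out": out_if, "src": s_addr, "dst": d_addr,
        "proto": None if proto in WILDCARDS else proto,
        "dport": None if dport in WILDCARDS else int(dport),
        "sport": None if sport in WILDCARDS else int(sport),
        "target": "RETURN" if action == "DONE" else None,  # COUNT has no -j
    }


def to_iptables(rule):
    """Render the rule the way iptables -A would be invoked for it."""
    parts = ["-A", rule["chain"]]
    for flag, key in (("-i", "in"), ("-o", "out"), ("-s", "src"), ("-d", "dst"),
                      ("-p", "proto"), ("--dport", "dport"), ("--sport", "sport")):
        if rule[key] is not None:
            parts += [flag, str(rule[key])]
    if rule["target"]:
        parts += ["-j", rule["target"]]
    return " ".join(parts)


def matches(rule, pkt):
    """True if the netfilter rule built from this line would count pkt."""
    wanted = ((rule["in"], pkt.in_iface), (rule["out"], pkt.out_iface),
              (rule["proto"], pkt.proto), (rule["dport"], pkt.dport),
              (rule["sport"], pkt.sport))
    return all(want is None or want == have for want, have in wanted)


def count_hits(lines, packets):
    """How many of the packets at least one of the accounting lines counts."""
    rules = [parse_accounting_line(ln) for ln in lines]
    return sum(any(matches(r, p) for r in rules) for p in packets)


# Constructed packets: an outside client's request and the server's reply on
# eth0, and both halves of a 'GET http://www/' issued on the box itself, which
# Linux delivers over the loopback interface, so no eth0 rule ever sees it.
EXTERNAL_REQUEST = Packet("eth0", "", "tcp", 40123, 80)
SERVER_REPLY = Packet("", "eth0", "tcp", 80, 40123)
LOCAL_REQUEST_OUT = Packet("", "lo", "tcp", 35000, 80)
LOCAL_REQUEST_IN = Packet("lo", "", "tcp", 35000, 80)

DAN_LINES = ["DONE - any eth0 tcp 80", "DONE - eth0 any tcp - 80"]
TOM_LINES = ["DONE - eth0 any tcp 80", "DONE - any eth0 tcp - 80"]
```

Rendering DAN_LINES with to_iptables gives "-o eth0 ... --dport 80" and "-i eth0 ... --sport 80", which count the box as an HTTP client; TOM_LINES give "-i eth0 ... --dport 80" and "-o eth0 ... --sport 80", which count it as the server, matching the pkts column in Tom's output.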
Dan Harkless
2003-Oct-28 19:10 UTC
[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine
On October 9, 2003, "Dan Harkless" <shorewall-users@harkless.org> wrote:

[...]

> Also, one unrelated question. Was it intentional that starting with
> shorewall 1.4.6c, the MD5 sums file is now just called "md5sums", rather
> than, e.g. "1.4.6c.md5sums", like it used to be? This is annoying because I
> download all my versions of shorewall to a single directory, meaning I must
> remember to rename "md5sums" after downloading it, so I don't clobber it
> next time. (I like to keep the old versions around in case I ever need to
> downgrade, diff old vs. new versions, etc.)

Hi, Tom. I was just upgrading from 1.4.7 to 1.4.7c and I see you went back to the old more-convenient-for-the-end-user 1.4.7c.md5sums naming convention. Thanks -- you rock.

-- 
Dan Harkless
http://harkless.org/dan/