Hello! We're using Shorewall 1.4.2 and running into an interesting problem when we try to enable logging of traffic that netfilter classifies as "related" to an existing connection: there doesn't seem to be a way to do it.

Places where we've run into this problem are:

(1) Attempting to log individual active or passive FTP data connections separately from their overriding control connection
(2) Attempting to log ICMP error messages

In both cases, it seems as though, although we can write Shorewall rules that would seem to cover these cases, they are never reached in practice because the first rule Shorewall always writes into a chain is one that ACCEPTs traffic matching states ESTABLISHED or RELATED.

Does anyone have any suggestions for how we can log "related" traffic?

Thanks!

Tim
On Thu, 24 Jul 2003 10:45:45 +0900, Tim Burress <tim@ambisys.com> wrote:

> Does anyone have any suggestions for how we can log "related" traffic?

Shorewall is oriented more towards security than accounting -- if you need to log related connections, you should consider using another firewall configuration tool.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Wed, 23 Jul 2003 20:55:39 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Thu, 24 Jul 2003 10:45:45 +0900, Tim Burress <tim@ambisys.com> wrote:
>
>> Does anyone have any suggestions for how we can log "related" traffic?
>
> Shorewall is oriented more towards security than accounting -- if you
> need to log related connections, you should consider using another
> firewall configuration tool.

Or if you want to study the Shorewall-generated ruleset, you can probably do what you want by supplying a Shorewall extension (http://www.shorewall.net/shorewall_extension_scripts.htm)

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Wed, 2003-07-23 at 21:05, Tom Eastep wrote:

> Or if you want to study the Shorewall-generated ruleset, you can probably do
> what you want by supplying a Shorewall extension
> (http://www.shorewall.net/shorewall_extension_scripts.htm)

To log related TCP connections from the net to your local network, you can use something like:

    run_iptables -I net2loc -m state --state RELATED \
        -p tcp --syn -j LOG --log-level info \
        --log-prefix "Shorewall:net2loc:ACCEPT"

Just be aware that this rule will be tested for every packet that traverses the firewall from the net zone to the dmz zone.

A couple of other observations:

a) Such logging is not really suitable for auditing since the Netfilter logging mechanisms are strictly "best effort". Consequently, the absence of a record for a particular connection in the logs does not imply that the connection did not occur. Similarly, the presence of a log message in the log only indicates that an attempt at the connection was made -- it does not indicate whether the connection was successfully negotiated.

b) Proxies offer more robust logging than does Netfilter.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
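An added example, not from this thread or the Shorewall project, of what such an extension script could look like: it inserts LOG rules for both RELATED cases Tim asked about (FTP data SYNs and ICMP errors) ahead of the ESTABLISHED,RELATED ACCEPT, and adds a small helper to tally the resulting log lines. It assumes the script is sourced from a Shorewall 1.4 extension hook such as /etc/shorewall/start, that run_iptables is provided by Shorewall there, and that the kernel has the limit match; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example (not the thread's or Shorewall's own code). Assumed to be
# sourced as a Shorewall 1.4 extension script, e.g. /etc/shorewall/start,
# where Shorewall defines run_iptables. Outside Shorewall this fallback
# only prints the commands, so the script can be exercised on a dry run.
command -v run_iptables >/dev/null 2>&1 || run_iptables() { printf 'iptables %s\n' "$*"; }

# add_related_logging CHAIN PREFIX
# -I puts each LOG rule ahead of the ESTABLISHED,RELATED ACCEPT rule that
# Shorewall writes first, which is why ordinary rules never see this traffic.
#   1. first SYN of an FTP data connection (active or passive)
#   2. ICMP error messages tied to an existing connection
# The limit match (assumption: ipt_limit is available) keeps a burst of
# RELATED packets from flooding syslog, since these rules see every packet.
add_related_logging() {
    chain=$1
    prefix=$2
    run_iptables -I "$chain" -m state --state RELATED -p tcp --syn \
        -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-level info --log-prefix "${prefix}:RELATED:tcp:"
    run_iptables -I "$chain" -m state --state RELATED -p icmp \
        -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-level info --log-prefix "${prefix}:RELATED:icmp:"
}

# count_related PREFIX  (reads syslog lines on stdin, prints "icmp=N,tcp=M")
# Each line is an attempt only, and kernel logging is best effort, so the
# counts are indicative, not an audit record (Tom's caveat above).
count_related() {
    sed -n "s/.*$1:RELATED:\([a-z]*\):.*/\1/p" | sort | uniq -c |
        awk '{ printf "%s%s=%d", sep, $2, $1; sep = "," } END { print "" }'
}

# Constructed sample log lines (TEST-NET addresses) for the helper above.
SAMPLE_LOG='Jul 24 10:45:45 fw kernel: Shorewall:net2loc:RELATED:tcp:IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=20 DPT=37210 SYN
Jul 24 10:45:46 fw kernel: Shorewall:net2loc:RELATED:icmp:IN=eth0 OUT=eth1 SRC=203.0.113.1 DST=192.168.1.10 PROTO=ICMP TYPE=3 CODE=3
Jul 24 10:46:02 fw kernel: Shorewall:net2loc:RELATED:tcp:IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=20 DPT=37211 SYN'

add_related_logging net2loc "Shorewall:net2loc"
printf '%s\n' "$SAMPLE_LOG" | count_related "Shorewall:net2loc"
```

When sourced by Shorewall the two run_iptables calls apply to the live ruleset; run directly, the script just prints the iptables commands and the tally (icmp=1,tcp=2) from the sample lines.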