Ilkka Tuohela
2002-Jul-01 08:25 UTC
[Shorewall-devel] Shorewall connection logging question
I have a perfectly working shorewall system, with basic configuration (external real IP, one private address internal network with some forwarded services), and log handling with fwlogwatch.

My problem is that I can't find out how to make something like this with shorewall (TCP-connections only):
- Allow protocol x connections from IP x.x.x.x without logging
- Allow protocol x connections from anywhere, but log connection establishment packets (SYN-packets) for the connection

My problem is that I can't find how to define a rule to log only SYN-packets of a protocol: I'm really not interested in allowed traffic once the connection is established, but I'd like to get a notification in the fwlogwatch reports about connection attempts to, for example, my SSH-server.

Using plain iptables I can do this easily, but how do I define the rules with shorewall scripts?

-- 
 /"\ | Ilkka Tuohela / Nixu Oy
 \ / ASCII Ribbon Campaign | ilkka.tuohela@nixu.com
  X  Against HTML Mail | +358-40-5233174
 / \
On Mon, 1 Jul 2002, Ilkka Tuohela wrote:

> I have a perfectly working shorewall system, with basic configuration
> (external real IP, one private address internal network with some
> forwarded services), and log handling with fwlogwatch.
>
> My problem is that I can't find out how to make something like this
> with shorewall (TCP-connections only):
> - Allow protocol x connections from IP x.x.x.x without logging
> - Allow protocol x connections from anywhere, but log connection
> establishment packets (SYN-packets) for the connection
>
> My problem is that I can't find how to define a rule to log only
> SYN-packets of a protocol: I'm really not interested in allowed
> traffic once the connection is established, but I'd like to get a
> notification in the fwlogwatch reports about connection attempts to, for
> example, my SSH-server.
>
> Using plain iptables I can do this easily, but how do I define the
> rules with shorewall scripts?

Any entry in the rules file only affects connection requests -- for TCP, that means a SYN packet (ok -- there are cases where non-SYN packets are subjected to rules, but those occur if you reboot your firewall, which shouldn't occur that often). So just follow the instructions for the rules file and Shorewall will do what you want.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
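An added example of the two rules-file entries the question asks for (not from the original thread or the Shorewall documentation); the host address 203.0.113.10 is a constructed placeholder, and the `ACTION:level` logging syntax and the zone names `net` and `fw` are assumed to match the Shorewall version in use:

```text
# /etc/shorewall/rules (added example; 203.0.113.10 is a constructed placeholder)
#ACTION       SOURCE               DEST    PROTO   DEST PORT(S)
#
# Trusted admin host: accept SSH connection requests, no log entry.
ACCEPT        net:203.0.113.10     fw      tcp     22
#
# Everyone else: accept, but log each connection request at level info.
# Only connection requests reach the rules chain, so for TCP each
# logged packet is a SYN; established traffic is never logged here.
ACCEPT:info   net                  fw      tcp     22
```

Rules are matched in order, so the unlogged entry for the trusted host must come before the general logged one, otherwise the trusted host's connections would be logged as well.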
Ilkka Tuohela
2002-Jul-04 04:27 UTC
[Shorewall-devel] Shorewall connection logging question
On Wed, 03 Jul 2002, Tom Eastep wrote:

> On Mon, 1 Jul 2002, Ilkka Tuohela wrote:
>
> > I have a perfectly working shorewall system, with basic configuration
> > (external real IP, one private address internal network with some
> > forwarded services), and log handling with fwlogwatch.
> >
> > My problem is that I can't find out how to make something like this
> > with shorewall (TCP-connections only):
> > - Allow protocol x connections from IP x.x.x.x without logging
> > - Allow protocol x connections from anywhere, but log connection
> > establishment packets (SYN-packets) for the connection
> >
> > My problem is that I can't find how to define a rule to log only
> > SYN-packets of a protocol: I'm really not interested in allowed
> > traffic once the connection is established, but I'd like to get a
> > notification in the fwlogwatch reports about connection attempts to, for
> > example, my SSH-server.
> >
> > Using plain iptables I can do this easily, but how do I define the
> > rules with shorewall scripts?
>
> Any entry in the rules file only affects connection requests -- for TCP,
> that means a SYN packet (ok -- there are cases where non-SYN packets are
> subjected to rules, but those occur if you reboot your firewall, which
> shouldn't occur that often).

Ah, ok, I got this situation then: after running shorewall restart I had all my ssh packets logged, for example... I can't reproduce the problem anymore.

Thanks,
*hile*

-- 
 /"\ | Ilkka Tuohela / Nixu Oy
 \ / ASCII Ribbon Campaign | ilkka.tuohela@nixu.com
  X  Against HTML Mail | +358-40-5233174
 / \
Ilkka Tuohela wrote:

> I have a perfectly working shorewall system, with basic configuration
> (external real IP, one private address internal network with some
> forwarded services), and log handling with fwlogwatch.
>
> My problem is that I can't find out how to make something like this
> with shorewall (TCP-connections only):
> - Allow protocol x connections from IP x.x.x.x without logging
> - Allow protocol x connections from anywhere, but log connection
> establishment packets (SYN-packets) for the connection
>
> My problem is that I can't find how to define a rule to log only
> SYN-packets of a protocol: I'm really not interested in allowed
> traffic once the connection is established, but I'd like to get a
> notification in the fwlogwatch reports about connection attempts to, for
> example, my SSH-server.
>
> Using plain iptables I can do this easily, but how do I define the
> rules with shorewall scripts?

Hi Ilkka,

I'm not sure if this question was answered previously, but unless you've changed something, shorewall will always allow packets that are part of an existing connection. That means that the only things you should ever see in your logs for TCP connections are SYN packets, or packets that are not part of a valid connection. I can't recall ever having seen a non-SYN TCP packet in my logs. I guess now that stateful firewalls are so common, not too many people bother trying to fool the TCP stack anymore.

Paul
http://paulgear.webhop.net