Gilson Soares
2002-Apr-25 14:19 UTC
[Shorewall-users] Troubleshooting multiples zones traffic
I'd like to share a simple way of troubleshooting my recent Shorewall installation. I replaced a messy ipchains fw with hundreds of rules. The mess was due to our having a lot of subnets ("zones"), ports, incoming, outgoing, etc. to allow/deny, so as not to disturb all the apps and the peace we have. I gave up trying to understand the previ I gave up on converting it to shorewall and decided to send the ipchains rules to the trash and start from scratch. With shorewall, in a matter of half a day, everything was ok.

To face this situation I created all possible combinations between them. Imagine the possible traffic between FW, DMZ, ADM, TI, FIN, NET, ALL, etc. I created the POLICY file with dozens of lines like:

fw adm REJECT info
adm fw REJECT info
fw fin REJECT info
... etc

Afterwards, in the RULES file, I set up the common traffic (www, pop, smtp, https and a few others) to ACCEPT. After that I just sat down and kept watching the log messages:

- It shows me exactly the from/to zone (fin2adm), source ip (I know which machine/user) and destination port (DPT=???). I could "tail -f /var/log/messages|grep <user-ip>". It was a piece of cake to fine tune the rules file.

Imagine having a feature like: "shorewall [troubleshoot] start". In this case, all zone combinations would be generated on-the-fly as a POLICY REJECT INFO.

Any other ideas about troubleshooting complex networks?

Cheers
-Gilson
Tom Eastep
2002-Apr-25 14:33 UTC
[Shorewall-users] Troubleshooting multiples zones traffic
Gilson,

Thanks for sharing your experience with us.

On Thu, 25 Apr 2002, Gilson Soares wrote:
>
> Imagine having a feature like: "shorewall [troubleshoot] start".
> In this case, all zone combinations will be generated on-the-fly as a
> POLICY REJECT INFO.
>

In the mean time, you can copy your policy file to another directory and modify that copy in the way you suggest. You can then "shorewall -d <directory containing modified policy> restart" when you want to troubleshoot.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
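The "every zone pair as REJECT info" policy Gilson describes, combined with Tom's suggestion of keeping the modified copy in a separate directory, can be generated rather than typed by hand. This is an added example, not code from either poster or from Shorewall itself; the zone names passed in and the `LOG LEVEL` column header are assumptions, and the directory is only written, not activated.

```sh
#!/bin/sh
# Generate a troubleshooting Shorewall POLICY file: every ordered pair of
# distinct zones gets "SRC DST REJECT info", so anything not matched in
# RULES is rejected and logged with the zone pair (e.g. fin2adm) visible.
# Added example; zone names are supplied by the caller, not taken from a
# real site.

gen_troubleshoot_policy() {
    # $@ = zone names, e.g. fw dmz adm fin net
    for src in "$@"; do
        for dst in "$@"; do
            # intra-zone traffic gets no policy line here
            [ "$src" = "$dst" ] && continue
            printf '%s\t%s\tREJECT\tinfo\n' "$src" "$dst"
        done
    done
}

# Sanity check: n zones must yield n*(n-1) policy lines
policy_count() {
    gen_troubleshoot_policy "$@" | wc -l | tr -d ' '
}

# Succeeds if the generated policy covers the pair $1 -> $2 (zones follow)
policy_has_pair() {
    want_src=$1; want_dst=$2; shift 2
    gen_troubleshoot_policy "$@" |
        awk -v s="$want_src" -v d="$want_dst" \
            '$1 == s && $2 == d && $3 == "REJECT" { found = 1 }
             END { exit !found }'
}

# Write DIR/policy, the alternate directory Tom proposes feeding to
# "shorewall -d DIR restart" when troubleshooting (not run here).
write_troubleshoot_dir() {
    dir=$1; shift
    mkdir -p "$dir"
    {
        printf '#SOURCE\tDEST\tPOLICY\tLOG LEVEL\n'   # header is assumed
        gen_troubleshoot_policy "$@"
    } > "$dir/policy"
}
```

Once the common traffic is ACCEPTed in RULES, everything that still hits these policies shows up in the log with its zone pair and DPT, which is the signal used for tuning.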