Hi shorewallers,
I'm currently running Linux kernel version 2.4.21 (vanilla flavour),
iptables-1.2.8 and shorewall-1.4.6. I've worked w/ shorewall for more than
one year... but even if I'm really happy w/ this excellent product, I
still have a problem:
I'm trying to log all packets which come to my firewall through the
INPUT chain and I never get anything :c( Logging on the FORWARD chain
seems to be ok... :c((
This firewall has 5 interfaces :
eth1: local network
eth2: dmz
eth3: ipv6 network (shorewall is blocking all the traffic to this area,
and I have set up my own ipv6 firewall... so that's not the matter
here ;c)
ppp0: internet connection
ppp1: vpn
let's take a look at my configuration:
/etc/shorewall/interfaces:
net ppp0 xxx.xxx.xxx.xxx norfc1918
loc eth1 192.168.0.255
dmz eth2 192.168.1.255
serv eth3 192.168.2.255
dist ppp1 192.168.10.255
/etc/shorewall/policy:
loc net ACCEPT
dmz net ACCEPT
fw net ACCEPT
serv net REJECT debug
serv loc REJECT debug
serv dmz REJECT debug
serv fw REJECT debug
dist net REJECT info
dist all DROP warning
fw dist ACCEPT
loc dist ACCEPT
all dist DROP warning
net all DROP warning
all all REJECT info
/etc/shorewall/shorewall.conf:
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=warning
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=Yes
CLAMPMSS=No
ROUTE_FILTER=Yes
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=90
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
I don't think that other config files are important for my problem...
can anyone see something strange in this? possibly explaining why
forwarded packets can be logged but not "input" ones (never tried
"output" ones)?
I hope all what I've
--
Baptiste SIMON
aka BeTa
GNU/Linux & Unix system administrator
3, avenue de la Calypso
44000 Nantes
06 75 79 28 48
On Tue, 2003-08-12 at 06:25, BeTa wrote:
> I'm trying to log all packets which come to my firewall through the
> INPUT chain and I never get anything :c( Logging on the forward chain
> seems to be ok... :c((

In general, Shorewall provides NO way to log *all* packets -- this is a good thing since Netfilter logging is in no way meant to be used as an IP traffic audit trail. The best that you can do is log new connections (and hope that you don't get ping flooded) and all connection requests that are denied. Given that, which connection requests are you trying to log that you are not able to?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Tue, 2003-08-12 at 09:02, BeTa wrote:
> > Looks like everything going to net2all is being swallowed up by the
> > 'common' chain.
>
> you're right !! why haven't I anticipated that? ;c)
>
> > What does "shorewall show common" give you?
>
> let's see :
>

It looks like there were no connection attempts that weren't dropped/rejected by the common chain then. I see no reason why attempts that aren't swallowed by the common chain should not be logged at the bottom of the "net2all" chain where there is a logging rule at the "warning" (4) level.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
so... where are those rules (in the common chain) set? I have never set
anything explicitly for that... and that's probably why I don't get any
log from the INPUT chain. :c(
-- I'VE FOUND !!! --
721 43248 DROP all -- * * 0.0.0.0/0 213.41.139.9
this line was problematic. But compared to the similar ones :
721 43248 DROP all -- * * 0.0.0.0/0 213.41.139.9
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.1.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.2.255
0 0 DROP all -- * * 0.0.0.0/0 192.168.10.255
it rang a bell:
all those IP addresses could be considered broadcast addresses...
except the one I'm interested in... 213.41.139.9
so I asked myself: "where can the broadcasts be set?" then
I remembered the "/etc/shorewall/interfaces" file and its broadcast
definitions... I had:
net ppp0 213.41.139.9 norfc1918
instead of:
net ppp0 - norfc1918
Isn't that beautiful?? ;c)
Thanks a lot for your help (especially tom)
--
BeTa
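The root cause in this thread was a unicast address (the ppp0 address itself) placed in the BROADCAST column of the interfaces file, so the common chain silently dropped everything addressed to the firewall before any logging rule could see it. The following check is an added example, not code from the thread or from the Shorewall project: it parses a 1.4-style interfaces file and compares each BROADCAST entry against a per-interface address table (constructed here, with /24 masks assumed from the .255 broadcasts; in practice you would fill it from `ip addr`), flagging interface addresses, point-to-point links and mismatched broadcasts.

```python
import ipaddress

# Constructed copy of the interfaces file from the thread, including the
# broken "net" line (interface address in the BROADCAST column).
INTERFACES_FILE = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            213.41.139.9    norfc1918
loc     eth1            192.168.0.255
dmz     eth2            192.168.1.255
serv    eth3            192.168.2.255
dist    ppp1            192.168.10.255
"""

# Constructed addressing table: interface -> (address/prefix, is point-to-point).
# Prefix lengths are an assumption; ppp links carry no broadcast address at all.
ADDRESSES = {
    "ppp0": ("213.41.139.9/32", True),
    "ppp1": ("192.168.10.1/32", True),
    "eth1": ("192.168.0.1/24", False),
    "eth2": ("192.168.1.1/24", False),
    "eth3": ("192.168.2.1/24", False),
}

def parse_interfaces(text):
    """Return (zone, interface, broadcast) tuples; a missing column means '-'."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        bcast = fields[2] if len(fields) > 2 else "-"
        entries.append((fields[0], fields[1], bcast))
    return entries

def check_broadcasts(text, addresses):
    """Return (interface, problem) pairs for BROADCAST values that would make
    the common chain drop unicast traffic to a host address."""
    problems = []
    for _zone, iface, bcast in parse_interfaces(text):
        if bcast in ("-", "detect"):          # nothing literal to validate
            continue
        addr, ptp = addresses.get(iface, (None, False))
        if addr is None:
            problems.append((iface, "no address known for %s" % bcast))
            continue
        net = ipaddress.ip_interface(addr)
        if bcast == str(net.ip):
            problems.append((iface, "interface address %s in BROADCAST column" % bcast))
        elif ptp:
            problems.append((iface, "point-to-point link, use '-' instead of %s" % bcast))
        elif bcast != str(net.network.broadcast_address):
            problems.append((iface, "expected %s, found %s" % (net.network.broadcast_address, bcast)))
    return problems
```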