Tom:

At one point you mentioned that

    shorewall show connections

was a thin wrapper around (IIRC) cat /proc/something/something.

Could you refresh my memory...

Also would be reasonable to add a modifier to that command so that one could do

    shorewall show connections remote

and only list connections where one side was external (not the fw, or in the loc zone).

I find this quite useful to see what's going on but it's a nasty grep.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
John S. Andersen wrote:

> Tom:
> At one point you mentioned that
> shorewall show connections
> was a thin wrapper around (IIRC) cat /proc/something/something.
>
> Could you refresh my memory...

Well, I'm sure you can look at /sbin/shorewall as easily as I can but:

    connections)
        [ $# -gt 2 ] && usage 1
        echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
        echo
        cat /proc/net/ip_conntrack
        ;;

> Also would be reasonable to add a modifier to that
> command so that one could do
> shorewall show connections remote
> and only list connections where one side was
> external (not the fw, or in the loc zone).
>

I'm not interested in doing that. Shorewall will never have any inbuilt concepts like local, remote, inside, outside, etc.; especially tied to specific zone names.

> I find this quite useful to see what's going on
> but it's a nasty grep.

No more nasty for you than for me....

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

> John S. Andersen wrote:
>>
>> Also would be reasonable to add a modifier to that
>> command so that one could do shorewall show connections remote
>> and only list connections where one side was
>> external (not the fw, or in the loc zone).
>>
>
> I'm not interested in doing that. Shorewall will never have any inbuilt
> concepts like local, remote, inside, outside, etc.; especially tied to
> specific zone names.
>

Acceptable syntax might be:

    shorewall show connections [ [ ! ] <zone> ... ]

Example that corresponds to yours:

    shorewall show connections net

but your comment about the nastiness of the grep is only the tip of the iceberg when it comes to the ugliness of trying to implement that feature...

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On 26 May 2004 at 16:32, Tom Eastep wrote:

> Tom Eastep wrote:
> > John S. Andersen wrote:
> >>
> >> Also would be reasonable to add a modifier to that
> >> command so that one could do shorewall show connections remote
> >> and only list connections where one side was external (not the fw,
> >> or in the loc zone).
> >>
> >
> > I'm not interested in doing that. Shorewall will never have any
> > inbuilt concepts like local, remote, inside, outside, etc.;
> > especially tied to specific zone names.
> >
>
> Acceptable syntax might be:
>
> shorewall show connections [ [ ! ] <zone> ... ]
>
> Example that corresponds to yours:
>
> shorewall show connections net
>
> but your comment about the nastiness of the grep is only the tip of
> the iceberg when it comes to the ugliness of trying to implement that
> feature...
>
> -Tom

Might be easier for me to "can" my grep and use it that way. Basically I'm usually interested in a few ports (which machine has worms trying to talk on dport=25, etc).

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386

_______________________________________
John S. Andersen
NORCOM
mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
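Since the thread ends with John keeping his own grep over /proc/net/ip_conntrack, here is an added example (not Shorewall code and not from either poster) of what that "canned" filter can look like once it is written as a small parser instead of a regex: it reads conntrack lines, classifies each endpoint of the original direction into a zone using a caller-supplied zone-to-network map, applies selectors in the `[ ! ] <zone> ...` shape Tom sketched, and optionally narrows to one destination port so the "which machine is spraying dport=25" question is a single call. The zone map `ZONES`, the `net` default for unlisted addresses, and all sample lines are constructed for the example; it also accepts the newer `/proc/net/nf_conntrack` layout, which the thread does not mention.

```python
"""Filter a /proc/net/ip_conntrack dump by zone and destination port.

Added example for this thread; it is not Shorewall code. The zone-to-network
map is a hypothetical dict supplied by the caller (Shorewall keeps its real
zone definitions in its own config files, which this script does not read).
"""
import ipaddress
from collections import Counter

# Constructed sample dump in the classic ip_conntrack layout:
#   proto protonum timeout [state] orig-direction k=v ... reply-direction k=v ...
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=192.168.1.1 sport=49152 dport=22 packets=10 bytes=1500 src=192.168.1.1 dst=192.168.1.10 sport=22 dport=49152 packets=8 bytes=1200 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.23 dst=203.0.113.5 sport=1045 dport=25 packets=1 bytes=60 [UNREPLIED] src=203.0.113.5 dst=192.168.1.23 sport=25 dport=1045 packets=0 bytes=0 use=1
tcp      6 116 SYN_SENT src=192.168.1.23 dst=198.51.100.9 sport=1046 dport=25 packets=1 bytes=60 [UNREPLIED] src=198.51.100.9 dst=192.168.1.23 sport=25 dport=1046 packets=0 bytes=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=1024 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=1024 packets=1 bytes=120 use=1
tcp      6 431000 ESTABLISHED src=203.0.113.77 dst=192.168.1.1 sport=40000 dport=80 packets=5 bytes=500 src=192.168.1.1 dst=203.0.113.77 sport=80 dport=40000 packets=4 bytes=4000 [ASSURED] use=1
"""

# Hypothetical zone map. List the most specific zone first: the firewall's own
# addresses sit inside the loc subnet, so "fw" must be checked before "loc".
ZONES = {
    "fw": ["192.168.1.1/32", "203.0.113.1/32"],
    "loc": ["192.168.1.0/24"],
}
EXTERNAL_ZONE = "net"  # assumed name for any address in no listed zone


def parse_line(line):
    """Split one conntrack line into proto plus original/reply k=v dicts.

    The first occurrence of each key belongs to the original direction, the
    second to the reply. Also accepts the newer /proc/net/nf_conntrack
    layout, which prefixes each line with the L3 family ("ipv4 2 ...").
    """
    fields = line.split()
    if fields and fields[0] in ("ipv4", "ipv6"):
        fields = fields[2:]
    if len(fields) < 3:
        return None
    entry = {"proto": fields[0], "orig": {}, "reply": {}}
    for tok in fields[1:]:
        if "=" not in tok:      # state names and flags such as [ASSURED]
            continue
        key, _, value = tok.partition("=")
        side = "reply" if key in entry["orig"] else "orig"
        entry[side][key] = value
    return entry if "src" in entry["orig"] else None


def zone_of(address, zones=ZONES):
    """Return the first zone whose networks contain address, else None."""
    ip = ipaddress.ip_address(address)
    for zone, networks in zones.items():
        if any(ip in ipaddress.ip_network(net) for net in networks):
            return zone
    return None


def side_matches(zone, selector):
    """A selector is a zone name, or "!zone" for anything but that zone."""
    if selector.startswith("!"):
        return zone != selector[1:]
    return zone == selector


def select(conntrack_text, selectors, zones=ZONES, dport=None):
    """Return (proto, src_zone, src, dst_zone, dst, dport) per matching entry.

    An entry matches when, for every selector, at least one endpoint of the
    original direction satisfies it; dport additionally restricts the
    original-direction destination port.
    """
    matches = []
    for line in conntrack_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        orig = entry["orig"]
        src_zone = zone_of(orig["src"], zones) or EXTERNAL_ZONE
        dst_zone = zone_of(orig["dst"], zones) or EXTERNAL_ZONE
        if not all(side_matches(src_zone, s) or side_matches(dst_zone, s)
                   for s in selectors):
            continue
        if dport is not None and orig.get("dport") != str(dport):
            continue
        matches.append((entry["proto"], src_zone, orig["src"],
                        dst_zone, orig["dst"], orig.get("dport")))
    return matches


def sources_by_count(matches):
    """Count originating hosts, e.g. to spot a machine spraying port 25."""
    return Counter(m[2] for m in matches)


if __name__ == "__main__":
    # Equivalent of the proposed "shorewall show connections net", narrowed to port 25.
    hits = select(SAMPLE_CONNTRACK, ["net"], dport=25)
    for proto, sz, src, dz, dst, port in hits:
        print(f"{proto:4} {sz}:{src} -> {dz}:{dst} dport={port}")
    for host, n in sources_by_count(hits).most_common():
        print(f"{host} opened {n} connection(s) to external port 25")
```

On a real firewall the dump would come from `open("/proc/net/ip_conntrack")` (or `/proc/net/nf_conntrack` on newer kernels) rather than the constructed string, and `ZONES` would be filled from whatever source of truth the site keeps for its subnets. Zone membership is decided on the original direction only, which is what matters for the "who initiated this" question; `[UNREPLIED]` entries are kept on purpose, since a host with many unanswered outbound SYNs to port 25 is exactly the signal John is looking for.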