I didn't see this in the FAQ or this month's mailing list entries:

I'm setting up Shorewall 2.0.1 under Mandrake 10. I'm starting with
this in the rules file:

    AllowPing:debug all all
    AllowSSH:debug all all
    AllowWeb:info all all
    AllowFTP:info all all
    AllowTrcrt:info all all
    AllowNTP:info all all

I found that packets are being logged once for *every* rule up to the
one in which they are finally accepted. The following seven log entries
are all generated from *one* incoming packet, passing by (but not being
accepted by) all the above rules:

    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowPing:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowSSH:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowWeb:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowFTP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowTrcrt:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowNTP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72
    Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2all:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72

I don't find it very useful to log every rule that the packet passes by
on its way to final acceptance. I had expected the logging to log the
packet only if it was actually *accepted* by the rule. The rules file
says:

    # The ACTION may optionally be followed
    # by ":" and a syslog log level (e.g, REJECT:info or
    # DNAT:debug). This causes the packet to be
    # logged at the specified level.

While that documentation is sufficiently general to permit the current
behaviour (log the packet even if it isn't actually accepted by the
user-defined rule), I don't see how the current behaviour can be useful.

Am I missing something? Point me, enlighten me ...

--
-IAN! Ian! D. Allen           Ottawa, Ontario, Canada
EMail: idallen@idallen.ca     WWW: http://www.idallen.com/
College professor via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
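A set of entries like the seven above is easier to read once it is collapsed back to one record per packet. The Python below is an added example written for this thread, not code from the original post or from the Shorewall project: it parses Shorewall's kernel log prefix ("Shorewall:<chain>:<target>:" followed by netfilter's key=value fields), keys the entries by timestamp, endpoints, protocol and IP ID, and reports the chain path and the final disposition. The sample entries are the seven quoted in the message above; the grouping key and the helper names are the example's own choices.

```python
"""Collapse per-rule Shorewall log entries back into one record per packet.

Added example for this thread (not Shorewall code). A packet that is logged
once per rule on its way through a chain produces several entries that share
the same IP identity; grouping them by that identity recovers the path the
packet took and its real fate, which is always the last entry.
"""
import re
from collections import OrderedDict

# Syslog timestamp, host, "kernel:", then the Shorewall prefix and the netfilter fields.
_ENTRY_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+"
    r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<fields>.*)$"
)


def parse_entry(line):
    """Return (stamp, chain, target, fields) for one log line, or None for non-Shorewall lines."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")  # "OUT=" yields an empty value, as netfilter prints it
        # netfilter prints LEN twice (IP total length, then the UDP/ICMP payload length);
        # keep the first occurrence so fields["LEN"] stays the IP header value.
        fields.setdefault(key, value)
    return m.group("stamp"), m.group("chain"), m.group("target"), fields


def packet_key(stamp, fields):
    """Identity shared by every log entry for one packet: same second, endpoints, protocol and IP ID."""
    return (stamp, fields.get("SRC"), fields.get("DST"), fields.get("PROTO"),
            fields.get("ID"), fields.get("SPT"), fields.get("DPT"))


def trace_packets(lines):
    """Map each packet identity to the ordered list of (chain, target) pairs it was logged in."""
    paths = OrderedDict()
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        stamp, chain, target, fields = parsed
        paths.setdefault(packet_key(stamp, fields), []).append((chain, target))
    return paths


def final_disposition(path):
    """The last (chain, target) is what actually happened; earlier entries are rules the packet only passed."""
    return path[-1]


# The seven entries quoted in the message above: one incoming broadcast UDP packet.
SAMPLE_LOG = [
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowPing:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowSSH:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowWeb:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowFTP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowTrcrt:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2fw:AllowNTP:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
    "Jul 15 02:56:58 dragon2 kernel: Shorewall:loc2all:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:5a:47:ae:97:08:00 SRC=192.168.0.202 DST=192.168.0.255 LEN=92 TOS=0x00 PREC=0x00 TTL=30 ID=17298 PROTO=UDP SPT=127 DPT=125 LEN=72",
]


if __name__ == "__main__":
    for key, path in trace_packets(SAMPLE_LOG).items():
        print("packet", key)
        print("  logged in  :", " -> ".join(f"{c}:{t}" for c, t in path))
        print("  disposition: %s:%s" % final_disposition(path))
```

Run against the seven entries this prints a single packet whose path runs through the six action chains and ends at loc2all:ACCEPT, which is the only entry that says what happened to it. The key deliberately includes the IP ID and the syslog second; two different packets between the same ports in the same second with the same ID are unlikely enough that this is a reasonable dedup key for reading logs, but it is a heuristic, not a guarantee.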
On Thu, 2004-07-15 at 15:15, Ian! D. Allen wrote:
> I didn't see this in the FAQ or this month's mailing list entries:
>
> I'm setting up Shorewall 2.0.1 under Mandrake 10. I'm starting with
> this in the rules file:
>
> AllowPing:debug all all
> AllowSSH:debug all all
> AllowWeb:info all all
> AllowFTP:info all all
> AllowTrcrt:info all all
> AllowNTP:info all all
>
> I found that packets are being logged once for *every* rule up to the
> one in which they are finally accepted. The following seven log entries
> are all generated from *one* incoming packet, passing by (but not being
> accepted by) all the above rules:

Yes, and that behavior is documented in
http://shorewall.net/shorewall_logging.html

See "How to Log Traffic Through a Shorewall Firewall" item 4.

--
"I think the problem, to be quite honest with you, is that you've never
actually known what the question is." --The computer "Deep Thought" in
"Life, The Universe and Everything"
On Thu, 2004-07-15 at 15:52, Ed Greshko wrote:
> On Thu, 2004-07-15 at 15:15, Ian! D. Allen wrote:
> > I didn't see this in the FAQ or this month's mailing list entries:
> >
> > I'm setting up Shorewall 2.0.1 under Mandrake 10. I'm starting with
> > this in the rules file:
> >
> > AllowPing:debug all all
> > AllowSSH:debug all all
> > AllowWeb:info all all
> > AllowFTP:info all all
> > AllowTrcrt:info all all
> > AllowNTP:info all all
> >
> > I found that packets are being logged once for *every* rule up to the
> > one in which they are finally accepted. The following seven log entries
> > are all generated from *one* incoming packet, passing by (but not being
> > accepted by) all the above rules:
>
> Yes, and that behavior is documented in
> http://shorewall.net/shorewall_logging.html
>
> See "How to Log Traffic Through a Shorewall Firewall" item 4.

Sorry, I think I mis-read your question.....

--
"I think the problem, to be quite honest with you, is that you've never
actually known what the question is." --The computer "Deep Thought" in
"Life, The Universe and Everything"
Ian! D. Allen wrote:
>
> While that documentation is sufficiently general to permit the current
> behaviour (log the packet even if it isn't actually accepted by the
> user-defined rule), I don't see how the current behaviour can be useful.
>

Then don't use it.

User-defined actions are like functions rather than macros. They are
compiled once and jumped to when invoked. Unfortunately, iptables lacks
any ability to pass arguments to chains (other than packets) so the
chain can't alter its behavior (to log, for example) based on how it
was invoked.

> Am I missing something? Point me, enlighten me ...
>

If you want individual rules within an action to be logged then you need
to modify the action itself to do the logging internally. Simply copy
the action.xxx file from /usr/share/shorewall to /etc/shorewall and
modify the copy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, Jul 15, 2004 at 06:53:13AM -0700, Tom Eastep wrote:
> Ian! D. Allen wrote:
> > I don't see how the current behaviour can be useful.
> Then don't use it.

I'd rather help you improve this feature so that the logging *is* useful.
If the current logging mechanism is actually useful for someone and I
missed the point on how to use it, correct me. If it truly isn't useful,
let's make it useful.

> If you want individual rules within an action to be logged then you need
> to modify the action itself to do the logging internally. Simply copy
> the action.xxx file from /usr/share/shorewall to /etc/shorewall and
> modify the copy.

Yes, I can do that; but, then I lose out on using your debugged and
pre-defined actions. At the limit, I give up using shorewall altogether
because I've rewritten it all. I desperately want to stand on the
shoulders of others, not build and maintain my own shoulders. If I'm
right about the current logging mechanism being somewhat unhelpful, can
we fix shorewall to do the "right" thing here?

> User-defined actions are like functions rather than macros. They are
> compiled once and jumped to when invoked. Unfortunately, iptables
> lacks any ability to pass arguments to chains (other than packets)
> so the chain can't alter its behavior (to log, for example) based on
> how it was invoked.

Can we not have shorewall do the work for us? I haven't looked at the
internals of how shorewall works; so, maybe what I'm thinking of here
just isn't possible. Let me give an example (you can probably make this
much more efficient since you know the internals):

When a user specifies logging with an action, e.g. AllowDNS:info, have
shorewall create a chain with an appropriate name, e.g. AllowDNS-log-info,
and then pre-process the existing action.AllowDNS file into a new hidden,
temporary file (e.g. action.AllowDNS-log-info) containing rules that
include the "info" logging on each line (e.g. change all the "ACCEPT" to
"ACCEPT:info"), then have shorewall process that temp file to make the
new chain, then delete the temp file.

I just want shorewall to use your already-debugged rules and do what I
would do and save me the bother. Am I making sense?

--
-IAN! Ian! D. Allen           Ottawa, Ontario, Canada
EMail: idallen@idallen.ca     WWW: http://www.idallen.com/
College professor via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
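The pre-processing step described in that message is small enough to prototype outside Shorewall. The Python below is an added example for this thread; it is not Shorewall code and not the change Tom later says he will consider for 2.1. Given the text of an action.xxx file and a log level, it emits a copy in which every rule's TARGET carries that level, keeps comments and blank lines intact, leaves a rule alone when it already names its own level, and derives the file and chain name ("AllowDNS-log-info") exactly as the message proposes. The action file contents are constructed for the example in the TARGET/SOURCE/DEST/PROTO/DEST PORT(S) column layout of the 2.0 action files; the function names are the example's own.

```python
"""Prototype of the "AllowDNS:info -> action.AllowDNS-log-info" rewrite proposed above.

Added example for this thread, not Shorewall code. A Shorewall 2.0 action file
is a whitespace-separated table whose first column is the TARGET (ACCEPT, DROP,
REJECT, another action, ...); writing "TARGET:level" makes that single rule log
at the given syslog level. Rewriting every TARGET this way is what the message
suggests Shorewall could do automatically when an action is invoked as
"Action:level" in the rules file.
"""
import re

# Leading indentation, the TARGET column, then the rest of the rule untouched.
_RULE_RE = re.compile(r"^(?P<indent>\s*)(?P<target>\S+)(?P<rest>.*)$")


def derived_action_name(action, level):
    """Name for the generated chain and file, as proposed: AllowDNS + info -> AllowDNS-log-info."""
    return f"{action}-log-{level}"


def add_log_level(action_text, level):
    """Return the action file text with ':level' appended to every rule TARGET that has no level yet."""
    out = []
    for line in action_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)  # blank lines and comments (including "#LAST LINE") are copied unchanged
            continue
        m = _RULE_RE.match(line)
        target = m.group("target")
        if ":" in target:
            out.append(line)  # the rule already carries an explicit level; its author's choice wins
            continue
        out.append(f"{m.group('indent')}{target}:{level}{m.group('rest')}")
    text = "\n".join(out)
    return text + ("\n" if action_text.endswith("\n") else "")


def generate_logged_action(action, level, action_text):
    """Produce (filename, contents) for the temporary logged copy of an action file."""
    name = derived_action_name(action, level)
    return f"action.{name}", add_log_level(action_text, level)


# Constructed action file in the Shorewall 2.0 layout (not the real action.AllowDNS).
SAMPLE_ACTION = """\
# Constructed example action file, not shipped with Shorewall
#TARGET SOURCE DEST PROTO DEST    SOURCE  RATE  USER/
#                         PORT(S) PORT(S) LIMIT GROUP
ACCEPT  -      -    udp   53
ACCEPT  -      -    tcp   53
DROP:warning - -    udp   5353
#LAST LINE - ADD YOUR ENTRIES BEFORE THIS ONE - DO NOT REMOVE
"""


if __name__ == "__main__":
    filename, contents = generate_logged_action("AllowDNS", "info", SAMPLE_ACTION)
    print(f"--- {filename} ---")
    print(contents, end="")
```

The output keeps the table aligned apart from the lengthened first column, which is all Shorewall needs since it splits on whitespace. Logging inside the action in this way only fires for the rule that actually matched, which is the behaviour the original question expected; it does not touch the per-invocation log entry that the "Action:level" form in the rules file produces.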
Ian! D. Allen wrote:
>
>> User-defined actions are like functions rather than macros. They are
>> compiled once and jumped to when invoked. Unfortunately, iptables
>> lacks any ability to pass arguments to chains (other than packets)
>> so the chain can't alter its behavior (to log, for example) based on
>> how it was invoked.
>
>
> Can we not have shorewall do the work for us?
>

We could have but that's not the way that it currently works. I'll
consider a change for 2.1.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Ian! D. Allen wrote:
>
>>
>>> User-defined actions are like functions rather than macros. They are
>>> compiled once and jumped to when invoked. Unfortunately, iptables
>>> lacks any ability to pass arguments to chains (other than packets)
>>> so the chain can't alter its behavior (to log, for example) based on
>>> how it was invoked.
>>
>>
>>
>> Can we not have shorewall do the work for us?
>
>
> We could have but that's not the way that it currently works. I'll
> consider a change for 2.1.
>

And if you wish to discuss this further, please take it onto the
Development List (shorewall-devel@lists.shorewall.net).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net