Is there a way to have Shorewall log MAC addresses for packets logged from the "rules" file? Right now the only time MAC addresses are being logged is when the logging comes from the "policy" file. The following rule is an example:

ACCEPT:info loc net tcp 80

Thanks,
Thomas Marschall

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Thomas Marschall wrote:
> Is there a way to have Shorewall log MAC addresses for packets logged
> from the "rules" file? Right now the only time MAC addresses are being
> logged is when the logging comes from the "policy" file. The following
> rule is an example:
>
> ACCEPT:info loc net tcp 80

Shorewall has no control over the logging of MAC addresses.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
Is there a way then to get iptables/netfilter to do it?

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, December 21, 2006 3:14 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Logging MAC addresses
Thomas Marschall wrote:
> Is there a way then to get iptables/netfilter to do it?

No -- that's what I mean by Shorewall having no control over it. In general, netfilter logs the MAC address out of the INPUT chain but doesn't log it out of the FORWARD chain.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
I'd like to write a custom rule to put in the output chain to match on certain devices and ports, then log matched packets. Any pointers on doing this?

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, December 21, 2006 3:22 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Logging MAC addresses
Thomas Marschall wrote:
> I'd like to write a custom rule to put in the output chain to match on
> certain devices and ports, then log matched packets. Any pointers on
> doing this?

You can do that with an action that has a companion extension script. Then invoke the action from the rules file with SOURCE=$FW and DEST=all. See http://www.shorewall.net/Actions#Extension

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
And one more question, since you didn't specifically mention this before. Will iptables log MAC address for packets on the output chain?

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, December 21, 2006 3:32 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Logging MAC addresses
Hmmm, that link didn't work either.... "Not found" error.

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, December 21, 2006 3:32 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Logging MAC addresses
On Thu, Dec 21, 2006 at 1:36pm Thomas Marschall <Thomas@CompSciTech.com> wrote:
> And one more question, since you didn't specifically mention this before.
> Will iptables log MAC address for packets on the output chain?

No.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@avvanta.com
On Thu, Dec 21, 2006 at 1:38pm Thomas Marschall <Thomas@CompSciTech.com> wrote:
> Hmmm, that link didn't work either.... "Not found" error.

s/b http://www.shorewall.net/Actions.html#Extension

But it's possible you don't even need to use an action. What's wrong with

LOG:info $FW <wherever> tcp <port>
LOG:info $FW <wherever> udp <port>
...

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@avvanta.com
That might work... This firewall is going to be a proxy server running squid. We will be forcing proxying so we will have this rule loaded:

REDIRECT loc 8080 tcp 80,443 -

I'm trying to make sure I understand how this works... will this rule put a matched packet onto the input chain so we can log its mac address? Without this rule a packet destined for the internet would otherwise just hit the forward chain correct?

We will also have the proxy port open on 8080 for clients that are configured to use it. Web clients that have the proxy configured should send their packets in on the input chain correct?

If so, then here is the next part: Will the maclist process before your suggested rule? We don't want mac addresses we have already blocked clogging up our log files...

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of teastep
Sent: Thursday, December 21, 2006 3:45 PM
To: Shorewall Users; Shorewall Users
Subject: Re: [Shorewall-users] Logging MAC addresses
Thomas Marschall wrote:
> That might work... This firewall is going to be a proxy server running
> squid. We will be forcing proxying so we will have this rule loaded:
>
> REDIRECT loc 8080 tcp 80,443 -

You *cannot* transparently proxy HTTPS. If you could, then HTTPS (and SSL in fact) would be susceptible to "Man in the Middle" attacks.

> I'm trying to make sure I understand how this works... will this rule
> put a matched packet onto the input chain so we can log its mac address?

Yes.

> Without this rule a packet destined for the internet would otherwise
> just hit the forward chain correct?

Correct.

> We will also have the proxy port open on 8080 for clients that are
> configured to use it. Web clients that have the proxy configured should
> send their packets in on the input chain correct?

Correct.

> If so, then here is the next part: Will the maclist process before your
> suggested rule?

I don't understand the question -- the syntax appears to be garbled.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,           \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
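The thread makes two points a log consumer has to cope with: netfilter only fills the MAC= field for packets logged from the INPUT chain (Tom's reply above on INPUT vs. FORWARD), so traffic that the REDIRECT rule pulls onto the firewall itself is the traffic whose source MAC ends up in the log, while forwarded and locally generated packets arrive with an empty or missing MAC= field. The parser below is an added example, not code from the thread or from the Shorewall project. It assumes the default Shorewall log prefix `Shorewall:<chain>:<disposition>:` in front of the netfilter key=value fields, and the sample lines are constructed for the example. It splits the 14-octet MAC= field into destination MAC, source MAC and ethertype, infers which hook (INPUT, FORWARD, OUTPUT) the line came from, and, as the defensive use of the data, flags a source IP that shows up with more than one source MAC.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the netfilter LOG / Shorewall prefix format (not from the thread).
# Line 1: HTTP request REDIRECTed to squid, logged from INPUT -> MAC= populated.
# Line 2: forwarded packet, MAC= present but empty.
# Line 3: packet generated by the firewall itself (OUTPUT), no MAC= field at all.
# Line 4: same source IP as line 1 but a different source MAC.
SAMPLE_LOG = """\
Dec 21 15:50:01 fw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 15:50:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 MAC= SRC=192.168.1.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 15:50:03 fw kernel: Shorewall:fw2net:LOG:IN= OUT=eth0 SRC=203.0.113.1 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 15:50:04 fw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=192.168.1.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=34568 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Default Shorewall LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition); assumed here.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# netfilter fields are KEY=value; bare flags such as DF or SYN have no '=' and are skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class LogRecord:
    chain: str               # Shorewall chain from the prefix, e.g. loc2fw
    disposition: str         # ACCEPT / DROP / LOG ...
    hook: str                # INPUT / FORWARD / OUTPUT, inferred from IN= and OUT=
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]
    dst_mac: Optional[str]   # None when netfilter logged no link-layer header
    src_mac: Optional[str]
    ethertype: Optional[str]


def split_mac(mac: str) -> Optional[Tuple[str, str, str]]:
    """Split the 14-octet MAC= field into (destination MAC, source MAC, ethertype).

    netfilter logs the raw Ethernet header: 6 octets destination, 6 octets
    source, 2 octets ethertype (0800 = IPv4). Empty or malformed -> None."""
    octets = mac.split(":") if mac else []
    if len(octets) != 14:
        return None
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def infer_hook(in_dev: str, out_dev: str) -> str:
    """Map the IN=/OUT= pair onto the netfilter hook the packet was logged from."""
    if in_dev and not out_dev:
        return "INPUT"
    if in_dev and out_dev:
        return "FORWARD"
    if out_dev and not in_dev:
        return "OUTPUT"
    return "UNKNOWN"


def parse_line(line: str) -> Optional[LogRecord]:
    m = PREFIX_RE.search(line)
    if not m:
        return None  # not a Shorewall-prefixed netfilter log line
    fields = dict(FIELD_RE.findall(line[m.end():]))
    mac = split_mac(fields.get("MAC", ""))
    dport = fields.get("DPT")
    return LogRecord(
        chain=m.group("chain"),
        disposition=m.group("disposition"),
        hook=infer_hook(fields.get("IN", ""), fields.get("OUT", "")),
        src_ip=fields.get("SRC", ""),
        dst_ip=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        dport=int(dport) if dport and dport.isdigit() else None,
        dst_mac=mac[0] if mac else None,
        src_mac=mac[1] if mac else None,
        ethertype=mac[2] if mac else None,
    )


def parse_log(text: str) -> List[LogRecord]:
    records = [parse_line(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def macs_per_source_ip(records: List[LogRecord]) -> Dict[str, Set[str]]:
    """Every source MAC seen per source IP, using only lines that carried a MAC.

    More than one MAC for the same IP in a short window deserves a look:
    misconfiguration, DHCP churn, or a host using an address that is not its own."""
    seen: Dict[str, Set[str]] = {}
    for r in records:
        if r.src_mac is not None:
            seen.setdefault(r.src_ip, set()).add(r.src_mac)
    return seen


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.hook:7} {r.chain:8} {r.src_ip:>15} -> {r.dst_ip}:{r.dport} src_mac={r.src_mac}")
    for ip, macs in macs_per_source_ip(recs).items():
        if len(macs) > 1:
            print(f"WARNING: {ip} seen with {len(macs)} different source MACs: {sorted(macs)}")
```

Only the two INPUT-chain lines yield a source MAC, which is the practical consequence of the thread: if the point of logging is to tie an IP to a MAC, the rule has to log from INPUT (the REDIRECTed proxy traffic does), and a consumer must tolerate lines where MAC= is empty or absent rather than treat them as parse errors.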