I want to use fprobe-ulog (http://fprobe.sourceforge.net/) to generate
NetFlow information about traffic going through my router. The question
is how to get the logging rules added to the appropriate chains (I'm
assuming eth2_in and eth2_out in my case)? I'm using the perl version
of shorewall 4.0.6.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
On Thu, Jan 10, 2008 at 12:39:43PM -0700, Orion Poplawski wrote:
> I want to use fprobe-ulog (http://fprobe.sourceforge.net/) to generate
> NetFlow information about traffic going through my router. The question
> is how to get the logging rules added to the appropriate chains (I'm
> assuming eth2_in and eth2_out in my case)? I'm using the perl version
> of shorewall 4.0.6.

http://www.shorewall.net/shorewall_logging.html#ULOG
Andrew Suffield wrote:
> On Thu, Jan 10, 2008 at 12:39:43PM -0700, Orion Poplawski wrote:
>> I want to use fprobe-ulog (http://fprobe.sourceforge.net/) to generate
>> NetFlow information about traffic going through my router. The question
>> is how to get the logging rules added to the appropriate chains (I'm
>> assuming eth2_in and eth2_out in my case)? I'm using the perl version
>> of shorewall 4.0.6.
>
> http://www.shorewall.net/shorewall_logging.html#ULOG

Yes, but short of appending ":ULOG" to all of my rules, I don't see how
I can log every packet going in and out of the ISP interface to ULOG.
By default shorewall is configured to log rejected and dropped traffic,
not accepted traffic.

I guess I could do:

loc net ACCEPT ULOG

in my policy file for outgoing traffic. But what about incoming?

Thanks.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com
On Thu, Jan 10, 2008 at 01:20:39PM -0700, Orion Poplawski wrote:
> Andrew Suffield wrote:
> > On Thu, Jan 10, 2008 at 12:39:43PM -0700, Orion Poplawski wrote:
> >> I want to use fprobe-ulog (http://fprobe.sourceforge.net/) to generate
> >> NetFlow information about traffic going through my router. The question
> >> is how to get the logging rules added to the appropriate chains (I'm
> >> assuming eth2_in and eth2_out in my case)? I'm using the perl version
> >> of shorewall 4.0.6.
> >
> > http://www.shorewall.net/shorewall_logging.html#ULOG
>
> Yes, but short of appending ":ULOG" to all of my rules, I don't see how
> I can log every packet going in and out of the ISP interface to ULOG.
> By default shorewall is configured to log rejected and dropped traffic,
> not accepted traffic.
>
> I guess I could do:
>
> loc net ACCEPT ULOG
>
> in my policy file for outgoing traffic. But what about incoming?

ACTION - {ACCEPT[+|!]|NONAT|DROP[!]|REJECT[!]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[!]|LOG|QUEUE[!]|NFQUEUE[/queuenumber]|COMMENT|action|macro[/target]}[:{log-level|none}[!][:tag]]

    Specifies the action to be taken if the connection request
    matches the rule. Must be one of the following.

    ACCEPT
        Allow the connection request.

    ACCEPT+
        like ACCEPT but also excludes the connection from any
        subsequent matching DNAT[-] or REDIRECT[-] rules

    [...]

    LOG
        Simply log the packet and continue with the next rule.
Andrew Suffield wrote:
> On Thu, Jan 10, 2008 at 01:20:39PM -0700, Orion Poplawski wrote:
>> Andrew Suffield wrote:
>>> On Thu, Jan 10, 2008 at 12:39:43PM -0700, Orion Poplawski wrote:
>>>> I want to use fprobe-ulog (http://fprobe.sourceforge.net/) to generate
>>>> NetFlow information about traffic going through my router. The question
>>>> is how to get the logging rules added to the appropriate chains (I'm
>>>> assuming eth2_in and eth2_out in my case)? I'm using the perl version
>>>> of shorewall 4.0.6.
>>> http://www.shorewall.net/shorewall_logging.html#ULOG
>>>
>> Yes, but short of appending ":ULOG" to all of my rules, I don't see how
>> I can log every packet going in and out of the ISP interface to ULOG.
>> By default shorewall is configured to log rejected and dropped traffic,
>> not accepted traffic.
>>
>> I guess I could do:
>>
>> loc net ACCEPT ULOG
>>
>> in my policy file for outgoing traffic. But what about incoming?
>
> ACTION - {ACCEPT[+|!]|NONAT|DROP[!]|REJECT[!]|DNAT[-]|SAME[-]|REDIRECT[-]|CONTINUE[!]|LOG|QUEUE[!]|NFQUEUE[/queuenumber]|COMMENT|action|macro[/target]}[:{log-level|none}[!][:tag]]
>
>     Specifies the action to be taken if the connection request
>     matches the rule. Must be one of the following.
>
>     ACCEPT
>         Allow the connection request.
>
>     ACCEPT+
>         like ACCEPT but also excludes the connection from any
>         subsequent matching DNAT[-] or REDIRECT[-] rules
>
>     [...]
>
>     LOG
>         Simply log the packet and continue with the next rule.

And be sure to put the appropriate log rules in all three sections of the
rules file.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Suffield wrote:
>> [...]
>>
>>     LOG
>>         Simply log the packet and continue with the next rule.
>
> And be sure to put the appropriate log rules in all three sections of the
> rules file.

Okay, this is what I've got:

SECTION ESTABLISHED
# NetFlow logging
LOG:ULOG   all   net
LOG:ULOG   net   all

SECTION RELATED
# NetFlow logging
LOG:ULOG   all   net
LOG:ULOG   net   all

SECTION NEW
# NetFlow logging
LOG:ULOG   all   net
LOG:ULOG   net   all

<all of my accept rules follow>

and it seems to be working. Thanks!

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com
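An added check (not part of the thread or of the shorewall project) that parses a shorewall rules file and confirms the layout Orion ended up with: a LOG:ULOG rule in each direction in all three sections, placed ahead of any ACCEPT/DROP/REJECT rule, since such a rule stops matching packets from ever reaching a later LOG rule. The sample rules text is constructed, and the zone name `net`, the function names and the `TERMINATING` action set are assumptions for this example.

```python
# Actions that end rule traversal for a matching packet; LOG does not.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "REDIRECT", "QUEUE", "NFQUEUE"}
REQUIRED_SECTIONS = ("ESTABLISHED", "RELATED", "NEW")

def parse_rules(text):
    """{section: [(action, source, dest), ...]} in file order; comments dropped,
    rules before any SECTION line filed under NEW."""
    sections, current = {"NEW": []}, "NEW"
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "SECTION" and len(fields) == 2:
            current = fields[1].upper()
            sections.setdefault(current, [])
            continue
        fields += ["-", "-"]  # pad short lines so SOURCE/DEST always exist
        sections[current].append((fields[0], fields[1], fields[2]))
    return sections

def check_ulog_coverage(text, ext_zone="net"):
    """List sections missing 'LOG:ULOG all <ext_zone>' or 'LOG:ULOG <ext_zone> all'
    ahead of the first terminating rule (conservative: that rule is treated as
    ending the section for every packet, i.e. log rules first, ACCEPT after)."""
    sections = parse_rules(text)
    wanted = {("all", ext_zone), (ext_zone, "all")}
    problems = []
    for name in REQUIRED_SECTIONS:
        seen = set()
        for action, src, dst in sections.get(name, []):
            base, _, level = action.partition(":")
            if base == "LOG" and level.upper() == "ULOG":
                seen.add((src, dst))
            elif base.rstrip("+!-").split("/")[0] in TERMINATING:
                break  # later LOG rules never see packets matched here
        for src, dst in sorted(wanted - seen):
            problems.append(f"{name}: no 'LOG:ULOG {src} {dst}' before a terminating rule")
    return problems

# Constructed sample (not a real config) mirroring the layout that worked above.
GOOD_RULES = "SECTION ESTABLISHED\nLOG:ULOG all net\nLOG:ULOG net all\n" \
             "SECTION RELATED\nLOG:ULOG all net\nLOG:ULOG net all\n" \
             "SECTION NEW\nLOG:ULOG all net\nLOG:ULOG net all\nACCEPT loc net\n"

if __name__ == "__main__":
    print(check_ulog_coverage(GOOD_RULES) or "ULOG coverage OK")
```

An empty list means every section logs both directions before anything terminates; each reported line names the section and direction that fprobe-ulog would silently miss.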