Greetings;

My syslog is getting 100s of thousands of messages like the following (these are just a sample); (BTW I am running Debian/lenny)

> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37901 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37902 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37903 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_OUT:IN=eth0 OUT=eth1 SRC=204.2.145.29 DST=192.168.31.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=118 ID=2300 DF PROTO=TCP SPT=80 DPT=4697 WINDOW=32552 RES=0x00 ACK URGP=0

I think I have traced the "cause" of them to the file /etc/shorewall/start which contains the following four records;

> run_iptables -I INPUT -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
> run_iptables -I FORWARD -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
> run_iptables -I FORWARD -o eth1 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
> run_iptables -I OUTPUT -o eth1 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug

But, I am not sure these are what is causing the records to be logged, and I can't figure out how to change them to stop the logging but keep the firewall operational.

Can anybody give me an assist?

Thanks,
Dennis

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
Hello,

I saw that when activating bandwidth monitoring in Webmin...
You can safely remove these lines and restart Shorewall.
But the better way would be to clean up Webmin.

Best regards;
Jerome Blion.

Dennis Wicks wrote:
> Greetings;
>
> My syslog is getting 100s of thousands of messages like
> the following (these are just a sample); (BTW I am
> running Debian/lenny)
>
>> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37901 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
>> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37902 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
>> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37903 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
>> May 11 12:41:31 gatekeeper kernel: BANDWIDTH_OUT:IN=eth0 OUT=eth1 SRC=204.2.145.29 DST=192.168.31.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=118 ID=2300 DF PROTO=TCP SPT=80 DPT=4697 WINDOW=32552 RES=0x00 ACK URGP=0
>
> I think I have traced the "cause" of them to the file
> /etc/shorewall/start which contains the following four
> records;
>
>> run_iptables -I INPUT -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
>> run_iptables -I FORWARD -i eth1 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
>> run_iptables -I FORWARD -o eth1 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
>> run_iptables -I OUTPUT -o eth1 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
>
> But, I am not sure these are what is causing the
> records to be logged, and I can't figure out how to
> change them to stop the logging but keep the firewall
> operational.
>
> Can anybody give me an assist?
>
> Thanks,
> Dennis
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jérôme Blion wrote the following on 05/11/2008 02:00 PM:
> Hello,
>
> I saw that when activating bandwidth monitoring in Webmin...
> You can safely remove these lines and restart Shorewall.
> But the better way would be to clean up Webmin.
>
> Best regards;
> Jerome Blion.

Jerome,

Thanks for the info! That was the fix, although webmin wouldn't undo those particular statements. I could add more monitoring statements and remove them by stopping monitoring with webmin but I had to remove the original ones by hand. They must have been generated by some other process and webmin didn't even know about them. Just my guess!

Again, thanks! I always like to have confirmation that I can just blow something away without screwing up the whole system!

Regards,
Dennis
Dennis Wicks wrote:
> That was the fix, although webmin
> wouldn't undo those particular statements. I could add
> more monitoring statements and remove them by stopping
> monitoring with webmin but I had to remove the original
> ones by hand. They must have been generated by some
> other process and webmin didn't even know about them.
> Just my guess!

They were added by the ill-conceived Webmin module. At the very least, the module should add its rules with the ULOG target; attempting to log all IPv4 traffic by syslog[-ng] (LOG target) is criminally stupid.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
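An added example (not from the thread and not Shorewall or Webmin code) that shows how to pin down which LOG rule is producing a syslog flood before touching the ruleset: it parses netfilter kernel log lines, infers the chain from which of IN/OUT are set, and counts lines per rule and per second. The sample lines are constructed from the ones quoted above, with one extra INPUT line and one non-netfilter line to show the parser skipping it.

```python
"""Locate which netfilter LOG rule is flooding syslog: group kernel LOG lines by
prefix and by chain (IN and OUT set -> FORWARD, only IN -> INPUT, only OUT -> OUTPUT),
which maps each group back to one of the four run_iptables lines quoted above."""
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37901 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37902 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
May 11 12:41:31 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT=eth0 SRC=192.168.0.4 DST=64.15.118.171 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=37903 DF PROTO=TCP SPT=1307 DPT=80 WINDOW=17640 RES=0x00 ACK URGP=0
May 11 12:41:31 gatekeeper kernel: BANDWIDTH_OUT:IN=eth0 OUT=eth1 SRC=204.2.145.29 DST=192.168.31.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=118 ID=2300 DF PROTO=TCP SPT=80 DPT=4697 WINDOW=32552 RES=0x00 ACK URGP=0
May 11 12:41:32 gatekeeper kernel: BANDWIDTH_IN:IN=eth1 OUT= SRC=192.168.0.4 DST=192.168.31.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 12:41:32 gatekeeper sshd[1234]: Accepted publickey for admin from 192.168.0.4 port 40000 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[[^\]]*\] )?(?P<prefix>.*?)IN=(?P<in>\S*) OUT=(?P<out>\S*) (?P<rest>.*)$"
)

def infer_chain(in_if, out_if):
    """Which filter chain a LOG line came from, judged by the interfaces present."""
    if in_if and out_if:
        return "FORWARD"
    if in_if:
        return "INPUT"
    return "OUTPUT" if out_if else "UNKNOWN"

def parse_log(text):
    """One dict per netfilter LOG line; lines that are not LOG output are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        records.append({
            "ts": m.group("ts"), "prefix": m.group("prefix").strip(),
            "chain": infer_chain(m.group("in"), m.group("out")),
            "in": m.group("in"), "out": m.group("out"),
            "src": fields.get("SRC"), "dst": fields.get("DST"), "dpt": fields.get("DPT"),
        })
    return records

def count_by_rule(records):
    """Lines per (prefix, chain, in, out): one bucket per LOG rule."""
    return Counter((r["prefix"], r["chain"], r["in"], r["out"]) for r in records)

def peak_rate(records):
    """Most lines any single rule bucket produced within one second."""
    per_sec = Counter((r["ts"], r["prefix"], r["chain"], r["in"], r["out"]) for r in records)
    return max(per_sec.values(), default=0)
```

Feeding it the real /var/log/syslog and reading `count_by_rule(...).most_common()` names the chain and interface pair, and therefore the exact run_iptables line, responsible for the bulk of the volume.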
Hello Tom!
I found several strange things (bugs) in Shorewall-4.1.6 shaping.

1. in file 'tcclasses' I can use 'tcp-ack' or 'tos-' options with CLASSES but not with MARKS, f.e.:

eth0:21 - 250kbit full 9 tcp-ack,tos-minimize-delay # run OK

eth0 21 250kbit full 9 tcp-ack,tos-minimize-delay # FAIL

2. in 'http://shorewall.net/traffic_shaping.htm' you wrote:
"the MARK value of the class preceded by the number "1" (MARK value 1 is <minor> class 11, MARK value 22 is <minor> class 122, and so on)"
And you use this (preceded by the number "1") value for 'tc filter' command also but not for 'iptables' where you use MARK value without "1" preceded. As a result packets marked by 'iptables' aren't selected by 'tc filter'.

Of course maybe I don't understand something.

Thank you very much,
Alex
alex wrote:
> Hello Tom!
> I found several strange things (bugs) in Shorewall-4.1.6 shaping.

Hello Alex,

The current development version is 4.1.8.

> 1. in file 'tcclasses' I can use 'tcp-ack' or 'tos-' options with
> CLASSES but not with MARKS, f.e.:
>
> eth0:21 - 250kbit full 9 tcp-ack,tos-minimize-delay # run OK
>
> eth0 21 250kbit full 9 tcp-ack,tos-minimize-delay # FAIL

How does it fail? I just ran a test here and 4.1.8 seems to compile the second line correctly.

> 2. in 'http://shorewall.net/traffic_shaping.htm' you wrote:
> "the MARK value of the class preceded by the number "1"
> (MARK value 1 is <minor> class 11, MARK value 22 is <minor>
> class 122, and so on)"
> And you use this (preceded by the number "1") value for 'tc filter'
> command also but not for 'iptables' where you use MARK value without
> "1" preceded. As a result packets marked by 'iptables' aren't selected
> by 'tc filter'.

That's correct -- Shorewall doesn't go around changing your tcrules behind your back. You must specify the correct classifier in /etc/shorewall/tcrules yourself (you must add the '1').

-Tom
>> Hello Tom!
>> I found several strange things (bugs) in Shorewall-4.1.6 shaping.
>
> Hello Alex,
>
> The current development version is 4.1.8.
>
>> 1. in file 'tcclasses' I can use 'tcp-ack' or 'tos-' options with
>> CLASSES but not with MARKS, f.e.:
>>
>> eth0:21 - 250kbit full 9 tcp-ack,tos-minimize-delay # run OK
>>
>> eth0 21 250kbit full 9 tcp-ack,tos-minimize-delay # FAIL
>
> How does it fail? I just ran a test here and 4.1.8 seems to compile
> the second line correctly.

Where can I get it? I didn't find any newer on 'http://www1.shorewall.net/pub/shorewall/development/staging/4.1/'.

>> 2. in 'http://shorewall.net/traffic_shaping.htm' you wrote:
>> "the MARK value of the class preceded by the number "1"
>> (MARK value 1 is <minor> class 11, MARK value 22 is <minor>
>> class 122, and so on)"
>> And you use this (preceded by the number "1") value for 'tc filter'
>> command also but not for 'iptables' where you use MARK value without
>> "1" preceded. As a result packets marked by 'iptables' aren't selected
>> by 'tc filter'.
>
> That's correct -- Shorewall doesn't go around changing your tcrules
> behind your back. You must specify the correct classifier in
> /etc/shorewall/tcrules yourself (you must add the '1').

Ok, I will test but I think it MUST be noted in 'http://shorewall.net/traffic_shaping.htm'.

Alex
alex wrote:
> Where can I get it? I didn't find any newer on
> 'http://www1.shorewall.net/pub/shorewall/development/staging/4.1/'.

http://www.shorewall.net/pub/shorewall/development/4.1/

-Tom
>> 2. in 'http://shorewall.net/traffic_shaping.htm' you wrote:
>> "the MARK value of the class preceded by the number "1"
>> (MARK value 1 is <minor> class 11, MARK value 22 is <minor>
>> class 122, and so on)"
>> And you use this (preceded by the number "1") value for 'tc filter'
>> command also but not for 'iptables' where you use MARK value without
>> "1" preceded. As a result packets marked by 'iptables' aren't selected
>> by 'tc filter'.
>
> That's correct -- Shorewall doesn't go around changing your tcrules
> behind your back. You must specify the correct classifier in
> /etc/shorewall/tcrules yourself (you must add the '1').

But Shorewall goes around changing our tcclasses behind our back! And you describe this fact and nothing happened. I think if the MARK value is placed in two files you must do identical things for both. Or you can generate the class ID based on MARK (preceded by the number "1") but not touch the MARK value for 'tc filter'. Why not?

Alex
alex wrote:
> But Shorewall goes around changing our tcclasses behind our back!
> And you describe this fact and nothing happened.
> I think if the MARK value is placed in two files you must do identical
> things for both. Or you can generate the class ID based on MARK (preceded
> by the number "1") but not touch the MARK value for 'tc filter'.
> Why not?

I misunderstood what you were saying. There IS a bug in the way that Shorewall is generating tc filters when marks are specified. I'll fix it when I have the time.

-Tom
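An added consistency check (not Shorewall's code and not from the thread) for the mark/filter mismatch Alex describes and Tom confirms above: it reads tcclasses entries, derives the class number the quoted traffic_shaping documentation specifies (the MARK preceded by "1"), and compares that against the fw filters reported by tc. The tcclasses lines follow the layout quoted in the thread; the `tc filter show` output lines are constructed and their exact layout is an assumption.

```python
"""Cross-check Shorewall tcclasses marks against the fw filters tc installed.

Per the traffic_shaping doc quoted in the thread, a class given MARK m gets minor
class number "1"+m (MARK 21 -> class 1:121) while iptables marks packets with m
itself, so the fw filter must be keyed on handle m (0x15), not on the class number.
"""
import re

# Constructed tcclasses lines in the layout used in the thread
# (INTERFACE[:CLASS] MARK RATE CEIL PRIO OPTIONS).
TCCLASSES = """\
#INTERFACE MARK RATE CEIL PRIO OPTIONS
eth0 21 250kbit full 9 tcp-ack,tos-minimize-delay
eth0 22 100kbit full 3
eth0:30 - 50kbit full 5
"""

# Constructed 'tc filter show dev eth0' output (the line layout is an assumption):
# the first filter is keyed correctly on the mark, the second shows the mismatch
# discussed in the thread (handle built from class number 122 = 0x7a, not mark 22 = 0x16).
TC_FILTER_OUT = """\
filter parent 1: protocol ip pref 1 fw handle 0x15 classid 1:121
filter parent 1: protocol ip pref 1 fw handle 0x7a classid 1:122
"""

FILTER_RE = re.compile(r"fw handle 0x(?P<handle>[0-9a-f]+) classid \d+:(?P<minor>\d+)")

def expected_filters(tcclasses):
    """Map each explicit MARK to the (handle, minor) pair a correct fw filter needs."""
    want = {}
    for line in tcclasses.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mark = line.split()[1]
        if mark == "-":
            continue  # class numbered explicitly in column 1; no mark-based filter
        want[int(mark)] = {"handle": int(mark), "minor": int("1" + mark)}
    return want

def installed_filters(tc_output):
    """{handle: minor class} for every fw filter in the tc output."""
    return {int(m.group("handle"), 16): int(m.group("minor"))
            for m in FILTER_RE.finditer(tc_output)}

def check(tcclasses, tc_output):
    """Marks whose packets would never reach their class: no fw filter keyed on the mark."""
    want, have = expected_filters(tcclasses), installed_filters(tc_output)
    return [mark for mark, exp in sorted(want.items()) if have.get(mark) != exp["minor"]]
```

A non-empty result from `check` means traffic carrying that mark falls through to the default class, which is the symptom reported in the thread.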
>> 1. in file 'tcclasses' I can use 'tcp-ack' or 'tos-' options with
>> CLASSES but not with MARKS, f.e.:
>>
>> eth0:21 - 250kbit full 9 tcp-ack,tos-minimize-delay # run OK
>>
>> eth0 21 250kbit full 9 tcp-ack,tos-minimize-delay # FAIL
>
> How does it fail? I just ran a test here and 4.1.8 seems to compile
> the second line correctly.

Yes, with 4.1.8 I don't have such a problem.
Thank you very much!
>> But Shorewall goes around changing our tcclasses behind our back!
>> And you describe this fact and nothing happened.
>> I think if the MARK value is placed in two files you must do identical
>> things for both. Or you can generate the class ID based on MARK (preceded
>> by the number "1") but not touch the MARK value for 'tc filter'.
>> Why not?
>
> I misunderstood what you were saying. There IS a bug in the way that
> Shorewall is generating tc filters when marks are specified. I'll fix it
> when I have the time.

Sorry, Tom. I don't understand you.

Ok, thank you very much again.
I will be much obliged to you if you give me a sign when you make this fix (now I have changed my tcrules manually).

Alex
alex wrote:
> Ok, thank you very much again.
> I will be much obliged to you if you give me a sign when you make this fix
> (now I have changed my tcrules manually).

Here's a (very) lightly-tested patch.

-Tom
>> Ok, thank you very much again.
>> I will be much obliged to you if you give me a sign when you make this fix
>> (now I have changed my tcrules manually).
>
> Here's a (very) lightly-tested patch.

OK, it works well for me. Thank you Tom!
I think 4.2.0 will be a very advanced Shorewall release.

Alex