Niedermeier Günter wrote:
> Problem:
>
> The logging works fine, as long as packets are sent from WAN to INT.
>
> If I, for example, try to open an ssh session from INT to WAN, it goes
> via FW28 to the destination and also back via FW28 to the source.
> But it may happen that answer packets come back to the source via
> FW10, depending on the current state of OSPF.
>
> Only in that case, there is no logging at FW10. That is my problem.
>
> If I configure an explicit rule in rules for these packets, they are
> logged pretty well.

Stateful firewalls work oddly in cases of asymmetric routing. That is the
nature of the beasts.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
> Stateful firewalls work oddly in cases of asymmetric routing. That is the
> nature of the beasts.

Well, that's clear to me.

But can you tell me in short the difference between logging in rules and
logging in zones?

In my case, asym. back-routed packets are logged well in FW10 if I use
a rule in rules which matches the packets. But they are not logged if
I only use a matching rule in zones.
Filtering the packets on FW10 works well in both cases (zones or rules),
but not the logging.

Perhaps you say that packets - not marked as new - generally cannot
be logged in zones but in rules would be an answer, but I'm not sure
about that.

-Guenter
Niedermeier Günter wrote:
>> Stateful firewalls work oddly in cases of asymmetric routing. That is the
>> nature of the beasts.
>
> Well, that's clear to me.
>
> But can you tell me in short the difference between logging in rules and
> logging in zones?
>
> In my case, asym. back-routed packets are logged well in FW10 if I use
> a rule in rules which matches the packets. But they are not logged if
> I only use a matching rule in zones.
> Filtering the packets on FW10 works well in both cases (zones or rules),
> but not the logging.
>
> Perhaps you say that packets - not marked as new - generally cannot
> be logged in zones but in rules would be an answer, but I'm not sure
> about that.

Packets in the NEW and INVALID states are passed through the NEW section of
the rules file. At the end of the NEW section, rules generated by entries in
the /etc/shorewall/tunnels file are applied. Any remaining packets are then
passed to the "default action" of the applicable policy. The default actions
as released by shorewall.net are:

    POLICY    ACTION
    ACCEPT    -
    DROP      Drop
    REJECT    Reject
    QUEUE     -
    NFQUEUE   -

So for DROP and REJECT policies, additional rules are applied. These rules
are designed to avoid cluttering the log and to ensure that critical packets
are not dropped/rejected. See http://www.shorewall.net/Actions.html#Default
for more information.

Those packets which are not handled (silently) by the default action are then
logged (if logging of the applicable policy is enabled) and then the policy
rule itself is applied.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
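The following configuration fragments are an added illustration of the processing order Tom describes; they are not from the thread, and the zone names (int, wan), the firewall (FW10) and the ssh port are assumed. Because FW10 never saw the outbound SYN of the asymmetric session, it has no conntrack entry for the flow, so the returning packets are not ESTABLISHED; they enter the NEW section as NEW or INVALID. My reading of the shipped action.Drop file (linked from the Actions.html#Default page above) is that it contains dropInvalid and dropNotSyn, which discard exactly such packets without logging before the policy's own log rule is reached. Two ways to get them logged are shown: an explicit rule in the rules file, which runs before the default action, and a policy that disables the default action.

```text
# /etc/shorewall/policy on FW10 (constructed example; zone names are assumed)
# The wan->int DROP policy logs at level info, but the Drop default action
# silently discards INVALID and non-SYN TCP packets first, so asymmetric
# ssh replies never reach the policy's log rule.
#SOURCE   DEST   POLICY   LOG LEVEL
int       wan    ACCEPT
wan       int    DROP     info

# Variant A: /etc/shorewall/rules on FW10.
# A rule in the NEW section is evaluated before the default action, so the
# returning half of an ssh session opened from int to wan (source port 22)
# is logged whether conntrack flags it NEW or INVALID.
#ACTION     SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
SECTION NEW
DROP:info   wan      int    tcp     -              22

# Variant B: /etc/shorewall/policy on FW10.
# ":None" omits the default action for this one policy, so nothing is dropped
# silently ahead of the policy log rule. Expect the noise the Drop action was
# hiding (invalid packets, broadcasts, SMB chatter) to appear in the log.
#SOURCE   DEST   POLICY       LOG LEVEL
wan       int    DROP:None    info
```

Variant A is the more targeted fix and matches what Günter observed when adding a rule in rules. After `shorewall restart`, `shorewall show Drop` lists the chain generated for the default action, which makes it easy to confirm which of its rules is absorbing the replies on FW10.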