On 28/07/2010 15:45, shorewall-users-request@lists.sourceforge.net wrote:
> On 7/28/10 1:50 AM, Andrea Perdicchia wrote:
>> Hi all,
>> Is it possible to log the MAC address in shorewall?
>> I tried all the configurations "debug,info..." in /etc/shorewall/shorewall.conf,
>> but in /var/log/messages the log shows only a little information and not the MAC
>> address.
>
> Shorewall has no control over logging of the MAC address. Whatever
> option you are setting in shorewall.conf only controls the facility and
> priority of a particular class of log message. That, in turn, determines
> how they get handled by your logging daemon (syslogd, syslog-ng,
> rsyslogd, etc.).
>
> When displayed by /sbin/shorewall, log messages generally have the MAC
> address stripped. You can cause MAC addresses (actually the entire
> Ethernet headers) to be displayed by using the -m option (e.g.,
> shorewall show -m log).

The shorewall man page says "The -m option causes the MAC address of
each packet source to be displayed *if that information is available*".
But in my messages.log and kern.log (I use Ubuntu Server) the MAC
address information is not available. How can I enable it?

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share
of $1 Million in cash or HP Products. Visit us here for more details:
http://p.sf.net/sfu/dev2dev-palm
On 7/28/10 7:48 AM, Andrea Perdicchia wrote:
> On 28/07/2010 15:45, shorewall-users-request@lists.sourceforge.net wrote:
>> On 7/28/10 1:50 AM, Andrea Perdicchia wrote:
>>> Hi all,
>>> Is it possible to log the MAC address in shorewall?
>>> I tried all the configurations "debug,info..." in /etc/shorewall/shorewall.conf,
>>> but in /var/log/messages the log shows only a little information and not the MAC
>>> address.
>>
>> Shorewall has no control over logging of the MAC address. Whatever
>> option you are setting in shorewall.conf only controls the facility and
>> priority of a particular class of log message. That, in turn, determines
>> how they get handled by your logging daemon (syslogd, syslog-ng,
>> rsyslogd, etc.).
>>
>> When displayed by /sbin/shorewall, log messages generally have the MAC
>> address stripped. You can cause MAC addresses (actually the entire
>> Ethernet headers) to be displayed by using the -m option (e.g.,
>> shorewall show -m log).
>
> The shorewall man page says "The -m option causes the MAC address of
> each packet source to be displayed *if that information is available*".
> But in my messages.log and kern.log (I use Ubuntu Server) the MAC
> address information is not available. How can I enable it?

Switch to ULOG (http://www.shorewall.net/shorewall_logging.html#ULOG).

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 7/28/10 8:07 AM, Tom Eastep wrote:
> On 7/28/10 7:48 AM, Andrea Perdicchia wrote:
>> The shorewall man page says "The -m option causes the MAC address of
>> each packet source to be displayed *if that information is available*".
>> But in my messages.log and kern.log (I use Ubuntu Server) the MAC
>> address information is not available. How can I enable it?
>
> Switch to ULOG (http://www.shorewall.net/shorewall_logging.html#ULOG).

Of course, the interface through which logged packets arrive must be
Ethernet; otherwise, there is no ethernet header. On my own firewall
(Lenny), both ULOG and LOG create log messages with the ethernet header
intact:

LOG:

[1187508.980495] net-all:DROP:IN=eth1 OUT=
MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=61.168.222.222
DST=70.90.191.123 LEN=438 TOS=0x00 PREC=0x20 TTL=50 ID=33722 DF
PROTO=UDP SPT=5060 DPT=5060 LEN=418 MARK=0x10000

ULOG:

Jul 28 07:58:06 gateway net-all:DROP: IN=eth1 OUT=
MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=82.140.218.30
DST=70.90.191.123 LEN=95 TOS=00 PREC=0x20 TTL=112 ID=24573 PROTO=UDP
SPT=61877 DPT=45947 LEN=75

Also, note that the sending MAC address (00:22:2d:76:5a:aa) is always
that of the next-hop router and is usually not that interesting.

-Tom
On 7/28/10 8:18 AM, Tom Eastep wrote:
> On 7/28/10 8:07 AM, Tom Eastep wrote:
>> On 7/28/10 7:48 AM, Andrea Perdicchia wrote:
>>> The shorewall man page says "The -m option causes the MAC address of
>>> each packet source to be displayed *if that information is available*".
>>> But in my messages.log and kern.log (I use Ubuntu Server) the MAC
>>> address information is not available. How can I enable it?
>>
>> Switch to ULOG (http://www.shorewall.net/shorewall_logging.html#ULOG).
>
> Of course, the interface through which logged packets arrive must be
> Ethernet; otherwise, there is no ethernet header. On my own firewall
> (Lenny), both ULOG and LOG create log messages with the ethernet header
> intact:
>
> LOG:
>
> [1187508.980495] net-all:DROP:IN=eth1 OUT=
> MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=61.168.222.222
> DST=70.90.191.123 LEN=438 TOS=0x00 PREC=0x20 TTL=50 ID=33722 DF
> PROTO=UDP SPT=5060 DPT=5060 LEN=418 MARK=0x10000
>
> ULOG:
>
> Jul 28 07:58:06 gateway net-all:DROP: IN=eth1 OUT=
> MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=82.140.218.30
> DST=70.90.191.123 LEN=95 TOS=00 PREC=0x20 TTL=112 ID=24573 PROTO=UDP
> SPT=61877 DPT=45947 LEN=75
>
> Also, note that the sending MAC address (00:22:2d:76:5a:aa) is always
> that of the next-hop router and is usually not that interesting.

I just read the ipt_LOG.c code and learned that the ethernet header
(MAC) is only included for INPUT packets (those where IN=xxx and
OUT=<empty>). So if a logged packet is being forwarded (IN= and OUT= are
both non-empty), then the log message will not include the ethernet
header. In my case, all but one usable address from my /29 are
configured on the firewall itself (I run Linux-vserver) so all logged
messages from the ''net'' zone are INPUT packets.

-Tom
On 7/28/10 8:47 AM, Tom Eastep wrote:
> I just read the ipt_LOG.c code and learned that the ethernet header
> (MAC) is only included for INPUT packets (those where IN=xxx and
> OUT=<empty>). So if a logged packet is being forwarded (IN= and OUT= are
> both non-empty), then the log message will not include the ethernet
> header. In my case, all but one usable address from my /29 are
> configured on the firewall itself (I run Linux-vserver) so all logged
> messages from the ''net'' zone are INPUT packets.

This is contrasted with ipt_ULOG.c which includes the ethernet header
when IN= is non-empty and there is a header associated with the packet.

-Tom
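As an added example (not code from this thread, from Shorewall or from netfilter), a small Python parser for the LOG and ULOG lines Tom quoted above: it splits the 14-byte MAC= field into destination MAC, source MAC (the next-hop router Tom points out) and EtherType, and reports no Ethernet header for a forwarded packet (IN and OUT both set), which per Tom's reading of ipt_LOG.c carries no MAC= field. The third sample line is constructed to show that forwarded case; the first two are the thread's own LOG and ULOG samples.

```python
import re
from dataclasses import dataclass

# Sample lines: the LOG and ULOG messages quoted in this thread, plus a
# constructed forwarded packet (IN and OUT both set) of the kind ipt_LOG
# prints without a MAC= field.
SAMPLE_LINES = [
    "[1187508.980495] net-all:DROP:IN=eth1 OUT= "
    "MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=61.168.222.222 "
    "DST=70.90.191.123 LEN=438 TOS=0x00 PREC=0x20 TTL=50 ID=33722 DF "
    "PROTO=UDP SPT=5060 DPT=5060 LEN=418 MARK=0x10000",
    "Jul 28 07:58:06 gateway net-all:DROP: IN=eth1 OUT= "
    "MAC=00:a0:cc:db:31:c4:00:22:2d:76:5a:aa:08:00 SRC=82.140.218.30 "
    "DST=70.90.191.123 LEN=95 TOS=00 PREC=0x20 TTL=112 ID=24573 PROTO=UDP "
    "SPT=61877 DPT=45947 LEN=75",
    "[1187509.120000] net-loc:DROP:IN=eth1 OUT=eth0 SRC=82.140.218.30 "
    "DST=192.168.1.20 LEN=60 TOS=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=4444 "
    "DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

@dataclass
class EtherHeader:
    dst_mac: str    # MAC of the receiving interface (the firewall's own NIC)
    src_mac: str    # MAC of the last hop that put the frame on the wire
    ethertype: int  # 0x0800 = IPv4, 0x86dd = IPv6

def parse_mac_field(mac_field: str) -> EtherHeader:
    """netfilter dumps the raw 14-byte Ethernet header as colon-separated
    hex: 6 destination bytes, 6 source bytes, then the 2-byte EtherType."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError(f"unexpected MAC field: {mac_field}")
    return EtherHeader(":".join(octets[:6]), ":".join(octets[6:12]),
                       int(octets[12] + octets[13], 16))

def parse_log_line(line: str) -> dict:
    """Extract KEY=VALUE fields from a LOG or ULOG line. Bare flags such as
    DF or SYN carry no '='; a repeated key (LEN) keeps its last value."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    direction = ("FORWARD" if in_if and out_if else
                 "INPUT" if in_if else "OUTPUT")
    mac = fields.get("MAC")  # absent when no Ethernet header was attached
    return {"direction": direction, "in": in_if, "out": out_if,
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
            "ether": parse_mac_field(mac) if mac else None}
```

When correlating a dropped packet back to a device, treat `src_mac` as the upstream hop that delivered the frame, not as the originating host.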