Hi shorewall fans,

I've been using it for years, but only now I stepped on a strange problem: the rule is

    ACCEPT:info    all    fw    tcp    22

Primitive, however I get logs for each packet, and my expectation is that I get logs only for every incoming connection (SYN packet). I've been using Mandriva and I guess the distribution has made some rules and macros, and this line was working as I expected; however now on Fedora 13 it just logs every packet.

Any ideas?

Liutauras

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better price-free!
And you'll get a free "Love Thy Logs" t-shirt when you download Logger.
Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
On Fri, 2011-09-02 at 13:10 +0300, Liutauras Adomaitis wrote:
> I've been using it for years, but only now I stepped on a strange problem:
> the rule is
> ACCEPT:info all fw tcp 22
> Primitive, however I get logs for each packet and my expectation is that
> I get logs only for every incoming connection (SYN packet).
> I've been using Mandriva and I guess the distribution has made some rules,
> macros and this line was working as I expected, however now on Fedora
> 13 it just logs every packet.
>
> Any ideas?

Did you inadvertently place the rule in the ESTABLISHED section of the rules file rather than in the NEW section?

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Fri, Sep 2, 2011 at 4:00 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2011-09-02 at 13:10 +0300, Liutauras Adomaitis wrote:
>
>> I've been using it for years, but only now I stepped on a strange problem:
>> the rule is
>> ACCEPT:info all fw tcp 22
>> Primitive, however I get logs for each packet and my expectation is that
>> I get logs only for every incoming connection (SYN packet).
>> I've been using Mandriva and I guess the distribution has made some rules,
>> macros and this line was working as I expected, however now on Fedora
>> 13 it just logs every packet.
>>
>> Any ideas?
>
> Did you inadvertently place the rule in the ESTABLISHED section of the
> rules file rather than in the NEW section?
>
> -Tom
> --

Just double checked - no. Here is my rules file:

    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    ACCEPT    all    $FW    tcp    22    -    # SSH

Can this be related to the fact that I'm running a virtual machine based on OpenVZ? I just got it from my hosting provider. I am not familiar with this type of virtualization. Can this be related?

I see other strange things - although I can access the box via ssh, I cannot access the internet from this virtual machine, even DNS is not working. Using tcpdump I see the UDP packet leaving the box and the response coming back, however it is dropped silently somewhere.

My policy file:

    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    ACCEPT    all    $FW    tcp    22    -    # SSH

My interfaces file:

    net    venet0    detect    dhcp,tcpflags,logmartians,nosmurfs

And zones:

    fw    firewall
    net   ipv4
On Fri, 2011-09-02 at 16:21 +0300, Liutauras Adomaitis wrote:
> On Fri, Sep 2, 2011 at 4:00 PM, Tom Eastep <teastep@shorewall.net> wrote:
> > On Fri, 2011-09-02 at 13:10 +0300, Liutauras Adomaitis wrote:
> >
> >> I've been using it for years, but only now I stepped on a strange problem:
> >> the rule is
> >> ACCEPT:info all fw tcp 22
> >> Primitive, however I get logs for each packet and my expectation is that
> >> I get logs only for every incoming connection (SYN packet).
> >> I've been using Mandriva and I guess the distribution has made some rules,
> >> macros and this line was working as I expected, however now on Fedora
> >> 13 it just logs every packet.
> >>
> >> Any ideas?
> >
> > Did you inadvertently place the rule in the ESTABLISHED section of the
> > rules file rather than in the NEW section?
> >
> > -Tom
> > --
>
> Just double checked - no. Here is my rules file:
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> ACCEPT all $FW tcp 22 - # SSH
>
> Can this be related to the fact that I'm running a virtual machine based
> on OpenVZ? I just got it from my hosting provider. I am not familiar
> with this type of virtualization. Can this be related?
>

Yes. Another user has reported that iptables/Netfilter is broken when running in an OpenVZ container.

-Tom
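A quick way to confirm the symptom from the kernel log, added here as an example and not part of the original thread: a NEW-section ACCEPT:info rule should log only the SYN of each connection, because conntrack matches the later packets as ESTABLISHED first, so a log full of ACK/PSH packets for port 22 points at connection tracking not working. The log lines below are constructed; the chain name net2fw and the default Shorewall log prefix are assumptions.

```python
"""Classify Shorewall log lines by TCP flags to spot 'every packet logged'.

Healthy: (almost) every logged packet for the port is a bare SYN.
Broken conntrack: ACK/PSH/FIN packets of established sessions get logged too.
"""
import re
from collections import Counter

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample lines (not from the thread); the layout follows the
# netfilter LOG target output with Shorewall's "Shorewall:chain:disposition:" prefix.
SAMPLE_LOG = """\
Sep  2 13:05:01 vz kernel: Shorewall:net2fw:ACCEPT:IN=venet0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep  2 13:05:01 vz kernel: Shorewall:net2fw:ACCEPT:IN=venet0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Sep  2 13:05:02 vz kernel: Shorewall:net2fw:ACCEPT:IN=venet0 OUT= MAC= SRC=203.0.113.10 DST=198.51.100.5 LEN=88 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>IN=.*)$")

def parse_line(line):
    """Return (fields, flags) for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    flags = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)  # bare tokens after RES= are the TCP flags
    return fields, flags

def flag_summary(log_text, dport="22"):
    """Count logged TCP packets to dport as 'syn_only' or 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != dport:
            continue
        counts["syn_only" if flags == {"SYN"} else "other"] += 1
    return counts

def conntrack_looks_broken(counts):
    """Heuristic: a NEW-section rule with working conntrack logs mostly SYNs."""
    return counts["other"] > counts["syn_only"]
```

Run it against `/var/log/messages` (or wherever the kernel log lands) instead of SAMPLE_LOG; on a box with working conntrack the "other" count stays near zero.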
On Fri, Sep 2, 2011 at 4:34 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2011-09-02 at 16:21 +0300, Liutauras Adomaitis wrote:
>> On Fri, Sep 2, 2011 at 4:00 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> > On Fri, 2011-09-02 at 13:10 +0300, Liutauras Adomaitis wrote:
>> >
>> >> I've been using it for years, but only now I stepped on a strange problem:
>> >> the rule is
>> >> ACCEPT:info all fw tcp 22
>> >> Primitive, however I get logs for each packet and my expectation is that
>> >> I get logs only for every incoming connection (SYN packet).
>> >> I've been using Mandriva and I guess the distribution has made some rules,
>> >> macros and this line was working as I expected, however now on Fedora
>> >> 13 it just logs every packet.
>> >>
>> >> Any ideas?
>> >
>> > Did you inadvertently place the rule in the ESTABLISHED section of the
>> > rules file rather than in the NEW section?
>> >
>> > -Tom
>> > --
>>
>> Just double checked - no. Here is my rules file:
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> SECTION NEW
>> ACCEPT all $FW tcp 22 - # SSH
>>
>> Can this be related to the fact that I'm running a virtual machine based
>> on OpenVZ? I just got it from my hosting provider. I am not familiar
>> with this type of virtualization. Can this be related?
>>
>
> Yes. Another user has reported that iptables/Netfilter is broken when
> running in an OpenVZ container.
>
> -Tom
> --

Any workarounds?
It is interesting, since how can you run your server if you can't set up your firewall properly?

Liutauras
On Fri, 2011-09-02 at 16:44 +0300, Liutauras Adomaitis wrote:
>
> Any workarounds?
> It is interesting, since how can you run your server if you can't
> set up your firewall properly?
>

Not that I'm aware of.

-Tom
On Fri, 2011-09-02 at 06:53 -0700, Tom Eastep wrote:
> On Fri, 2011-09-02 at 16:44 +0300, Liutauras Adomaitis wrote:
> >
> > Any workarounds?
> > It is interesting, since how can you run your server if you can't
> > set up your firewall properly?
> >
>
> Not that I'm aware of.

There is a Debian bug report about the problem at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631234

-Tom