So, at the end of my long list of (old-style) accounting rules I have a
"catch-all":

acc_unknown         -                   $CGCOIF                  br-lan:0.0.0.0/0
acc_unknown         -                   br-lan:0.0.0.0/0         $CGCOIF
DONE                -                   -                        br-lan:0.0.0.0/0
DONE                -                   br-lan:0.0.0.0/0
COUNT               acc_unknown         $CGCOIF                  br-lan
COUNT               acc_unknown         br-lan                   $CGCOIF

meant to account for anything that didn't get accounted for above it.
The accounting rules above that are all working just fine, however this
catch-all doesn't seem to get anything in it as you can see:

Chain acc_unknown (2 references)
 pkts bytes target              prot opt in     out     source           destination
    0     0                     all  --  eth1   br-lan 0.0.0.0/0        0.0.0.0/0
    0     0                     all  --  br-lan eth1   0.0.0.0/0        0.0.0.0/0

Chain accounting (3 references)
 pkts bytes target              prot opt in     out     source           destination
...
    0     0 acc_unknown         all  --  eth1   br-lan 0.0.0.0/0        0.0.0.0/0
    0     0 acc_unknown         all  --  br-lan eth1   0.0.0.0/0        0.0.0.0/0
11988  941K RETURN              all  --  *      br-lan 0.0.0.0/0        0.0.0.0/0
  786 36304 RETURN              all  --  br-lan *      0.0.0.0/0        0.0.0.0/0
    0     0 LOG                 all  --  eth1   *      0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'
    0     0 LOG                 all  --  *      eth1   0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'

Am I doing something wrong?

Cheers,
b.
On 06/02/2013 06:50 AM, Brian J. Murrell wrote:
> So, at the end of my long list of (old-style) accounting rules I have a
> "catch-all":
>
> acc_unknown         -                   $CGCOIF                  br-lan:0.0.0.0/0
> acc_unknown         -                   br-lan:0.0.0.0/0         $CGCOIF
> DONE                -                   -                        br-lan:0.0.0.0/0
> DONE                -                   br-lan:0.0.0.0/0
> COUNT               acc_unknown         $CGCOIF                  br-lan
> COUNT               acc_unknown         br-lan                   $CGCOIF
>
> meant to account for anything that didn't get accounted for above it.
> The accounting rules above that are all working just fine, however this
> catch-all doesn't seem to get anything in it as you can see:
>
> Chain acc_unknown (2 references)
>  pkts bytes target              prot opt in     out     source           destination
>     0     0                     all  --  eth1   br-lan 0.0.0.0/0        0.0.0.0/0
>     0     0                     all  --  br-lan eth1   0.0.0.0/0        0.0.0.0/0
>
> Chain accounting (3 references)
>  pkts bytes target              prot opt in     out     source           destination
> ...
>     0     0 acc_unknown         all  --  eth1   br-lan 0.0.0.0/0        0.0.0.0/0
>     0     0 acc_unknown         all  --  br-lan eth1   0.0.0.0/0        0.0.0.0/0
> 11988  941K RETURN              all  --  *      br-lan 0.0.0.0/0        0.0.0.0/0
>   786 36304 RETURN              all  --  br-lan *      0.0.0.0/0        0.0.0.0/0
>     0     0 LOG                 all  --  eth1   *      0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'
>     0     0 LOG                 all  --  *      eth1   0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'
>
> Am I doing something wrong?
>

Depends on what precedes the above accounting rules.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 13-06-02 10:39 AM, Tom Eastep wrote:
>
> Depends on what precedes the above accounting rules.

Here's my whole accounting file:

#ACTION             CHAIN               SOURCE                   DEST                     PROTO  DPORT         SPORT
COUNT               -                   $CGCOIF                  -
COUNT               -                   -                        $CGCOIF
# bail out quickly for openvpn and ipv6. openvpn and ipv6 have their
# own interfaces and are accounted for in them.
DONE                -                   $CGCOIF                  -                        udp    1194
DONE                -                   -                        $CGCOIF                  udp    -             1194
DONE                -                   $CGCOIF                  -                        41
DONE                -                   -                        $CGCOIF                  41
# account to the gw for the ipv6 (sixxs) control protocol and DHCP and its own NTP
DONE                -                   $CGCOIF                  -                        udp    67,68,123
DONE                -                   -                        $CGCOIF                  udp    -             67,68,123
DONE                -                   -                        $CGCOIF:216.14.98.22     udp    3740
# and sending and receiving icmp messages
DONE                -                   -                        $CGCOIF                  icmp
DONE                -                   $CGCOIF                  -                        icmp
# don't acct for stupid torrent-on-udp to PC either
DONE                -                   $CGCOIF                  -                        udp    40000:50000
# throw away packets to the gateway that are probes
DONE                -                   -                        &$CGCOIF
acc_pc              -                   $CGCOIF                  br-lan:192.168.222.1
acc_pc              -                   br-lan:192.168.222.1     $CGCOIF
acc_pc              -                   $CGCOIF                  br-lan:192.168.222.101
acc_pc              -                   br-lan:192.168.222.101   $CGCOIF
COUNT               acc_pc              $CGCOIF                  br-lan
COUNT               acc_pc              br-lan                   $CGCOIF
acc_pc              -                   tun0                     br-lan:192.168.222.1
acc_pc              -                   br-lan:192.168.222.1     tun0
acc_pc              -                   tun0                     br-lan:192.168.222.101
acc_pc              -                   br-lan:192.168.222.101   tun0
COUNT               acc_pc              tun0                     br-lan
COUNT               acc_pc              br-lan                   tun0
DONE                -                   -                        br-lan:192.168.222.1
DONE                -                   br-lan:192.168.222.1
DONE                -                   -                        br-lan:192.168.222.101
DONE                -                   br-lan:192.168.222.101
COUNT               acc_pc              -                        -                        tcp    -             143,993
COUNT               acc_pc              -                        -                        tcp    143,993
COUNT               acc_pc              -                        -                        tcp    -             22
COUNT               acc_pc              -                        -                        tcp    22
COUNT               acc_pc              -                        -                        tcp    -             119
COUNT               acc_pc              -                        -                        tcp    119
DONE                acc_pc
acc_pvr             -                   $CGCOIF                  br-lan:192.168.222.2
acc_pvr             -                   br-lan:192.168.222.2     $CGCOIF
DONE                -                   -                        br-lan:192.168.222.2
DONE                -                   br-lan:192.168.222.2
COUNT               acc_pvr             $CGCOIF                  br-lan
COUNT               acc_pvr             br-lan                   $CGCOIF
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.185
acc_brian_lt        -                   br-lan:192.168.222.185   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.185
DONE                -                   br-lan:192.168.222.185
acc_brian_lt        -                   $CGCOIF                  br-lan:10.10.0.0/16
acc_brian_lt        -                   br-lan:10.10.0.0/16      $CGCOIF
DONE                -                   -                        br-lan:10.10.0.0/16
DONE                -                   br-lan:10.10.0.0/16
acc_brian_lt        -                   $CGCOIF                  br-lan:10.0.0.0/24
acc_brian_lt        -                   br-lan:10.0.0.0/24       $CGCOIF
DONE                -                   -                        br-lan:10.0.0.0/24
DONE                -                   br-lan:10.0.0.0/24
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.217
acc_brian_lt        -                   br-lan:192.168.222.217   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.217
DONE                -                   br-lan:192.168.222.217
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.244
acc_brian_lt        -                   br-lan:192.168.222.244   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.244
DONE                -                   br-lan:192.168.222.244
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.151
acc_brian_lt        -                   br-lan:192.168.222.151   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.151
DONE                -                   br-lan:192.168.222.151
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.213
acc_brian_lt        -                   br-lan:192.168.222.213   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.213
DONE                -                   br-lan:192.168.222.213
acc_brian_lt        -                   $CGCOIF                  br-lan:192.168.222.199
acc_brian_lt        -                   br-lan:192.168.222.199   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.199
DONE                -                   br-lan:192.168.222.199
COUNT               acc_brian_lt        $CGCOIF                  br-lan
COUNT               acc_brian_lt        br-lan                   $CGCOIF
#COUNT              acc_brian_lt        -                        -                        udp    -             4500
#COUNT              acc_brian_lt        -                        -                        udp    4500
#DONE               acc_brian_lt
acc_brian_lt_old    -                   $CGCOIF                  br-lan:192.168.222.145
acc_brian_lt_old    -                   br-lan:192.168.222.145   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.145
DONE                -                   br-lan:192.168.222.145
COUNT               acc_brian_lt_old    $CGCOIF                  br-lan
COUNT               acc_brian_lt_old    br-lan                   $CGCOIF
acc_mac             -                   $CGCOIF                  br-lan:192.168.222.221
acc_mac             -                   br-lan:192.168.222.221   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.221
DONE                -                   br-lan:192.168.222.221
acc_mac             -                   $CGCOIF                  br-lan:192.168.222.251
acc_mac             -                   br-lan:192.168.222.251   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.251
DONE                -                   br-lan:192.168.222.251
COUNT               acc_mac             $CGCOIF                  br-lan
COUNT               acc_mac             br-lan                   $CGCOIF
acc_joey_lt         -                   $CGCOIF                  br-lan:192.168.222.208
acc_joey_lt         -                   br-lan:192.168.222.208   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.208
DONE                -                   br-lan:192.168.222.208
COUNT               acc_joey_lt         $CGCOIF                  br-lan
COUNT               acc_joey_lt         br-lan                   $CGCOIF
acc_joey            -                   $CGCOIF                  br-lan:192.168.222.4
acc_joey            -                   br-lan:192.168.222.4     $CGCOIF
DONE                -                   -                        br-lan:192.168.222.4
DONE                -                   br-lan:192.168.222.4
COUNT               acc_joey            $CGCOIF                  br-lan
COUNT               acc_joey            br-lan                   $CGCOIF
acc_brian_archos    -                   $CGCOIF                  br-lan:192.168.222.234
acc_brian_archos    -                   br-lan:192.168.222.234   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.234
DONE                -                   br-lan:192.168.222.234
acc_brian_archos    -                   $CGCOIF                  br-lan:192.168.222.253
acc_brian_archos    -                   br-lan:192.168.222.253   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.253
DONE                -                   br-lan:192.168.222.253
acc_brian_archos    -                   $CGCOIF                  br-lan:192.168.222.247
acc_brian_archos    -                   br-lan:192.168.222.247   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.247
DONE                -                   br-lan:192.168.222.247
COUNT               acc_brian_archos    $CGCOIF                  br-lan
COUNT               acc_brian_archos    br-lan                   $CGCOIF
acc_brian_phone     -                   $CGCOIF                  br-lan:192.168.222.176
acc_brian_phone     -                   br-lan:192.168.222.176   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.176
DONE                -                   br-lan:192.168.222.176
COUNT               acc_brian_phone     $CGCOIF                  br-lan
COUNT               acc_brian_phone     br-lan                   $CGCOIF
acc_joe_phone       -                   $CGCOIF                  br-lan:192.168.222.190
acc_joe_phone       -                   br-lan:192.168.222.190   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.190
DONE                -                   br-lan:192.168.222.190
COUNT               acc_joe_phone       $CGCOIF                  br-lan
COUNT               acc_joe_phone       br-lan                   $CGCOIF
acc_joe_tablet      -                   $CGCOIF                  br-lan:192.168.222.186
acc_joe_tablet      -                   br-lan:192.168.222.186   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.186
DONE                -                   br-lan:192.168.222.186
COUNT               acc_joe_tablet      $CGCOIF                  br-lan
COUNT               acc_joe_tablet      br-lan                   $CGCOIF
acc_galaxy_tablet   -                   $CGCOIF                  br-lan:192.168.222.181
acc_galaxy_tablet   -                   br-lan:192.168.222.181   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.181
DONE                -                   br-lan:192.168.222.181
COUNT               acc_galaxy_tablet   $CGCOIF                  br-lan
COUNT               acc_galaxy_tablet   br-lan                   $CGCOIF
acc_lenovo_tablet   -                   $CGCOIF                  br-lan:192.168.222.177
acc_lenovo_tablet   -                   br-lan:192.168.222.177   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.177
DONE                -                   br-lan:192.168.222.177
COUNT               acc_lenovo_tablet   $CGCOIF                  br-lan
COUNT               acc_lenovo_tablet   br-lan                   $CGCOIF
acc_steve_phone     -                   $CGCOIF                  br-lan:192.168.222.188
acc_steve_phone     -                   br-lan:192.168.222.188   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.188
DONE                -                   br-lan:192.168.222.188
acc_steve_phone     -                   $CGCOIF                  br-lan:192.168.222.219
acc_steve_phone     -                   br-lan:192.168.222.219   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.219
DONE                -                   br-lan:192.168.222.219
COUNT               acc_steve_phone     $CGCOIF                  br-lan
COUNT               acc_steve_phone     br-lan                   $CGCOIF
acc_joe_archos      -                   $CGCOIF                  br-lan:192.168.222.135
acc_joe_archos      -                   br-lan:192.168.222.135   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.135
DONE                -                   br-lan:192.168.222.135
COUNT               acc_joe_archos      $CGCOIF                  br-lan
COUNT               acc_joe_archos      br-lan                   $CGCOIF
acc_wireless_router -                   $CGCOIF                  br-lan:192.168.222.228
acc_wireless_router -                   br-lan:192.168.222.228   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.228
DONE                -                   br-lan:192.168.222.228
COUNT               acc_wireless_router $CGCOIF                  br-lan
COUNT               acc_wireless_router br-lan                   $CGCOIF
acc_linux           -                   $CGCOIF                  br-lan:192.168.222.3
acc_linux           -                   br-lan:192.168.222.3     $CGCOIF
acc_linux           -                   $CGCOIF                  br-lan:192.168.222.8
acc_linux           -                   br-lan:192.168.222.8     $CGCOIF
acc_linux           -                   $CGCOIF                  br-lan:192.168.222.9
acc_linux           -                   br-lan:192.168.222.9     $CGCOIF
COUNT               acc_linux           $CGCOIF                  br-lan
COUNT               acc_linux           br-lan                   $CGCOIF
acc_linux           -                   tun0                     br-lan:192.168.222.3
acc_linux           -                   br-lan:192.168.222.3     tun0
acc_linux           -                   tun0                     br-lan:192.168.222.8
acc_linux           -                   br-lan:192.168.222.8     tun0
acc_linux           -                   tun0                     br-lan:192.168.222.9
acc_linux           -                   br-lan:192.168.222.9     tun0
COUNT               acc_linux           tun0                     br-lan
COUNT               acc_linux           br-lan                   tun0
#acc_linux          -                   sixxs                    br-lan:192.168.222.3
#acc_linux          -                   br-lan:192.168.222.3     sixxs
DONE                -                   -                        br-lan:192.168.222.3
DONE                -                   br-lan:192.168.222.3
DONE                -                   -                        br-lan:192.168.222.8
DONE                -                   br-lan:192.168.222.8
DONE                -                   -                        br-lan:192.168.222.9
DONE                -                   br-lan:192.168.222.9
COUNT               acc_linux           -                        -                        tcp    -             53
COUNT               acc_linux           -                        -                        tcp    53
COUNT               acc_linux           -                        -                        tcp    -             80
COUNT               acc_linux           -                        -                        tcp    80
COUNT               acc_linux           -                        -                        tcp    -             25
COUNT               acc_linux           -                        -                        tcp    25
COUNT               acc_linux           -                        -
acc_wii             -                   $CGCOIF                  br-lan:192.168.222.146
acc_wii             -                   br-lan:192.168.222.146   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.146
DONE                -                   br-lan:192.168.222.146
COUNT               acc_wii             $CGCOIF                  br-lan
COUNT               acc_wii             br-lan                   $CGCOIF
acc_xbox            -                   $CGCOIF                  br-lan:192.168.222.191
acc_xbox            -                   br-lan:192.168.222.191   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.191
DONE                -                   br-lan:192.168.222.191
COUNT               acc_xbox            $CGCOIF                  br-lan
COUNT               acc_xbox            br-lan                   $CGCOIF
acc_joanne_phone    -                   $CGCOIF                  br-lan:192.168.222.170
acc_joanne_phone    -                   br-lan:192.168.222.170   $CGCOIF
DONE                -                   -                        br-lan:192.168.222.170
DONE                -                   br-lan:192.168.222.170
COUNT               acc_joanne_phone    $CGCOIF                  br-lan
COUNT               acc_joanne_phone    br-lan                   $CGCOIF
acc_unknown         -                   $CGCOIF                  br-lan:0.0.0.0/0
acc_unknown         -                   br-lan:0.0.0.0/0         $CGCOIF
DONE                -                   -                        br-lan:0.0.0.0/0
DONE                -                   br-lan:0.0.0.0/0
COUNT               acc_unknown         $CGCOIF                  br-lan
COUNT               acc_unknown         br-lan                   $CGCOIF
On Jun 2, 2013, at 7:44 PM, Brian J. Murrell <brian@interlinx.bc.ca> wrote:
> On 13-06-02 10:39 AM, Tom Eastep wrote:
>>
>> Depends on what precedes the above accounting rules.
>
> Here's my whole accounting file:

I personally would much prefer to see the output of 'shorewall show'
('shorewall show -t mangle' if ACCOUNTING_TABLE=mangle).

Thanks,
-Tom
On 13-06-02 11:15 PM, Tom Eastep wrote:
>
> I personally would much prefer to see the output of 'shorewall show'
> ('shorewall show -t mangle' if ACCOUNTING_TABLE=mangle).

Damn. I was on the fence about whether to show you config or result.
I guess I guessed wrong. :-(

Chain accounting (3 references)
 pkts bytes target              prot opt in     out     source           destination
4825K 4391M                     all  --  eth1   *      0.0.0.0/0        0.0.0.0/0
4355K  934M                     all  --  *      eth1   0.0.0.0/0        0.0.0.0/0
 675K  836M RETURN              udp  --  eth1   *      0.0.0.0/0        0.0.0.0/0        udp dpt:1194
 734K  106M RETURN              udp  --  *      eth1   0.0.0.0/0        0.0.0.0/0        udp spt:1194
1918K 2644M RETURN              41   --  eth1   *      0.0.0.0/0        0.0.0.0/0
1047K  120M RETURN              41   --  *      eth1   0.0.0.0/0        0.0.0.0/0
 9764 2778K RETURN              udp  --  eth1   *      0.0.0.0/0        0.0.0.0/0        multiport dports 67,68,123
 1784  136K RETURN              udp  --  *      eth1   0.0.0.0/0        0.0.0.0/0        multiport sports 67,68,123
    0     0 RETURN              udp  --  *      eth1   0.0.0.0/0        216.14.98.22     udp dpt:3740
78281 5642K RETURN              icmp --  *      eth1   0.0.0.0/0        0.0.0.0/0
82238 5480K RETURN              icmp --  eth1   *      0.0.0.0/0        0.0.0.0/0
89946   14M RETURN              udp  --  eth1   *      0.0.0.0/0        0.0.0.0/0        udp dpts:40000:50000
 8465  777K RETURN              all  --  *      *      0.0.0.0/0        67.193.232.12
 171K   60M acc_pc              all  --  eth1   br-lan 0.0.0.0/0        192.168.222.1
 269K   26M acc_pc              all  --  br-lan eth1   192.168.222.1    0.0.0.0/0
    0     0 acc_pc              all  --  eth1   br-lan 0.0.0.0/0        192.168.222.101
    0     0 acc_pc              all  --  br-lan eth1   192.168.222.101  0.0.0.0/0
18597 4158K acc_pc              all  --  tun0   br-lan 0.0.0.0/0        192.168.222.1
24487 3604K acc_pc              all  --  br-lan tun0   192.168.222.1    0.0.0.0/0
    0     0 acc_pc              all  --  tun0   br-lan 0.0.0.0/0        192.168.222.101
    0     0 acc_pc              all  --  br-lan tun0   192.168.222.101  0.0.0.0/0
9947K 6586M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.1
7019K  305M RETURN              all  --  br-lan *      192.168.222.1    0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.101
    0     0 RETURN              all  --  br-lan *      192.168.222.101  0.0.0.0/0
    0     0 acc_pvr             all  --  eth1   br-lan 0.0.0.0/0        192.168.222.2
    1    60 acc_pvr             all  --  br-lan eth1   192.168.222.2    0.0.0.0/0
    1    40 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.2
21082 1602K RETURN              all  --  br-lan *      192.168.222.2    0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.185
    0     0 acc_brian_lt        all  --  br-lan eth1   192.168.222.185  0.0.0.0/0
   22  4428 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.185
 5312  412K RETURN              all  --  br-lan *      192.168.222.185  0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        10.10.0.0/16
    0     0 acc_brian_lt        all  --  br-lan eth1   10.10.0.0/16     0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        10.10.0.0/16
    0     0 RETURN              all  --  br-lan *      10.10.0.0/16     0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        10.0.0.0/24
    0     0 acc_brian_lt        all  --  br-lan eth1   10.0.0.0/24      0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        10.0.0.0/24
    0     0 RETURN              all  --  br-lan *      10.0.0.0/24      0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.217
    0     0 acc_brian_lt        all  --  br-lan eth1   192.168.222.217  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.217
    0     0 RETURN              all  --  br-lan *      192.168.222.217  0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.244
    0     0 acc_brian_lt        all  --  br-lan eth1   192.168.222.244  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.244
    0     0 RETURN              all  --  br-lan *      192.168.222.244  0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.151
    0     0 acc_brian_lt        all  --  br-lan eth1   192.168.222.151  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.151
    0     0 RETURN              all  --  br-lan *      192.168.222.151  0.0.0.0/0
    0     0 acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.213
    0     0 acc_brian_lt        all  --  br-lan eth1   192.168.222.213  0.0.0.0/0
   14  3384 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.213
 3156  245K RETURN              all  --  br-lan *      192.168.222.213  0.0.0.0/0
 865K  372M acc_brian_lt        all  --  eth1   br-lan 0.0.0.0/0        192.168.222.199
1271K  558M acc_brian_lt        all  --  br-lan eth1   192.168.222.199  0.0.0.0/0
 866K  372M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.199
1271K  558M RETURN              all  --  br-lan *      192.168.222.199  0.0.0.0/0
    0     0 acc_brian_lt_old    all  --  eth1   br-lan 0.0.0.0/0        192.168.222.145
    0     0 acc_brian_lt_old    all  --  br-lan eth1   192.168.222.145  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.145
    0     0 RETURN              all  --  br-lan *      192.168.222.145  0.0.0.0/0
    0     0 acc_mac             all  --  eth1   br-lan 0.0.0.0/0        192.168.222.221
    0     0 acc_mac             all  --  br-lan eth1   192.168.222.221  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.221
  387 33642 RETURN              all  --  br-lan *      192.168.222.221  0.0.0.0/0
    0     0 acc_mac             all  --  eth1   br-lan 0.0.0.0/0        192.168.222.251
    0     0 acc_mac             all  --  br-lan eth1   192.168.222.251  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.251
    0     0 RETURN              all  --  br-lan *      192.168.222.251  0.0.0.0/0
    0     0 acc_joey_lt         all  --  eth1   br-lan 0.0.0.0/0        192.168.222.208
    0     0 acc_joey_lt         all  --  br-lan eth1   192.168.222.208  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.208
    0     0 RETURN              all  --  br-lan *      192.168.222.208  0.0.0.0/0
    0     0 acc_joey            all  --  eth1   br-lan 0.0.0.0/0        192.168.222.4
    3   180 acc_joey            all  --  br-lan eth1   192.168.222.4    0.0.0.0/0
   10  2188 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.4
19310 1432K RETURN              all  --  br-lan *      192.168.222.4    0.0.0.0/0
    0     0 acc_brian_archos    all  --  eth1   br-lan 0.0.0.0/0        192.168.222.234
    0     0 acc_brian_archos    all  --  br-lan eth1   192.168.222.234  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.234
    0     0 RETURN              all  --  br-lan *      192.168.222.234  0.0.0.0/0
    0     0 acc_brian_archos    all  --  eth1   br-lan 0.0.0.0/0        192.168.222.253
    0     0 acc_brian_archos    all  --  br-lan eth1   192.168.222.253  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.253
    0     0 RETURN              all  --  br-lan *      192.168.222.253  0.0.0.0/0
    0     0 acc_brian_archos    all  --  eth1   br-lan 0.0.0.0/0        192.168.222.247
    0     0 acc_brian_archos    all  --  br-lan eth1   192.168.222.247  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.247
    0     0 RETURN              all  --  br-lan *      192.168.222.247  0.0.0.0/0
 4500 2211K acc_brian_phone     all  --  eth1   br-lan 0.0.0.0/0        192.168.222.176
 6060  868K acc_brian_phone     all  --  br-lan eth1   192.168.222.176  0.0.0.0/0
 4500 2211K RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.176
 6060  868K RETURN              all  --  br-lan *      192.168.222.176  0.0.0.0/0
30372 8480K acc_joe_phone       all  --  eth1   br-lan 0.0.0.0/0        192.168.222.190
35259 7133K acc_joe_phone       all  --  br-lan eth1   192.168.222.190  0.0.0.0/0
30372 8480K RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.190
35259 7133K RETURN              all  --  br-lan *      192.168.222.190  0.0.0.0/0
53470   57M acc_joe_tablet      all  --  eth1   br-lan 0.0.0.0/0        192.168.222.186
52412 7368K acc_joe_tablet      all  --  br-lan eth1   192.168.222.186  0.0.0.0/0
53470   57M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.186
52412 7368K RETURN              all  --  br-lan *      192.168.222.186  0.0.0.0/0
    0     0 acc_galaxy_tablet   all  --  eth1   br-lan 0.0.0.0/0        192.168.222.181
    0     0 acc_galaxy_tablet   all  --  br-lan eth1   192.168.222.181  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.181
    0     0 RETURN              all  --  br-lan *      192.168.222.181  0.0.0.0/0
  738  325K acc_lenovo_tablet   all  --  eth1   br-lan 0.0.0.0/0        192.168.222.177
 1211  153K acc_lenovo_tablet   all  --  br-lan eth1   192.168.222.177  0.0.0.0/0
  738  325K RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.177
 1211  153K RETURN              all  --  br-lan *      192.168.222.177  0.0.0.0/0
    0     0 acc_steve_phone     all  --  eth1   br-lan 0.0.0.0/0        192.168.222.188
    0     0 acc_steve_phone     all  --  br-lan eth1   192.168.222.188  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.188
    0     0 RETURN              all  --  br-lan *      192.168.222.188  0.0.0.0/0
    0     0 acc_steve_phone     all  --  eth1   br-lan 0.0.0.0/0        192.168.222.219
    0     0 acc_steve_phone     all  --  br-lan eth1   192.168.222.219  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.219
    0     0 RETURN              all  --  br-lan *      192.168.222.219  0.0.0.0/0
    0     0 acc_joe_archos      all  --  eth1   br-lan 0.0.0.0/0        192.168.222.135
    0     0 acc_joe_archos      all  --  br-lan eth1   192.168.222.135  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.135
    0     0 RETURN              all  --  br-lan *      192.168.222.135  0.0.0.0/0
  141  7743 acc_wireless_router all  --  eth1   br-lan 0.0.0.0/0        192.168.222.228
   53  2120 acc_wireless_router all  --  br-lan eth1   192.168.222.228  0.0.0.0/0
  141  7743 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.228
   53  2120 RETURN              all  --  br-lan *      192.168.222.228  0.0.0.0/0
 334K  311M acc_linux           all  --  eth1   br-lan 0.0.0.0/0        192.168.222.3
 277K   30M acc_linux           all  --  br-lan eth1   192.168.222.3    0.0.0.0/0
83260   19M acc_linux           all  --  eth1   br-lan 0.0.0.0/0        192.168.222.8
83463   19M acc_linux           all  --  br-lan eth1   192.168.222.8    0.0.0.0/0
    0     0 acc_linux           all  --  eth1   br-lan 0.0.0.0/0        192.168.222.9
    6   255 acc_linux           all  --  br-lan eth1   192.168.222.9    0.0.0.0/0
 619K  785M acc_linux           all  --  tun0   br-lan 0.0.0.0/0        192.168.222.3
 690K   50M acc_linux           all  --  br-lan tun0   192.168.222.3    0.0.0.0/0
15778 3047K acc_linux           all  --  tun0   br-lan 0.0.0.0/0        192.168.222.8
 6067 3604K acc_linux           all  --  br-lan tun0   192.168.222.8    0.0.0.0/0
    0     0 acc_linux           all  --  tun0   br-lan 0.0.0.0/0        192.168.222.9
    0     0 acc_linux           all  --  br-lan tun0   192.168.222.9    0.0.0.0/0
 984K 1101M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.3
 997K   86M RETURN              all  --  br-lan *      192.168.222.3    0.0.0.0/0
99281   22M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.8
89993   23M RETURN              all  --  br-lan *      192.168.222.8    0.0.0.0/0
12230 2769K RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.9
12887 1316K RETURN              all  --  br-lan *      192.168.222.9    0.0.0.0/0
    0     0 acc_wii             all  --  eth1   br-lan 0.0.0.0/0        192.168.222.146
    0     0 acc_wii             all  --  br-lan eth1   192.168.222.146  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.146
    0     0 RETURN              all  --  br-lan *      192.168.222.146  0.0.0.0/0
 502K   60M acc_xbox            all  --  eth1   br-lan 0.0.0.0/0        192.168.222.191
 499K   54M acc_xbox            all  --  br-lan eth1   192.168.222.191  0.0.0.0/0
 502K   60M RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.191
 499K   54M RETURN              all  --  br-lan *      192.168.222.191  0.0.0.0/0
    0     0 acc_joanne_phone    all  --  eth1   br-lan 0.0.0.0/0        192.168.222.170
    0     0 acc_joanne_phone    all  --  br-lan eth1   192.168.222.170  0.0.0.0/0
    0     0 RETURN              all  --  *      br-lan 0.0.0.0/0        192.168.222.170
    0     0 RETURN              all  --  br-lan *      192.168.222.170  0.0.0.0/0
    0     0 acc_unknown         all  --  eth1   br-lan 0.0.0.0/0        0.0.0.0/0
    0     0 acc_unknown         all  --  br-lan eth1   0.0.0.0/0        0.0.0.0/0
19320 1522K RETURN              all  --  *      br-lan 0.0.0.0/0        0.0.0.0/0
 1228 57931 RETURN              all  --  br-lan *      0.0.0.0/0        0.0.0.0/0
    0     0 LOG                 all  --  eth1   *      0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'
    0     0 LOG                 all  --  *      eth1   0.0.0.0/0        0.0.0.0/0        LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'

Cheers,
b.
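An added example, not code from the thread or from Shorewall: a small parser for chain dumps of the kind posted above, with the two checks this thread turns on. It lists the rules that have never matched, and for every RETURN (the iptables form of a Shorewall DONE) it reports how many packets reached that RETURN without having been counted by any preceding jump rule for the same source/destination pair. Under iptables semantics a packet that enters a user chain such as acc_pc comes back and continues down the accounting chain, so a RETURN that shows more packets than the jumps before it can only have seen traffic on an interface those jumps do not name. The embedded sample is a ten-row excerpt copied from the dump above; the function and field names are mine.

```python
"""Audit an iptables/Shorewall accounting chain dump (`shorewall show`,
i.e. `iptables -nv -L accounting`).  Added example, not Shorewall code.
Checks: (1) rules that have never matched; (2) for each RETURN (DONE)
rule, packets it returned that no preceding jump rule for the same
source/destination counted, i.e. traffic on an interface the jumps
do not name."""
from __future__ import annotations

import re
from dataclasses import dataclass

# iptables prints counters with K/M/G suffixes (powers of 1000, rounded).
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_OPT = re.compile(r"^(--|-f|!f)$")  # legal values of the "opt" column

# Constructed sample input: ten rows copied from the chain dump above.
SAMPLE_DUMP = """\
Chain accounting (3 references)
 pkts bytes target      prot opt in     out     source      destination
4825K 4391M             all  --  eth1   *       0.0.0.0/0   0.0.0.0/0
 675K  836M RETURN      udp  --  eth1   *       0.0.0.0/0   0.0.0.0/0   udp dpt:1194
 171K   60M acc_pc      all  --  eth1   br-lan  0.0.0.0/0   192.168.222.1
18597 4158K acc_pc      all  --  tun0   br-lan  0.0.0.0/0   192.168.222.1
9947K 6586M RETURN      all  --  *      br-lan  0.0.0.0/0   192.168.222.1
    0     0 acc_wii     all  --  eth1   br-lan  0.0.0.0/0   192.168.222.146
    0     0 RETURN      all  --  *      br-lan  0.0.0.0/0   192.168.222.146
    0     0 acc_unknown all  --  eth1   br-lan  0.0.0.0/0   0.0.0.0/0
19320 1522K RETURN      all  --  *      br-lan  0.0.0.0/0   0.0.0.0/0
    0     0 LOG         all  --  eth1   *       0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 4 prefix `Shorewall:acct:DROP:'
"""


@dataclass
class Rule:
    pkts: int
    target: str   # "" for a plain COUNT rule, which has no target
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str    # trailing match text such as "udp dpt:1194"


def parse_counter(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(text: str) -> list[Rule]:
    """Parse the rows of one chain; header and blank lines are skipped."""
    rules: list[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0][0].isdigit():
            continue
        # Without a target the "opt" column is token 3; a target (RETURN,
        # LOG or a user chain) shifts it to token 4.
        if _OPT.match(tok[3]):
            target, rest = "", tok[2:]
        elif _OPT.match(tok[4]):
            target, rest = tok[2], tok[3:]
        else:
            raise ValueError(f"unrecognised row: {line!r}")
        proto, _opt, in_if, out_if, src, dst = rest[:6]
        rules.append(Rule(parse_counter(tok[0]), target, proto, in_if,
                          out_if, src, dst, " ".join(rest[6:])))
    return rules


def never_matched(rules: list[Rule]) -> list[Rule]:
    return [r for r in rules if r.pkts == 0]


def _covers(ret: Rule, jump: Rule) -> bool:
    """True if every packet that matched `jump` also matches `ret`'s
    interface, address and protocol tests, so `ret` counted it too."""
    def wide(r: str, j: str) -> bool:
        return r in ("*", j)
    return (wide(ret.in_if, jump.in_if) and wide(ret.out_if, jump.out_if)
            and ret.src == jump.src and ret.dst == jump.dst
            and ret.proto in ("all", jump.proto) and not ret.extra)


def returned_uncounted(rules: list[Rule]) -> list[tuple[Rule, int]]:
    """Per RETURN rule: packets returned minus packets the preceding jump
    rules it covers counted.  Positive: traffic was DONE without any
    sub-chain seeing it.  Negative: an earlier RETURN already took some."""
    out = []
    for i, r in enumerate(rules):
        if r.target != "RETURN":
            continue
        seen = sum(j.pkts for j in rules[:i]
                   if j.target not in ("", "RETURN", "LOG") and _covers(r, j))
        out.append((r, r.pkts - seen))
    return out


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_DUMP)
    for r in never_matched(rules):
        print(f"never matched: {r.target or 'COUNT':<12} in={r.in_if} out={r.out_if} {r.src} -> {r.dst}")
    for r, n in returned_uncounted(rules):
        print(f"RETURN in={r.in_if:<6} out={r.out_if:<6} dst={r.dst:<16} {n:>10,d} packets no jump counted")
```

On the excerpt it reports 9,757,403 packets returned for 192.168.222.1 and 19,320 for the catch-all that no acc_pc or acc_unknown jump counted: those packets matched the RETURN's `*` in-interface but not the jumps' eth1/tun0, so they entered on some other interface or were generated locally (the chain has three references). The bail-out RETURN for udp/1194 shows its full count, as intended for a DONE that is meant to skip accounting. That difference is the number to look at before concluding that a catch-all rule is broken.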
On 06/02/2013 08:28 PM, Brian J. Murrell wrote:
> On 13-06-02 11:15 PM, Tom Eastep wrote:
>>
>> I personally would much prefer to see the output of 'shorewall show'
>> ('shorewall show -t mangle' if ACCOUNTING_TABLE=mangle).
>
> Damn. I was on the fence about whether to show you config or result.
> I guess I guessed wrong. :-(

Brian,

Can you give us an idea of what traffic you think should fall into the
catchall but isn't? With all of the host IP addresses present in the
rules, it is impossible for us to tell what additional hosts are present
in your network that might be communicating with the outside world.

Thanks,
-Tom
On 13-06-03 06:25 PM, Tom Eastep wrote:
>
> Brian,

Hi Tom,

> Can you give us an idea of what traffic you think should fall into the
> catchall but isn't?

Now that I think about it this way, perhaps there is none. That made me
think about my accounting problem differently and I think I have found
the missing data, and it's got nothing to do with this "unknown"
catch-all.

Thanks for asking that in such a way as to make me look at my problem
from a different perspective.

Cheers,
b.
Hello,

I am facing a strange problem these days. I live in a country where
internet is still very slow. We use shorewall (the magnificent) to load
balance traffic between 3 ADSL modems bridged to our gateway. The
problem is that every now and then, randomly, one of the ADSL lines drops
and then reconnects with a new IP.

I've put a script in "/etc/ppp/ip-up.d/" doing a "/sbin/shorewall status
> /dev/null && /sbin/shorewall restart -f" for the firewall to get the
new IPs properly.

I know it's not the best practice but out of 100 times, 99 times it
works without a glitch.

For the one time, I lose my firewall completely, I get the 6-line basic
firewall, I lose all access to the server and I need to log in
physically and do a shorewall restart. It happens once every 3-4 days
and fortunately I was at the workplace when that happened.

My question is: is there a way for shorewall to cater for this? I think
the problem may be that sometimes one of the ADSL lines takes more time
than needed to get a new IP, and shorewall doesn't really know what to do.

Thanks for your precious help.

Ashvin
On 06/07/2013 01:12 AM, Meetoo Ashvin wrote:
> Hello,
>
> I am facing a strange problem these days. I live in a country where
> internet is still very slow. We use shorewall (the magnificent) to load
> balance traffic between 3 ADSL modems bridged to our gateway. The
> problem is that every now and then, randomly, one of the ADSL lines drops
> and then reconnects with a new IP.
>
> I've put a script in "/etc/ppp/ip-up.d/" doing a "/sbin/shorewall status
> > /dev/null && /sbin/shorewall restart -f" for the firewall to get the
> new IPs properly.
>
> I know it's not the best practice but out of 100 times, 99 times it
> works without a glitch.
>
> For the one time, I lose my firewall completely, I get the 6-line basic
> firewall, I lose all access to the server and I need to log in
> physically and do a shorewall restart. It happens once every 3-4 days
> and fortunately I was at the workplace when that happened.
>
> My question is: is there a way for shorewall to cater for this? I think
> the problem may be that sometimes one of the ADSL lines takes more time
> than needed to get a new IP, and shorewall doesn't really know what to do.

Have you looked at the output generated when Shorewall fails to restart?
That should tell you exactly what is going wrong.

If, as you suspect, the device is slow to come up, then you can add the
"wait=<seconds>" option in /etc/shorewall/interfaces. I also suggest
that you add 'optional' so that if the device fails to come up properly,
the firewall will still start without it.

HTH,

-Tom
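Tom's two suggestions written out as an /etc/shorewall/interfaces fragment. This is an added illustration, not a file from the thread or from the Shorewall project: the thread names only ppp0 and provider ADSL0, so the three interface names, the zone names and the 30-second wait are assumptions.

```text
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
# Before: a bare entry.  When "shorewall restart -f" is run from
# ip-up.d while ppp0 has no usable address yet, provider setup fails
# ("Interface ppp0 is not usable -- Provider ADSL0 (1) Cannot be Added")
# and the restart aborts, leaving the firewall in its error state.
#net    ppp0        -
#
# After: 'wait=30' (assumed value) makes the generated script wait up to
# 30 seconds for the interface to become usable; 'optional' lets the
# firewall start without the interface if it still is not usable, so
# one dropped ADSL line cannot take the whole firewall down.
net     ppp0        -           optional,wait=30
net     ppp1        -           optional,wait=30
net     ppp2        -           optional,wait=30
loc     eth0        -
```

With every provider interface marked optional, a restart triggered by one line coming back up no longer depends on the other two being usable at that instant; the LAN entry is shown only so the fragment is complete.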
Hello Tom,

Thanks for your response. Happened again today, I'm getting these errors:

In shorewall-init.log
Jun 10 11:54:09 ERROR: Interface ppp0 is not usable -- Provider ADSL0 (1) Cannot be Added

In syslog:
Jun 10 11:54:23 srv pppd[4708]: Couldn't allocate PPP unit 2 as it is already in use
Jun 10 11:54:23 srv pppd[4708]: Using interface ppp0

I will try your solution; maybe it'll help to add a few seconds of sleep
to the ppp script.

Regards,

Ashvin
Linkeo.com
Email : ashvin.meetoo@linkeo.com

On 07/06/2013 18:12, Tom Eastep wrote:
> On 06/07/2013 01:12 AM, Meetoo Ashvin wrote:
>> Hello,
>>
>> I am facing a strange problem these days. I live in a country where
>> internet is still very slow. We use shorewall (the magnificent) to load
>> balance traffic between 3 ADSL modems bridged to our gateway. The
>> problem is that every now and then, randomly, one of the ADSL lines drops
>> and then reconnects with a new IP.
>>
>> I've put a script in "/etc/ppp/ip-up.d/" doing a "/sbin/shorewall status
>> > /dev/null && /sbin/shorewall restart -f" for the firewall to get the
>> new IPs properly.
>>
>> I know it's not the best practice but out of 100 times, 99 times it
>> works without a glitch.
>>
>> For the one time, I lose my firewall completely, I get the 6-line basic
>> firewall, I lose all access to the server and I need to log in
>> physically and do a shorewall restart. It happens once every 3-4 days
>> and fortunately I was at the workplace when that happened.
>>
>> My question is: is there a way for shorewall to cater for this? I think
>> the problem may be that sometimes one of the ADSL lines takes more time
>> than needed to get a new IP, and shorewall doesn't really know what to do.
> Have you looked at the output generated when Shorewall fails to restart?
> That should tell you exactly what is going wrong.
>
> If, as you suspect, the device is slow to come up, then you can add the
> "wait=<seconds>" option in /etc/shorewall/interfaces. I also suggest
> that you add 'optional' so that if the device fails to come up properly,
> the firewall will still start without it.
>
> HTH,
>
> -Tom
Hello,

For your kind information, the problem was actually solved by adding the ADSLs' interfaces as optional. No problems whatsoever since the change.

Thanks a lot Tom! :)

Regards,

Ashvin
Linkeo.com
Email : ashvin.meetoo@linkeo.com

On 10/06/2013 16:44, Meetoo Ashvin wrote:
> Hello Tom,
>
> Thanks for your response. Happened again today, I'm getting these errors:
>
> In shorewall-init.log
> Jun 10 11:54:09 ERROR: Interface ppp0 is not usable -- Provider
> ADSL0 (1) Cannot be Added
>
> In syslog:
> Jun 10 11:54:23 srv pppd[4708]: Couldn't allocate PPP unit 2 as it is
> already in use
> Jun 10 11:54:23 srv pppd[4708]: Using interface ppp0
>
> I will try your solution; maybe it'll help to add a few seconds of sleep
> to the ppp script.
> Regards,
>
> Ashvin
> Linkeo.com
> Email :ashvin.meetoo@linkeo.com
> On 07/06/2013 18:12, Tom Eastep wrote:
>> On 06/07/2013 01:12 AM, Meetoo Ashvin wrote:
>>> Hello,
>>>
>>> I am facing a strange problem these days. I live in a country where
>>> internet is still very slow. We use shorewall (the magnificent) to load
>>> balance traffic between 3 ADSL modems bridged to our gateway. The
>>> problem is that every now and then, randomly, one of the ADSL drops and
>>> then reconnects with a new IP.
>>>
>>> I've put a script in "/etc/ppp/ip-up.d/" doing a "/sbin/shorewall status
>>> > /dev/null && /sbin/shorewall restart -f" for the firewall to get the
>>> new IPs properly.
>>>
>>> I know it's not the best practice but out of 100 times, 99 times it
>>> works without a glitch.
>>>
>>> For the one time, I lose my firewall completely, I get the 6 lines
>>> basic firewall, I lose all access to the server and I need to log in
>>> physically and do a shorewall restart. It happens once every 3-4 days
>>> and luckily I was at the workplace when that happened.
>>>
>>> My question is: is there a way for shorewall to cater for this? I think
>>> the problem may be that sometimes one of the ADSL takes more time than
>>> needed to get a new IP, and shorewall doesn't really know what to do.
>> Have you looked at the output generated when Shorewall fails to restart?
>> That should tell you exactly what is going wrong.
>>
>> If, as you suspect, the device is slow to come up, then you can add the
>> "wait=<seconds>" option in /etc/shorewall/interfaces. I also suggest
>> that you add 'optional' so that if the device fails to come up properly,
>> the firewall will still start without it.
>>
>> HTH,
>>
>> -Tom
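The change Tom recommends and Ashvin confirms, shown as an added illustration that is not taken from the thread: an /etc/shorewall/interfaces excerpt marking each PPP link as "optional" with a bounded "wait". The zone names (net, loc), the interface names ppp0 to ppp2 and br-lan, and the 10-second wait are assumed values for the example, not the poster's real configuration.

```text
# /etc/shorewall/interfaces (classic four-column format; added example, assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           optional,wait=10
net     ppp1        -           optional,wait=10
net     ppp2        -           optional,wait=10
loc     br-lan      -           -
```

With "optional", a (re)start no longer fails with "Interface ppp0 is not usable" when one ADSL link is still renegotiating; Shorewall skips the rules for that interface and brings the rest of the ruleset up, instead of dropping the box into the stopped-state firewall that cost Ashvin remote access. "wait=10" makes the generated script wait up to 10 seconds for the interface to become usable before treating it as absent, which covers the slow-to-come-up case without a blind sleep in the ip-up.d script. The interface is picked up again at the next "shorewall restart", which the existing ip-up.d hook already triggers.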