Hi,

to debug something, I want to log everything from/to a specific IPv4 that shorewall (iptables) sees.

From what I read I think "shorewall iptrace -d 1.2.3.4" and "shorewall iptrace -s 1.2.3.4" should do the job. I verified the raw tables:

# iptables -L -v -t raw -n
Chain PREROUTING (policy ACCEPT 286 packets, 21942 bytes)
 pkts bytes target  prot opt in  out  source      destination
    5   374 TRACE   all  --  *   *    1.2.3.4     0.0.0.0/0
    0     0 TRACE   all  --  *   *    0.0.0.0/0   1.2.3.4

Chain OUTPUT (policy ACCEPT 265 packets, 61940 bytes)
 pkts bytes target  prot opt in  out  source      destination
    0     0 TRACE   all  --  *   *    1.2.3.4     0.0.0.0/0
    8 14764 TRACE   all  --  *   *    0.0.0.0/0   1.2.3.4

But /var/log/syslog, /var/log/messages and /var/log/kern.log are empty. Other messages from shorewall (for example, I log connections from blacklist sources) I see in /var/log/kern.log, so I think logging itself should be working.

Am I doing something wrong?

I am using shorewall 4.5.17.1.

--
Regards,
Igor

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
Hi,

does really nobody know how to use the iptrace feature, or whether it is broken?

--
Regards,
Igor
On 06/19/2013 07:57 AM, Igor Sverkos wrote:
> Hi,
>
> does really nobody know how to use the iptrace feature, or whether it is broken?
>

Are you running ulogd? If so, the trace records may be in its syslogemu log.

root@gateway:/etc/default# shorewall iptrace -d 1.2.3.4
root@gateway:/etc/default# ping 1.2.3.4
PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
^C
--- 1.2.3.4 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
root@gateway:/etc/default# tail /var/log/ulogd/ulogd_syslogemu.log
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:accountout:rule:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:accountout:return:6 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:rule:2 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:OUTPUT:rule:3 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:eth1_out:rule:2 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:fw-net:rule:18 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:POSTROUTING:policy:4 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: rawpost:POSTROUTING:policy:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
root@gateway:/etc/default#

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
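An added example, not part of the thread: a small parser that turns TRACE records like the ones Tom posted into a per-packet chain path, so the rule that decided the packet's fate can be read off directly. The sample log is constructed from the records above (with the last one rewritten, as an assumption, in the kernel/rsyslog layout Igor expects in /var/log/kern.log, and one of his REJECT lines added to show non-trace records being skipped).

```python
import re
from collections import defaultdict

# Constructed sample: the syslogemu TRACE records quoted in the thread, the last one
# rewritten in kernel/rsyslog form (assumed layout), plus one non-TRACE REJECT line.
SAMPLE_LOG = """\
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:accountout:rule:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:accountout:return:6 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:rule:2 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:OUTPUT:rule:3 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:eth1_out:rule:2 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: filter:fw-net:rule:18 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway TRACE: mangle:POSTROUTING:policy:4 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 19 08:58:35 gateway kernel: [463800.123456] TRACE: rawpost:POSTROUTING:policy:1 IN= OUT=eth1 MAC= SRC=70.90.191.121 DST=1.2.3.4 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=9028 SEQ=4 UID=0 GID=0 MARK=0
Jun 20 02:01:17 vm-x64 kernel: [463833.499336] Shorewall:net2fw:REJECT:IN=eth1 OUT= MAC=00:0a:e4:89:9a:e6:00:11:XX:XX:XX:XX:XX:XX SRC=1.2.3.4 DST=9.8.7.6 LEN=40 TOS=0x00 PREC=0x00 TTL=38 ID=61638 PROTO=ICMP TYPE=13 CODE=0
"""

# Works for both layouts because it searches for the "TRACE: table:chain:kind:num" token.
TRACE_RE = re.compile(r"TRACE: (\w+):([\w-]+):(rule|return|policy):(\d+) (.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def flow_key(f):
    """Identify one packet by addresses, protocol, IP ID and the L4 identifiers present."""
    l4 = f.get("SEQ") or (f.get("SPT", ""), f.get("DPT", ""))
    return (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"), l4)

def trace_paths(log_text, host=None):
    """Group TRACE records per packet, in log order, as table:chain:kind:num hops.
    host restricts output to packets with that SRC or DST (what iptrace -s/-d selects)."""
    paths = defaultdict(list)
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # REJECT and other non-trace log lines are ignored
        table, chain, kind, num, rest = m.groups()
        # reversed(): the first ID= (IP header) wins over the later ICMP echo ID=
        f = dict(reversed(KV_RE.findall(rest)))
        if host and host not in (f.get("SRC"), f.get("DST")):
            continue
        paths[flow_key(f)].append(f"{table}:{chain}:{kind}:{num}")
    return dict(paths)

def filter_verdict_hop(path):
    """Last filter-table hop: the rule or policy that decided the packet's fate,
    i.e. the chain and rule number to look up with 'shorewall show <chain>'."""
    hops = [h for h in path if h.startswith("filter:")]
    return hops[-1] if hops else None
```

Note that a rule hop is only the matching rule; a packet leaving a chain via return, as in mangle:accountout:return:6 above, resumes in the calling chain at the next rule.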
Hi,

Tom Eastep wrote:
> Are you running ulogd? If so, the trace records may be in its syslogemu log.

Thank you for your response.

No, I don't run ulogd.

I am using (r)syslog. As said before, this seems to work fine, because blacklist hits for example will appear in syslog, or when I set a policy to log, I'll see these packets in my syslog as expected.

--
Regards,
Igor
On 06/19/2013 11:43 AM, Igor Sverkos wrote:
> Hi,
>
> Tom Eastep wrote:
>> Are you running ulogd? If so, the trace records may be in its syslogemu log.
>
> Thank you for your response.
>
> No, I don't run ulogd.
>
> I am using (r)syslog. As said before, this seems to work fine, because
> blacklist hits for example will appear in syslog, or when I set a
> policy to log, I'll see these packets in my syslog as expected.

Just tried this on a Ubuntu system that doesn't use ulogd; output was written to /var/log/kern.log.

-Tom
Hi,

Tom Eastep wrote:
> Just tried this on a Ubuntu system that doesn't use ulogd; output was
> written to /var/log/kern.log.

I tried it again, it doesn't work on my system:

vm-x64 ~ # mv /var/log/kern.log /var/log/kern.log.bak
vm-x64 ~ # /etc/init.d/rsyslog restart
 * Stopping ...
 * Stopping rsyslogd ...                                          [ ok ]
 * Starting rsyslogd ...                                          [ ok ]
vm-x64 ~ # cat /var/log/kern.log
cat: /var/log/kern.log: No such file or directory
vm-x64 ~ # shorewall iptrace -d 8.8.8.8
vm-x64 ~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=8.34 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=8.25 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=50 time=8.28 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.255/8.292/8.340/0.082 ms
vm-x64 ~ # cat /var/log/kern.log
cat: /var/log/kern.log: No such file or directory

Now I started a portscan from another system against the firewall. Because of the last policy (all all reject info) this should be logged:

vm-x64 ~ # cat /var/log/kern.log
Jun 20 02:01:17 vm-x64 kernel: [463833.499336] Shorewall:net2fw:REJECT:IN=eth1 OUT= MAC=00:0a:e4:89:9a:e6:00:11:XX:XX:XX:XX:XX:XX SRC=1.2.3.4 DST=9.8.7.6 LEN=40 TOS=0x00 PREC=0x00 TTL=38 ID=61638 PROTO=ICMP TYPE=13 CODE=0
Jun 20 02:01:18 vm-x64 kernel: [463833.895735] Shorewall:net2fw:REJECT:IN=eth1 OUT= MAC=00:0a:e4:89:9a:e6:00:11:XX:XX:XX:XX:XX:XX SRC=1.2.3.4 DST=9.8.7.6 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=61615 PROTO=UDP SPT=50897 DPT=18996 LEN=8
[...]

Again, as you can see, logging itself is working fine. But just the TRACE doesn't work.

Any idea what could be the problem? Where to look?

I am using iptables v1.4.19.1 and kernel 3.9.6.

My shorewall.conf: http://pastebin.com/raw.php?i=fe8P9JtA

Thanks.

--
Regards,
Igor
Hi,

I solved the problem: I rebooted the firewall system :>

Seems like something was stuck.

Anyway, thank you for your time.

--
Regards,
Igor