Dear Sirs,

I looked through the archives and I didn't find the subject discussed before.

I have some Shorewall installations running for years. I usually revise them frequently, but I have two of them with hundreds of rules to check. It's hugely time consuming.

Considering "shorewall show" gives me the iptables counters, I can, after one or two weeks (for example) running my rules (without resetting those counters), see which rule has traffic passing or not.

Looking through counters and "converting" iptables back to Shorewall is quite easy when you have a couple dozen rules.

For those two where I have hundreds of rules I ran a Python script which generated "COMMENT"s for each rule in /etc/shorewall/rules.

INPUT:
ACCEPT fw net udp ntp

OUTPUT:
?COMMENT @@@ ACCEPT fw net udp ntp @@@
ACCEPT fw net udp ntp
?COMMENT

But it's not operational because I need to replace /etc/shorewall/rules with the commented one and it's difficult to manage on a day by day basis. And for long rules, it exceeds the maximum length of comments. And it's only for rules. Other iptables rules (masquerades, dnat, snat, etc.) created inside Shorewall do not receive those comments.

Three points:

1 - Does Shorewall have something built in to help with this?

2 - Does anyone have a better recipe to deal with the cleanup of UNUSED RULES?

3 - Carter, is there a possibility to implement an option inside Shorewall to restart the rules with this "debug/comment" applied, so my rules files stay in the same format as today? If ?comment was used in this case, ?comment could just point to the line number inside "rules", "policy", etc.

Thanks everyone

-Guilsson

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
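As an added illustration (not code from the thread, and not Shorewall's own), a Python sketch of the two halves of the approach described in the post: wrapping every rules line in a ?COMMENT that carries only a file:line tag (the idea in point 3, which keeps the iptables comment short no matter how long the rule is), and reading zero-counter rules back out of "shorewall show" output. The rules fragment and the show output below are constructed samples.

```python
import re

# Constructed sample of /etc/shorewall/rules (the fragment from the post plus one rule)
RULES_FILE = """\
#ACTION  SOURCE  DEST  PROTO  DEST_PORT
SECTION NEW
ACCEPT   fw      net   udp    ntp
ACCEPT   net     fw    tcp    22
"""

# Constructed sample of one chain as 'shorewall show' prints it (iptables -nvL layout)
SHOW_OUTPUT = """\
Chain net-fw (1 references)
 pkts bytes target  prot opt in  out  source     destination
  120  9600 ACCEPT  udp  --  *   *    0.0.0.0/0  0.0.0.0/0  udp dpt:123 /* rules:3 */
    0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  tcp dpt:22 /* rules:4 */
"""

COMMENT_RE = re.compile(r"/\* (.*?) \*/")

def annotate_rules(text, name="rules"):
    """Wrap each rule line in '?COMMENT <file>:<line>' ... '?COMMENT'. The iptables
    comment then holds only a short file:line tag, so it stays under the comment
    length limit. Blank lines, '#' comments, SECTION lines and ?directives pass through."""
    out = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.strip()
        if body and not body.startswith(("#", "?", "SECTION")):
            out.extend([f"?COMMENT {name}:{lineno}", line, "?COMMENT"])
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def unused_rules(show_output):
    """Return [(chain, comment)] for every rule whose packet counter is 0, i.e. nothing
    matched it since the counters were last reset. Only exact numeric counters are
    parsed; an abbreviated value such as '12K' is skipped, which is safe as it is never zero."""
    unused, chain = [], None
    for line in show_output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # blank line or the 'pkts bytes target ...' header
        if int(fields[0]) == 0:
            m = COMMENT_RE.search(line)
            unused.append((chain, m.group(1) if m else None))
    return unused
```

The zero-counter list is only meaningful over a window long enough to cover rare but legitimate traffic (monthly jobs, failover paths), so compare it against several observation periods before deleting anything.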
On 07/22/2013 05:59 AM, Guilsson G wrote:
> Dear Sirs
>
> I looked through the archives and I didn't find the subject discussed before.
>
> I have some Shorewall installations running for years.
> I usually revise them frequently, but I have two of them with hundreds
> of rules to check.
> It's hugely time consuming.
>
> Considering "shorewall show" gives me the iptables counters, I can,
> after one or two weeks (for example) running my rules (without resetting
> those counters), see which rule has traffic passing or not.
>
> Looking through counters and "converting" iptables back to Shorewall is
> quite easy when you have a couple dozen rules.
>
> For those two where I have hundreds of rules I ran a Python script which
> generated "COMMENT"s for each rule in /etc/shorewall/rules.
>
> INPUT:
> ACCEPT fw net udp ntp
>
> OUTPUT:
> ?COMMENT @@@ ACCEPT fw net udp ntp @@@
> ACCEPT fw net udp ntp
> ?COMMENT
>
> But it's not operational because I need to replace /etc/shorewall/rules
> with the commented one and it's difficult to manage on a day by day
> basis. And for long rules, it exceeds the maximum length of comments.
> And it's only for rules. Other iptables rules (masquerades, dnat, snat, etc.)
> created inside Shorewall do not receive those comments.
>
> Three points:
>
> 1 - Does Shorewall have something built in to help with this?

Not specifically. You can 'shorewall trace compile | less' which shows
the rule(s) generated by each input line, but:

- The optimizer can change/combine/delete rules.
- Rules generated by Policies are emitted well after the policy file is
  processed.

> 2 - Does anyone have a better recipe to deal with the cleanup of UNUSED
> RULES?

Nothing comes to mind.

> 3 - Carter, is there a possibility to implement an option inside
> Shorewall to restart the rules with this "debug/comment" applied, so my
> rules files stay in the same format as today? If ?comment was used in
> this case, ?comment could just point to the line number inside "rules",
> "policy", etc.

Carter?

I can take a look at implementing something in 4.5.20.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep
2013-Jul-23 15:07 UTC
Re: [Shorewall-users] Diagnosing Shorewall unused rules and cleanup them
On 07/22/2013 07:49 AM, Tom Eastep wrote:
>> 3 - Carter, is there a possibility to implement an option inside
>> Shorewall to restart the rules with this "debug/comment" applied, so my
>> rules files stay in the same format as today? If ?comment was used in
>> this case, ?comment could just point to the line number inside "rules",
>> "policy", etc.
> Carter?
>
> I can take a look at implementing something in 4.5.20.

This will be in 4.5.20 Beta 1. Sample output attached.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
"Carter becomes Tom" or "Tom becomes Carter" LOL. My mistake, really really sorry TOM.

> I can take a look at implementing something in 4.5.20.

WOW. Great news. Thanks.
Guilsson G
2013-Jul-23 16:18 UTC
Re: [Shorewall-users] Diagnosing Shorewall unused rules and cleanup them
Awesome! I'm ready to test ...

-Guilsson
On 07/24/2013 01:07 AM, Tom Eastep wrote:
> On 07/22/2013 07:49 AM, Tom Eastep wrote:
>>> 3 - Carter, is there a possibility to implement an option inside
>>> Shorewall to restart the rules with this "debug/comment" applied, so my
>>> rules files stay in the same format as today? If ?comment was used in
>>> this case, ?comment could just point to the line number inside "rules",
>>> "policy", etc.
>> Carter?
>>
>> I can take a look at implementing something in 4.5.20.
>
> This will be in 4.5.20 Beta 1. Sample output attached.

I trust it will be an optional feature? :-)
Tom Eastep
2013-Jul-23 23:17 UTC
Re: [Shorewall-users] Diagnosing Shorewall unused rules and cleanup them
On Jul 23, 2013, at 2:55 PM, Paul Gear <paul@gear.dyndns.org> wrote:
> On 07/24/2013 01:07 AM, Tom Eastep wrote:
>> On 07/22/2013 07:49 AM, Tom Eastep wrote:
>>>> 3 - Carter, is there a possibility to implement an option inside
>>>> Shorewall to restart the rules with this "debug/comment" applied, so my
>>>> rules files stay in the same format as today? If ?comment was used in
>>>> this case, ?comment could just point to the line number inside "rules",
>>>> "policy", etc.
>>> Carter?
>>>
>>> I can take a look at implementing something in 4.5.20.
>>
>> This will be in 4.5.20 Beta 1. Sample output attached.
>
> I trust it will be an optional feature? :-)

Of course,

-Tom

Tom Eastep            \ Nothing is foolproof to a
Shoreline,             \ sufficiently talented fool
Washington, USA         \
http://shorewall.net     \________________________________________________