lire and shorewall

Juergen Fiedler juergen at fiedlerfamily.net
Mon Oct 31 15:52:36 CET 2005


Hello,

I am running a stable Debian with a few packages from testing. I am
trying to set up a shorewall firewall and get some decent reporting
from it.

My /etc/shorewall/rules contains (among others) these lines:

>AllowWeb:info     net       fw
>
># everything that falls off the edge is logged:
>LOG:ULOG          net       all
>DROP:warn         net       all


If I first hit my server on a locked port, then on an open one, the
resulting lines in kern.log look thus:


>Oct 28 16:04:28 test kernel: Shorewall:net2fw:DROP:IN=eth0 OUT=
> MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=xxx.x.xxx.xxx
> DST=yyy.yy.yy.yyy LEN=60 TOS=0x10 PREC=0x00 TTL=59 ID=6623 DF PROTO=TCP
> SPT=32960 DPT=8012 WINDOW=5840 RES=0x00 SYN URGP=0
>Oct 28 16:04:35 test kernel: Shorewall:AllowWeb:ACCEPT:IN=eth0 OUT=
> MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=xxx.x.xxx.xxx
> DST=yyy.yy.yy.yyy LEN=60 TOS=0x10 PREC=0x00 TTL=59 ID=17997 DF PROTO=TCP
> SPT=32961 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

So it would appear like both connection attempts are logged. Now I let
it run for a while, accumulating log entries of both kinds.

After that, I try to use lire to see what's going on:
>#lr_log2report iptables /var/log/kern.log|less

The problem I'm having is that I get many headers with no usable
output; only the sections pertaining to dropped connections show
something, e.g.:

>                              Messages Reports
>                              ----------------
>
>   Top 15 Messages
>
>     No content in report.
>
> [...]
>
>                          Volume's Traffic Reports
>                          ------------------------
>
>     Applied filter in this section: permitted events
>
>   Volume by Rule
>
>     No content in report.
>
> [...]
>
>                           Denied Packets Reports
>                           ----------------------
>
>     Applied filter in this section: denied events
>
>   Packets by Rule
>
>   Rule                                                     Packets % Total
>   -------------------------------------------------------- ------- -------
>   Shorewall:dropInvalid:DROP:                                    1     0.0
>   Shorewall:net2fw:DROP:                                         5     0.1
> [...]

I guess I expected the fact that I am logging accepted packets as well
as dropped ones to add some information to the empty sections, but that
doesn't seem to be the case.

I am using shorewall 2.2.3-2 and lire 2.0.1-4. It seems likely that this
is an iptables issue in general, not related to shorewall, but I thought
I'd mention the fact that I am using it, just in case there are known issues
with the way it tags log messages.

Does anyone know what I can do to get some more information out of my
logs? Any input would be appreciated.

Thanks,
Juergen

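The report the poster wants from lire (packets per rule, with permitted and denied events in separate sections) is easy to reproduce directly from the log lines, and doing so is a useful way to check whether the problem is the parser or the data. The following is an added example, not code from the post or from lire or Shorewall. It relies only on the prefix format visible in the post, `Shorewall:<chain>:<disposition>:` followed by the netfilter `KEY=VALUE` fields, and splits events on the disposition (ACCEPT versus DROP/REJECT). The sample log lines are constructed, modelled on the two lines the poster shows, with documentation-range addresses in place of the masked ones; the host name `test` and the chain names are taken from the post. One thing worth verifying while comparing: a rule logged with the ULOG target is delivered to ulogd rather than to the kernel log, so it will not appear in kern.log at all, whereas lines logged at a syslog level (info, warn) do.

```python
"""Tally Shorewall/iptables kernel log lines per rule, split by disposition.

Added example (not from the original post, lire or Shorewall). It parses
the syslog line layout shown in the post and produces the two report
sections the poster was looking for. SAMPLE_LOG is constructed test data.
"""
import re
from collections import Counter

# "Mon DD HH:MM:SS host kernel: Shorewall:<chain>:<disposition>:IN=... OUT=..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>Shorewall:[^:]+:[^:]+:)\s*(?P<fields>.*)$"
)

# Dispositions Shorewall writes into the log prefix. A plain LOG rule carries
# no verdict of its own and lands in the "other" bucket.
PERMIT = {"ACCEPT"}
DENY = {"DROP", "REJECT"}

# Constructed sample, modelled on the lines quoted in the post (addresses are
# documentation ranges). The last line is an unrelated kernel message.
SAMPLE_LOG = """\
Oct 28 16:04:28 test kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x10 PREC=0x00 TTL=59 ID=6623 DF PROTO=TCP SPT=32960 DPT=8012 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 16:04:35 test kernel: Shorewall:AllowWeb:ACCEPT:IN=eth0 OUT= MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x10 PREC=0x00 TTL=59 ID=17997 DF PROTO=TCP SPT=32961 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 16:05:02 test kernel: Shorewall:AllowWeb:ACCEPT:IN=eth0 OUT= MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=4410 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 16:05:40 test kernel: Shorewall:dropInvalid:DROP:IN=eth0 OUT= MAC=00:40:05:5b:56:10:00:10:67:00:4e:8a:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=6000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Oct 28 16:06:00 test kernel: eth0: link up, 100Mbps, full-duplex
"""


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix")}
    # Prefix is "Shorewall:<chain>:<disposition>:" -> four parts, last empty.
    _, rec["chain"], rec["disposition"], _ = rec["prefix"].split(":")
    # KEY=VALUE tokens; bare flags such as DF, SYN or ACK become True.
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # MAC= values contain ':' only
            rec[key] = value
        else:
            rec[tok] = True
    return rec


def packets_by_rule(lines):
    """Count packets per log prefix, in permitted, denied and other buckets."""
    counts = {"permitted": Counter(), "denied": Counter(), "other": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # not a Shorewall log line
        d = rec["disposition"]
        bucket = "permitted" if d in PERMIT else "denied" if d in DENY else "other"
        counts[bucket][rec["prefix"]] += 1
    return counts


def format_report(counts):
    """Render the two sections in the layout lire uses, filled in."""
    out = []
    for section, title in (("permitted", "Volume by Rule (permitted events)"),
                           ("denied", "Packets by Rule (denied events)")):
        out.append(title)
        total = sum(counts[section].values())
        if not total:
            out.append("  No content in report.")
        for rule, n in counts[section].most_common():
            out.append(f"  {rule:<40} {n:>7} {100.0 * n / total:>6.1f}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(packets_by_rule(SAMPLE_LOG.splitlines())))
```

Feed it the real file with `packets_by_rule(open("/var/log/kern.log"))` and compare the permitted section with lire's "Volume by Rule": if this counts the AllowWeb lines but lire prints "No content in report.", the lines are in the file and the gap is on the parser side.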