lire and shorewall
Wytze van der Raay
wytze at nlnet.nl
Mon Oct 31 16:08:40 CET 2005
Hi Juergen,
> ...
> The problem I'm having is that I get many headers with no usable
> output; only the sections pertaining to dropped connections show
> something, e.g.:
>
>
>> Messages Reports
>> ----------------
>>
>> Top 15 Messages
>>
>> No content in report.
This section is empty because there are no "messages" in your firewall log
(iptables). The DLF converter for iptables only parses for accepted or
rejected traffic, since there isn't anything else in a typical iptables log.
>> ...
>> Volume's Traffic Reports
>> ------------------------
>>
>> Applied filter in this section: permitted events
>>
>> Volume by Rule
>>
>> No content in report.
This is due to a bug in the DLF converter for iptables in the Lire 2.0.1
release. There is a fixed version in the CVS tree:
RCS file: /cvsroot/logreport/service/firewall/lib/IptablesDlfConverter.pm,v
Working file: IptablesDlfConverter.pm
head: 1.11
branch:
locks: strict
access list:
symbolic names:
release-2_0_1: 1.9
release-2_0: 1.9
release-2_0rc1: 1.9
release-1_5: 1.8
merged-20030821: 1.3
lire_1_3_branch: 1.3.0.2
release-1_3: 1.3
keyword substitution: kv
total revisions: 11; selected revisions: 11
description:
----------------------------
revision 1.11
date: 2005/02/14 11:07:33; author: wraay; state: Exp; lines: +8 -4
Add support for proper labeling of traffic permitted by the firewall,
by adding a matching regular expression for 'permitted' similar to the
one for 'denied'.
Update the documentation (LIMITATIONS section) accordingly.
----------------------------
You can substitute the CVS version of this file in your running system,
and it should work then.
>> Denied Packets Reports
>> ----------------------
>>
>> Applied filter in this section: denied events
>>
>> Packets by Rule
>>
>> Rule Packets % Total
>> -------------------------------------------------------- ------- -------
>> Shorewall:dropInvalid:DROP: 1 0.0
>> Shorewall:net2fw:DROP: 5 0.1
>>[...]
I suppose this one conforms more or less to your expectations.
> I guess I expected the fact that I am logging accepted packages as well
> as dropped ones to add some information to the empty sections, but that
> doesn't seem to be the case.
Partly because there isn't any, partly due to a bug in Lire 2.0.1, both
as explained above.
> I am using shorewall 2.2.3-2 and lire 2.0.1-4. It seems likely that this
> is an iptables issue in general, not related to shorewall, but I thought
> I'd mention the fact that I am using it, just in case there are known issues
> with the way it tags log messages.
>
> I am using shorewall 2.2.3-2 and lire 2.0.1-4. Does anyone know what I
> can do to get some more information out of my logs? Any input would be
> appreciated.
I hope the above is helpful,
Wytze van der Raay
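
An added illustration, not part of the original message and not Lire's converter code: a small Python sketch of labeling iptables log lines as denied or permitted from the Shorewall prefix, showing how a "permitted events" report stays empty when only denied traffic is labeled. The sample log lines are constructed, and the keyword lists and the `label_permitted` switch are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in kernel LOG format, using the
# "Shorewall:<chain>:<disposition>:" prefix seen in the report above.
SAMPLE_LOG = """\
Oct 31 15:02:11 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40112 DPT=23
Oct 31 15:02:14 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40113 DPT=445
Oct 31 15:03:40 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=1500 PROTO=TCP SPT=51000 DPT=80
Oct 31 15:04:02 fw kernel: Shorewall:dropInvalid:DROP:IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=80 DPT=51234
Oct 31 15:04:09 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=10.0.0.8 DST=10.0.0.1 LEN=78 PROTO=UDP SPT=137 DPT=137
Oct 31 15:05:00 fw kernel: eth0: link up
"""

PREFIX = re.compile(r"kernel: (?P<rule>Shorewall:[^:\s]+:(?P<disp>[A-Za-z]+):)")
LEN = re.compile(r"\bLEN=(\d+)")
# Assumed keyword lists mapping a disposition to a report label.
DENIED = re.compile(r"DROP|REJECT|DENY", re.I)
PERMITTED = re.compile(r"ACCEPT|ALLOW|PERMIT", re.I)

def classify(line, label_permitted=True):
    """Return (rule, action, bytes), or None for non-firewall lines."""
    m = PREFIX.search(line)
    if m is None:
        return None
    disp = m.group("disp")
    if DENIED.fullmatch(disp):
        action = "denied"
    elif label_permitted and PERMITTED.fullmatch(disp):
        action = "permitted"
    else:
        action = "unknown"  # logged, but matches no report filter
    size = LEN.search(line)
    return m.group("rule"), action, int(size.group(1)) if size else 0

def by_rule(log, action, label_permitted=True):
    """Packet and byte counts per rule for one filter ('denied'/'permitted')."""
    packets, volume = Counter(), Counter()
    for line in log.splitlines():
        rec = classify(line, label_permitted)
        if rec and rec[1] == action:
            packets[rec[0]] += 1
            volume[rec[0]] += rec[2]
    return packets, volume

if __name__ == "__main__":
    print("denied packets:", dict(by_rule(SAMPLE_LOG, "denied")[0]))
    print("permitted volume, unlabeled:", dict(by_rule(SAMPLE_LOG, "permitted", False)[1]))
    print("permitted volume, labeled:", dict(by_rule(SAMPLE_LOG, "permitted", True)[1]))
```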