Sassy Natan | 13 Dec 20:30 2013

Re: NFLOG

Hi Wayne

Thanks for the reply!

I was wondering if NFLOG supports the accounting module.
At least shorewall supports this according to http://www.shorewall.net/shorewall-accounting.html
but I didn't manage to make it work.

Thanks
Sassy 


On Sat, Nov 2, 2013 at 1:34 AM, Wayne S <linux <at> zuik.net> wrote:
At 10/31/2013 08:56 AM, you wrote:
Hi Group,

Congratulations on shorewall.org!
No question, shorewall is the best tool I know for playing with iptables rules!

Second, I wonder if anyone can help me with the following:

1. I'm trying to configure a rule with the NFLOG option.
I managed to make it work with ULOG without any problem, but making it work with NFLOG doesn't seem to work :-(
My question is whether the netfilter userspace log daemon (ULOG) knows how to capture NFLOG messages.
At the moment I'm using ULOG version 1.X.
Is this only supported via ULOG version 2.0?

I'm using ulog version 1 because this is the native version my CentOS machine supports, and installing it from source requires me to update a lot of packages, which I want to avoid.

2. What is the real difference between ULOG and NFLOG?

3. I'm not sure I got it right from the documentation at http://www.shorewall.net/shorewall_logging.html

Where do I configure the shorewall LEVEL?
It says it has the following:

debug, info, error, etc.

but I don't see where to change it under the shorewall configuration.

4. A rule like this
ACCEPT:info(tcp_options,ip_options,macdecode,tcp_sequence)      fw      all     all

doesn't seem to work.
I'm getting: Invalid log level (info(tcp_options,ip_options,macdecode,tcp_sequence)

Why? Any idea?

5. Under ULOG, you have the option to configure nlgroup. The default is 1, but say I want to have nlgroup=2 and nlgroup=3, so nlgroup=1 will save logs to file 1.log, nlgroup=2 to 2.log and nlgroup=3 to 3.log. How can it be done? Does this mean I need to run 3 different ULOG processes?
I didn't manage to find how to do it in ulog.conf.


Thanks
Sassy

I'm running on Arch Linux, so I may be way out of touch with older
systems and the following may not match your system.
I'm also somewhat new with shorewall/iptables. I found
#shorewall check -r
to be very helpful when changing the shorewall files.

I believe you need ulogd2 and a kernel > 2.6.14 for NFLOG.

NFLOG is part of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
ULOG is entering end-of-life. NFLOG requires support to be compiled
into the kernel.

# zcat /proc/config.gz | grep NFLOG
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_BRIDGE_EBT_NFLOG=m

Use NFLOG as your log level, and as with ULOG you can specify the
group NFLOG(1,0,1). NFLOG may default to group 0?

Make sure you have your NFLOG filter stack correct in /etc/ulogd.conf.
See /usr/share/doc/ulogd/ulogd.conf  for some example stacks.

Example rule I have:

SECTION NEW

# Drop blacklist ipset and log to ulogd.blacklist
DROP:NFLOG(4,0,1)    net:+blset     all

and /etc/ulogd.conf
~~~~~~~~~~~~
[global]
logfile="/var/log/ulogd.log"
loglevel=5
rmem=131071
bufsize=150000

plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"

# shorewall normal log packets group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

# shorewall log blacklist group 4
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU

[log1]
group=1
#sync=1

[log4]
group=4

[emu1]
file=/var/log/ulogd.syslogemu

[emu3]
file=/var/log/ulogd.blacklist
~~~~~~~

and add logrotate for the new log.

Wayne S
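Wayne's config ties each Shorewall NFLOG(group,...) log level to a ulogd stack through the group= value of the [logN] section; a rule that logs to a group no stack listens on writes nowhere, and nothing warns about it. The Python below is an added example (not Wayne's code and not part of ulogd or Shorewall): it parses a constructed ulogd.conf modelled on his two stacks plus a few constructed Shorewall rule lines, and reports which log file each rule's group actually lands in.

```python
import re

# Constructed ulogd.conf modelled on the two-stack config quoted above.
ULOGD_CONF = """
# shorewall normal log packets: group 1
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu3:LOGEMU
[log1]
group=1
[log4]
group=4
[emu1]
file=/var/log/ulogd.syslogemu
[emu3]
file=/var/log/ulogd.blacklist
"""

# Constructed Shorewall rules: group 4, group 1, and a bare NFLOG (group 0).
SHOREWALL_RULES = """
DROP:NFLOG(4,0,1)    net:+blset     all
ACCEPT:NFLOG(1)      loc            net     tcp     80
REJECT:NFLOG         net            fw
"""
# Matches NFLOG, NFLOG(group) or NFLOG(group,prefix,threshold) in a log level.
NFLOG_RE = re.compile(r'\bNFLOG(?:\((\d+)(?:,[^)]*)?\))?')

def parse_ulogd_conf(text):
    """Return (stacks, sections); hand-parsed because stack= keys repeat."""
    stacks, sections, current = [], {}, None
    for line in (raw.split('#', 1)[0].strip() for raw in text.splitlines()):
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif '=' in line:
            key, value = (s.strip().strip('"') for s in line.split('=', 1))
            if key == 'stack':  # list of (instance, plugin) pairs
                stacks.append([tuple(p.split(':', 1)) for p in value.split(',')])
            elif current is not None:
                sections[current][key] = value
    return stacks, sections

def nflog_listeners(conf):
    """Map each netlink group with a complete NFLOG -> LOGEMU stack to the file
    it writes; ulogd's NFLOG input listens on group 0 when group= is unset."""
    stacks, sections = parse_ulogd_conf(conf)
    listeners = {}
    for stack in stacks:
        inputs = [i for i, p in stack if p == 'NFLOG']
        outputs = [i for i, p in stack if p == 'LOGEMU']
        if inputs and outputs and 'file' in sections.get(outputs[0], {}):
            group = int(sections.get(inputs[0], {}).get('group', 0))
            listeners[group] = sections[outputs[0]]['file']
    return listeners

def check_logging(rules, conf):
    """Per Shorewall rule: the ulogd file receiving its NFLOG group, or None."""
    listeners = nflog_listeners(conf)
    report = {}
    for line in rules.splitlines():
        line = line.strip()
        m = NFLOG_RE.search(line) if line and line[0] != '#' else None
        if m:  # a bare NFLOG level means the iptables default, group 0
            report[line] = listeners.get(int(m.group(1) or 0))
    return report
```

Running check_logging(SHOREWALL_RULES, ULOGD_CONF) maps the DROP and ACCEPT rules to the blacklist and syslogemu files and the bare-NFLOG REJECT rule to None, the case where log records are lost.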


_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Davide Ferri | 13 Dec 16:53 2013

Shorewall and mode statistic

Hi all,
  I'm trying to convert some manually written iptables rules into a shorewall configuration, but I'm facing some issues with mode statistic.
For our outgoing SMTP we balance the source IP address of outgoing connections originating from the firewall between 4 aliases configured on the eth0 interface:

eth0 inet addr:xxx.xxx.xxx.18 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:1 inet addr:xxx.xxx.xxx.19 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:2 inet addr:xxx.xxx.xxx.28 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
eth0:3 inet addr:xxx.xxx.xxx.29 Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0

using iptables we just add the following rules:

iptables -A POSTROUTING -m statistic --mode random --probability 0.25 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.19
iptables -A POSTROUTING -m statistic --mode random --probability 0.33 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.28
iptables -A POSTROUTING -m statistic --mode random --probability 0.5 -t nat -o eth0 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.29

How can we achieve this with shorewall?

Thanks
Davide 
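The three rules above only balance evenly because each statistic match sees just the connections the earlier rules let through, so the chained 0.25, 0.33, 0.5 values each claim about a quarter and the last quarter falls through to the primary address. The Python below is an added example (not Davide's rules and not Shorewall code) that computes those effective shares, derives the exact probabilities for any number of addresses, and renders the corresponding iptables commands; the addresses are constructed placeholders.

```python
# The posted chain, as (--probability, SNAT address) in rule order. Addresses
# are constructed placeholders; PRIMARY is the .18 address on eth0 itself,
# which keeps every connection that no statistic rule claimed.
POSTED_RULES = [(0.25, "192.0.2.19"), (0.33, "192.0.2.28"), (0.5, "192.0.2.29")]
PRIMARY = "192.0.2.18"

def effective_shares(rules, primary):
    """Fraction of new connections each address ends up SNATed to. Rule i is
    only evaluated on what rules 0..i-1 let through, so its real share is
    p_i * prod(1 - p_j for j < i); whatever is left reaches no SNAT rule."""
    remaining, shares = 1.0, {}
    for prob, addr in rules:
        shares[addr] = remaining * prob
        remaining *= 1.0 - prob
    shares[primary] = remaining
    return shares

def balanced_probabilities(n_addresses):
    """Probabilities for the n-1 statistic rules that spread connections evenly
    over n addresses: rule i (0-based) must take 1/(n - i) of what reaches it,
    i.e. 1/4, 1/3, 1/2 for four addresses (0.33 in the post is a rounding)."""
    return [1.0 / (n_addresses - i) for i in range(n_addresses - 1)]

def snat_commands(addresses, dport=25, out_if="eth0"):
    """Render the balanced rule chain; addresses[0] is the primary and needs
    no rule because unmatched connections keep the interface address."""
    probs = balanced_probabilities(len(addresses))
    return [
        f"iptables -t nat -A POSTROUTING -o {out_if} -p tcp --dport {dport} "
        f"-m statistic --mode random --probability {prob:.4f} -j SNAT --to {addr}"
        for prob, addr in zip(probs, addresses[1:])
    ]
```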

Sassy Natan | 13 Dec 16:47 2013

Accounting

Hi Group,

I was wondering if it is possible to use shorewall-accounting with ULOG2 and NFLOG.

My goal is as follows:

Say I have in rules something like this:

accept fw all all 
accept all fw tcp 80,443
drop    all all all

with the following in accounting:
        web             -       eth0    -               tcp             80
        web             -       -       eth0            tcp             -               80
        web             -       eth0    -               tcp             443
        web             -       -       eth0            tcp             -               443


        web        -       eth0    -               tcp             -    80
        web        -       -       eth0            tcp             80
        web        -       eth0    -               tcp             -      443
        web        -       -       eth0            tcp             443  -
        COUNT           web     eth0
        COUNT           web     -       eth0
        DONE            web


While I can easily check the accounting status for web traffic in and out, all other traffic goes under a different chain.
So my question is:
1. Can I somehow define an automatic way to update the accounting file each time I create/delete a rule in rules?

So if I have something like
   accept all fw tcp 80,443,21

will I have two chains, one for web traffic and one for ftp(21) traffic?

2. If I have something like this
 accept fw any all

can I have accounting provide me not only the amount of outbound traffic, but also broken down per other ports, say for DNS, SMTP traffic etc., or would I have to create them one by one in the accounting file?


3. I saw the accounting supports NFLOG. Can someone please provide an example of how to use it? What is the generated output from this? Does ULOG2 support this?
I know about https://home.regit.org/2012/07/flow-accounting-with-netfilter-and-ulogd2/ but I'm not sure I can use nfacct due to kernel issues, and besides, is accounting with ULOG2 supported with mysql?

Thanks
Sassy 
Fábio Rabelo | 10 Dec 14:41 2013

second VPN in bridge mode

Hi to all

I have a vpn server configured in bridge mode, working perfectly for
over a year.

I need to add a new bridge to it now, and I'm really not sure what I
am doing wrong!

My /etc/openvpn contains 2 files :

/etc/openvpn/bridge.conf

remote 0.0.0.0
dev tap0
secret /etc/openvpn/bridge.key

/etc/openvpn/cajamar.conf

port 1195
remote 0.0.0.0
dev tap1
secret /etc/openvpn/cajamar.key

and my /etc/network/interfaces contains this :

# The loopback network interface
auto lo
iface lo inet loopback

# The internet network interface
auto eth1
iface eth1 inet static
    address 186.231.3.203
    netmask 255.255.255.248
    broadcast 186.231.3.207
    gateway 186.231.3.201

# The bridged vpn interface for Cenno
auto br0
iface br0 inet static
    pre-up /usr/sbin/openvpn --mktun --dev tap0
    pre-up /usr/sbin/brctl addbr br0
    address 172.16.0.4
    network 172.16.0.0
    broadcast 172.16.255.255
    netmask 255.255.0.0
    post-up /sbin/ip link set tap0 up
    post-up /usr/sbin/brctl addif br0 tap0
    post-up /sbin/ip link set eth0 up
    post-up /usr/sbin/brctl addif br0 eth0
    post-down /usr/sbin/brctl delbr br0
    post-down /usr/sbin/openvpn --rmtun tap0
    post-down /sbin/ip link set eth0 down

# The bridged vpn interface for Cajamar
auto br1
iface br1 inet manual
    pre-up /usr/sbin/openvpn --mktun --dev tap1
    pre-up /usr/sbin/brctl addbr br1
    post-up /sbin/ip link set tap1 up
    post-up /usr/sbin/brctl addif br1 tap1
    post-up /sbin/ip link set eth3 up
    post-up /usr/sbin/brctl addif br1 eth3
    post-down /usr/sbin/brctl delbr br1
    post-down /usr/sbin/openvpn --rmtun tap1
    post-down /sbin/ip link set eth3 down

There is no error msg in the log on any of the 3 servers ...

The old one (referred to just as "bridge") is still working fine, the new
one (referred to as "cajamar") is not working ....

Any help will be welcome .... thanks in advance ...

Fábio Rabelo
Attachment (vpn.rar): application/rar, 19 KiB

Using 192.168.x.x on external NIC for testing.

Hi there.

I'm testing shorewall before production use on my home network. I've used shorewall before in a production environment, but it's a long time ago.

Any help is appreciated. :-)

My setup:
- FW and client are running in VirtualBox.
- I'm using example files from /usr/share/doc/shorewall/examples/two-interfaces on debian 7.2.0.

Firewall
net: eth0: 192.168.1.175 (from local DHCP)
loc: eth1: 10.29.3.1

Client on the inside (loc)
IP: 10.29.3.2

What works
- FW can ping 8.8.8.8 and test client(10.29.3.2)
- Client can ping FW:eth0(192.168.1.175)
- Client can ping FW:eth1(10.29.3.1)
- SSH connection from outside to FW

What doesn't work
- Ping from client to 8.8.8.8
- w3m to google.com

Keep in mind that I'm using an RFC 1918 private IP address for "net"/eth0. Any ideas as to what I'm missing or doing wrong?

Thanks in advance.

Med venlig hilsen/Kind regards

Michael B. Arp Sørensen
KP Kirchdoerfer | 8 Dec 13:29 2013

NFLOG setting in shorewall.conf

Hi Tom;

running shorewall 4.5.20 I get an error

/sbin/shorewall: /etc/shorewall/shorewall.conf: line 44: syntax error: 
unexpected "("

when I add 
MACLIST_LOG_LEVEL=NFLOG(1,0,1)

to /etc/shorewall/shorewall.conf (as documented in Shorewall Logging)

Though it works in /etc/shorewall/policy

Has this been fixed in later versions?
Do you need more information about my setup?

thx kp

Roland RoLaNd | 5 Dec 13:06 2013

Warning empty zone - virtual interface

Dear all,

I'm running shorewall with 3 interfaces:

eth0: DMZ
eth1: ISP
eth3: LAN

I need to add a wifi zone that will work on a virtual interface eth0:1 


I've done the following:

/etc/shorewall/host 
dmz        eth0:192.168.30.0/24
wifi         eth0:192.168.40.0/24

/etc/shorewall/interfaces
###############################################################################
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net     eth1            tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth3            tcpflags,dhcp,nosmurfs,routefilter,logmartians
-     eth0 -


/etc/shorewall/masq
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth1 192.168.10.0/24,\
192.168.30.0/24,\
192.168.40.0/24


/etc/shorewall/zones
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
wifi ipv4

But when I do "shorewall restart" I receive warnings that both wifi and dmz zones are EMPTY, as such:

Determining Hosts in Zones...
   WARNING: *** dmz is an EMPTY ZONE ***
   WARNING: *** wifi is an EMPTY ZONE ***


Any explanation on why that is happening?



Orlandinei Vujanski | 4 Dec 18:13 2013

QoS

Tom, good afternoon!
I am configuring QoS, but get this error when compiling the tcdevices and tcclasses files, as below:


Dec 4 15:03:58 Compiling / etc / shorewall / tcclasses ...
Dec 4 15:03:58 ERROR: Unknown INTERFACE (eth0) / etc / shorewall / tcclasses (line 2)


Dec 4 15:10:04 Compiling / etc / shorewall / tcdevices ...
Dec 4 15:10:04 Tcdevice "eth0 10mbit 10mbit" Compiled.
Dec 4 15:10:04 Compiling / etc / shorewall / tcclasses ...
Dec 4 15:10:04 Tcclass "eth0 1 50 * full/100 full 1" Compiled.
Dec 4 15:10:04 ERROR: No default device class defined for eth0


How can I fix?

thank you
Orlandinei Vujanski | 4 Dec 16:59 2013

QoS - Shorewall

good afternoon!
Can I, via shorewall, make any request from the 192.168.0.0/24 network to network 10.3.0.0/24 occupy a maximum of 2mbps of the link?

thank you
jen142 | 3 Dec 23:44 2013

Extension Script or systemd for Shorewall dependencies?

Hi,

I installed Shorewall, and launch it with systemd.

If I want to launch some other app, say OpenVPN, only after
Shorewall is UP, should I use systemd's ExecStartPost=, or the
/etc/shoreline/configfiles/{start,started} Extension Scripts?

It seems both would work.

Is there any advantage of one way over the other?

Jen
