Wookey wrote:
> On Sun 30 May, Ralph Clark wrote:
>
> > The debug 31 option will generate messages like this in the system messages log
> > file, as directed by /etc/syslog.conf:
> >
> > filter accepted rule 9 proto 6 len 295 seq f4e10d7d ack bbd0a25b flags PUSH ACK
> > packet 195.11.50.200,8080 => 193.237.131.114,2742
> > filter ignored rule 5 proto 6 len 40 seq f4e10e7c ack bbd0a25b flags FIN ACK
> > packet 195.11.50.200,8080 => 193.237.131.114,2742
>
> > The rule numbers quoted are allocated sequentially to your filter rules in the
> > order they appear in your diald configuration files, i.e. the first filter rule
> > to appear is rule no. 1. The 'proto' protocol number is the protocol number of
> > the service as allocated in /etc/protocols.
>
> aha! I've been wondering what 'proto' was for a while. Does it say this
> anywhere in the diald docs? I haven't been able to find a spec for these
> debug messages anywhere (I have diald 0.16, but I've also just downladed
> diald 0.99 and looked through the docs in that, and on the web.)
>
> The 'rule number' is not very convenient if you are trying to use this
> info to find a rule problem, as there is no easy way to find out which
> rule is which without parsing the filter files to get rid of all the
> comments and blank lines (or is there?).
Please see the attached perl script, written by a chap called "Philip Campbell"
<[EMAIL PROTECTED]> and submitted to this list a good long while ago.
> I've written a noddy bit of AWK to do this and generate a numbered rule list,
> but it is primitive if you have 'includes' as it only processes the one
> file so you have to manually set the starting count. Is there a smarter
> solution to this? Seems to me that diald really ought to be able to write
> out its rule list (perhaps via syslog?) if you ask it nicely.
>
> -----rulefilter.awk------
> # You can set count to some other value if this is an included rule file
> BEGIN { count = -1 }
> { snipped = 0 }
>
> /^#/ { snipped = 1 }
> /^$/ { snipped = 1 }
>
> {if (!snipped) { count += 1; print count,"\t", $0} }
>
> use the above with something like:
> cat standard.filter | awk -f rulefilter.awk > rules.txt
>
> The above is embarassingly basic, but I've found it very handy when
> trying to work out what is going on.
The following has also been contributed to this list by [EMAIL PROTECTED]
egrep -v "^#|(^\ *$)" ` grep "^include.*filter" diald.conf | sed
-e
"s/^include\ //g"` | grep -n ".*"
or a simpler perl script:
#!/usr/bin/perl
$show_all_lines = 1; # 0 to output only rules.
@ARGV=`grep '^include.*filter' diald.conf | sed -e 's/^include\
//g'`;
$rules=1;
while(<>) {
if (/^#|(^\s*$)/) {
printf(" %s", $_) if $show_all_lines==1;
} else {
printf("%3d %s", $rules++, $_);
}
}
I haven't tried these but the attached 'number.diald.rules' script is thought to
handle included filter files quite well.
> The number separated by a comma from
> the IP address is the port number of the service used, as allocated in
> /etc/services.
OK, that's what I thought, but I don't understand why when I monitor
packets the 'to' port is usually something sensible, like '25' (SMTP),
but the 'from' port is usually something like 6586, which is way off the
end of my /etc/services list. I had wondered if it was a pid not a port,
but that didn't seem to pan out either. So why these large port numbers?
I get feeling I am missing something fundamental...
It is a port number all right. Applications which don't use what's called a
'well-known port' can allocate whatever port they like as long as the remote end
knows which port it is supposed to be listening on. Thus an applet downloaded in an
html page might well allocate an unused port like this.
> I haven't yet found a way to identify which process is responsible for each
> packet. If anyone knows how to find the PID of the process sending or receiving
> a given packet (and presumably this involves finding out which socket it is
> going to or coming from, and separately identifying the process which is using
> that socket) ... PLEASE let me know.
yes, I'd like to know that too...
I've posted questions about that to this list over and over but unfortunately it
seems that networking gurus visit this list only infrequently...
--
[EMAIL PROTECTED] Ralph Clark, Virgo Solutions Ltd (UK)
__ _
/ / (_)__ __ ____ __ * Powerful * Flexible * Compatible * Reliable *
/ /__/ / _ \/ // /\ \/ / *Well Supported * Thousands of New Users Every Day*
/____/_/_//_/\_,_/ /_/\_\ The Cost Effective Choice - Linux Means Business!
#!/usr/bin/perl
$show_all_lines = 1; # 0 to output only rules.
$location_of_diald_conf = '/etc';
$name_of_diald_conf = 'diald.conf';
$number_of_digits = 2; # For rule numbers.
$pattern_to_get_diald_filter_locations_from_diald_conf = '.*filter';
# @filter_files = &form_list_of_filter_files;
# You could start here with
# @filter_files = ("path to your filter file");
@filter_files = ("/etc/diald.conf");
&count_through_list_of_filter_files(@filter_files);
# Done. Output has erupted from STDOUT.
sub count_through_list_of_filter_files {
local (@filter_files, $indent, $rule) = @_;
$indent = " " x ($number_of_digits + 1);
while ($#filter_files > -1) {
$_ = shift(@filter_files);
# print "$_\n";
open(FILTER, $_) || die("Can't open filter\n\t$_\n\t");
while (!eof(FILTER)) {
$_ = <FILTER>;
if (&its_a_rule($_)) {
$rule += 1;
printf "%${number_of_digits}d %s", $rule, $_; }
elsif ($show_all_lines) { print $indent, $_; } }
close(FILTER); } }
sub form_list_of_filter_files {
local ($path_to_diald_conf, @filter_files);
$path_to_diald_conf = "$location_of_diald_conf/$name_of_diald_conf";
open(DIALD_CONF, "$path_to_diald_conf")
|| die("Can't open diald.conf: $path_to_diald_conf\n\t");
while (!eof(DIALD_CONF)) {
$_ = <DIALD_CONF>;
# print "$_\n";
next unless
(/$pattern_to_get_diald_filter_locations_from_diald_conf/io);
next if (/^#/);
next unless (s/^include //io);
s/\s+$//o;
next if (/\s/o);
# print "$_\n";
push (@filter_files, $_); }
close(DIALD_CONF);
if ($#filter_files < 0) { die("Can't find filter file names"
. "\n\tin $path_to_diald_conf\n\t"); }
@filter_files; }
sub its_a_rule {
local ($_, $count_it) = @_;
$count_it = 1; # This line is a rule.
if (/^#/o) { $count_it = 0; } # Not a rule.
if (/^\s*$/o) { $count_it = 0; } # Not a rule.
$count_it; }
