On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>> Patch attached. The new suffixes are:
>>
>>      :U (UNTRACKED)
>>      :NU (NEW,UNTRACKED)
>>      :NIU (NEW,INVALID,UNTRACKED)
> The patch does its job to perfection.
>
Good
>
>> Patch attached. Adds a DROP action to the format-2 conntrack file.
> That, in general, does not work:
>
> I am not sure what I am supposed to put in the SOURCE/DESTINATION
> columns as a "zone" when in reality I don't care which "zone" this is in
> (and I don't think "all" is appropriate). For example, if I want to
> emulate "-t raw -I PREROUTING 1 -m set --match-set baddies-set src -j
> DROP" as well as "-t raw -I OUTPUT 1 -m set --match-set baddies-set dst
> -j DROP" I tried the following:
>
> 1.
> DROP +baddies-set
> DROP - +baddies-set
>
> Doesn't work - it is asking me for a zone to put in...
>
> 2.
> DROP $FW:+baddies-set
> DROP - $FW:+baddies-set
>
> Moans about unknown zone ("-")...

A careful reading of the manpage reveals that a zone is required in the 
SOURCE column (and 'all' is appropriate for your use) while a zone is 
disallowed in the DESTINATION column (remember that the packet hasn't 
been routed yet so the destination zone is as yet unknown).

Note: When a destination interface is specified, the generated script 
has to use the routing table to produce a list of destination networks, 
then generates one rule for each network.

>
> 3.
> DROP $FW:+baddies-set
> DROP all $FW:+baddies-set
>
> I am getting "ERROR: Unknown Interface (fw)" error...

Again, no zone in the DESTINATION column.

>
> Further on this - a few suggestions to extend this file's functionality:
>
> 1. I am not sure whether I could use a custom action in this file, but
> it would be very handy if I could. Why? Because if I wish to use such an
> action for creating packet logs to multiple (understand 3) destinations
> for example, then instead of having 3 separate LOG/NFLOG statements
> *and* their associated conditionals, I could just have one conditional +
> custom action, which should, in theory, be translated to a single jump
> to the corresponding custom-action chain where the multiple packet logs
> take place.

The implementation of actions is heavily integrated with processing of 
the rules file and is not available in other files. That's one of the 
items on my wish list but it will require a large effort.

>
> 2. If possible, could you include a SWITCH column (similar to what
> you already have in "rules") so that this particular rule is switched on/off
> if/when desired.
>
> Finally, a side issue I've been having, which up until now was a bit
> of a mystery to me - until I had a proper look at my (default) conntrack
> file, that is: every time shorewall starts, I get a group of rather
> annoying syslog messages like so:

> xt_CT: No such helper "sane"
> xt_CT: No such helper "sane-0"
> xt_CT: No such helper "tftp"
> xt_CT: No such helper "tftp-0"
> xt_CT: No such helper "pptp"
> xt_CT: No such helper "sip"
> xt_CT: No such helper "sip-0"
> xt_CT: No such helper "snmp"
> xt_CT: No such helper "netbios-ns"
> xt_CT: No such helper "ftp"
> xt_CT: No such helper "ftp-0"
> xt_CT: No such helper "irc"
> xt_CT: No such helper "irc-0"
> xt_CT: No such helper "amanda"
>

> I knew these may have resulted from the fact that I have intentionally
> disabled (and forcibly removed!) all conntrack kernel helper modules.
> Until I had a look at the conntrack file, I thought that they were
> caused by shorewall trying to load the ct kernel helper modules, but
> after seeing all those conditionals in "conntrack" I am not so sure. Is
> there any way I could get rid of these messages? Am I doing something wrong?

These messages are a result of Shorewall probing the system to determine 
what helpers are available.

There are two ways to suppress them:

- set LOAD_HELPERS_ONLY=Yes in shorewall.conf.
- generate a capabilities file (shorewall show -f capabilities >
   ${CONFDIR}/shorewall/capabilities), then edit the file to turn off
   HELPER_MATCH (set the variable to the empty value).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
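
The following is an added illustration and not code from this thread or from the Shorewall project. It encodes just the two constraints Tom states above for format-2 DROP entries (a zone, or 'all', is required in SOURCE; no zone is allowed in DEST because the raw table is traversed before routing) as a small check, and runs it over the three attempts quoted in the thread plus two entries written to satisfy both constraints. The zone list, the `+baddies-set` ipset and those two "corrected" entries are assumptions; Shorewall's real compiler does far more than this.

```python
"""Syntax check for format-2 DROP entries in a Shorewall conntrack file.

Added illustration, not Shorewall's own compiler: it encodes only the two
constraints stated in the reply above (SOURCE must begin with a zone or 'all';
DEST may name an interface or addresses but never a zone, because the raw
table is traversed before routing).
"""

# Assumption: the zones this hypothetical configuration defines, plus the
# firewall zone itself ($FW). Real Shorewall resolves these from the zones file.
ZONES = {"all", "$FW", "net", "loc"}

# Constructed sample. Lines 3-7 are the attempts quoted in the thread; lines 8
# and 9 are my reading of the reply (the '+baddies-set' ipset is assumed to
# exist). Trailing '#' comments are stripped by parse_conntrack() below.
SAMPLE = """\
?FORMAT 2
#ACTION  SOURCE              DEST
DROP     +baddies-set                          # attempt 1, first line
DROP     -                   +baddies-set      # attempt 1, second line
DROP     $FW:+baddies-set                      # attempt 2: passes, but matches the set as src
DROP     -                   $FW:+baddies-set  # attempt 2, second line
DROP     all                 $FW:+baddies-set  # attempt 3
DROP     all:+baddies-set    -                 # PREROUTING, set matched as src
DROP     $FW                 +baddies-set      # OUTPUT, set matched as dst
"""


def parse_conntrack(text):
    """Return [(lineno, columns)] for every entry in a column-oriented file.

    Blank lines, '#' comments and '?' directives such as '?FORMAT 2' are
    skipped; everything else is split on whitespace into columns.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body or body.startswith("?"):
            continue
        entries.append((lineno, body.split()))
    return entries


def check_drop_entry(cols, zones=ZONES):
    """Return the list of problems with one DROP entry (empty if it is fine)."""
    action = cols[0]
    source = cols[1] if len(cols) > 1 else "-"
    dest = cols[2] if len(cols) > 2 else "-"
    if action != "DROP":
        return [f"{action}: only DROP entries are checked here"]

    problems = []
    # SOURCE: the text before the first ':' must be a zone name or 'all'.
    # A bare '-' or a bare address/ipset ('+baddies-set') carries no zone.
    src_zone = source.split(":", 1)[0]
    if src_zone not in zones:
        problems.append(
            f"SOURCE {source!r}: a zone (or 'all') is required before any address"
        )

    # DEST: the text before a ':' is an interface, never a zone. Shorewall
    # read '$FW:...' here as interface 'fw', hence the 'Unknown Interface'
    # error reported in the thread.
    dst_head = dest.split(":", 1)[0]
    if dst_head in zones:
        problems.append(
            f"DEST {dest!r}: a zone is not allowed here; the packet has not "
            "been routed yet, so only an interface or addresses may be given"
        )
    return problems


def check_file(text, zones=ZONES):
    """Map line number -> problems for every entry that fails a check."""
    report = {}
    for lineno, cols in parse_conntrack(text):
        problems = check_drop_entry(cols, zones)
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    for lineno, problems in sorted(check_file(SAMPLE).items()):
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Run stand-alone it reports sample lines 3, 4, 6 and 7 (line 6 fails both checks); the entries on lines 8 and 9 pass, and line 5 passes the syntax check even though it would match the set against the source address rather than the destination the second iptables rule in the thread was after.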

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel