Dear Sirs

I looked through the archives and didn't find the subject discussed before.

I have some Shorewall installations running for years.
I usually revise them frequently, but I have two of them with hundreds of
rules to check.
It's hugely time consuming.

Considering "shorewall show" gives me the iptables counters, I can, after
one or two weeks (for example) of running my rules (without resetting those
counters), see which rules have traffic passing and which do not.

Looking through the counters and "converting" iptables back to Shorewall is quite
easy when you have a couple dozen rules.

For those two where I have hundreds of rules I ran a Python script which
generated "COMMENT"s for each rule in /etc/shorewall/rules.

INPUT:
ACCEPT fw  net udp ntp

OUTPUT:
?COMMENT @@@ ACCEPT fw net udp ntp @@@
ACCEPT fw  net udp ntp
?COMMENT

But it's not operational because I need to replace /etc/shorewall/rules
with the commented one, and it's difficult to manage on a day-by-day basis.
And for long rules, it exceeds the maximum length of comments.
And it's only for rules. Other iptables entries (masquerades, dnat, snat, etc.)
created inside Shorewall do not receive those comments.

Three points:

1 - Does Shorewall have something built in to help with this?
2 - Does anyone have a better recipe to deal with the cleanup of UNUSED
RULES?
3 - Carter, is there a possibility to implement an option inside Shorewall
to restart the rules with this "debug/comment" applied, so my rules files
stay in the same format as today? If ?comment was used in this case,
?comment could just point to the line number inside "rules", "policy", etc.

Thanks everyone
-Guilsson
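As an added example (not the poster's script and not Shorewall's own code), a Python helper that does from outside Shorewall what the third point asks for: it wraps each rule in a ?COMMENT carrying only file:line, which stays short even for long rules, and then reads those labels back out of the "shorewall show" counters to list the rules that never matched. It assumes the counters are printed in iptables -L -v -n style with the comment rendered as /* ... */; the sample rules file and counter lines are constructed.

```python
import re

# Added helper, not Shorewall's or the poster's code: wraps each rule with a
# ?COMMENT naming file:line and reads those labels back out of "shorewall show".
COMMENT_RE = re.compile(r"/\* (?P<label>[^ ]+:\d+) \*/")

def annotate_rules(text, filename="rules"):
    """Wrap each rule in '?COMMENT <filename>:<lineno>' ... '?COMMENT'; blank
    lines, '#' comments and '?' directives pass through unchanged."""
    out, pending, start = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not pending:
            if not stripped or stripped[0] in "#?":
                out.append(line)
                continue
            start = lineno      # a backslash-continued rule keeps its first line number
        pending.append(line)
        if stripped.endswith("\\"):
            continue
        out += [f"?COMMENT {filename}:{start}", *pending, "?COMMENT"]
        pending = []
    return "\n".join(out) + "\n"

def _packets(field):            # iptables -v abbreviates 12K, 3M, 1G (powers of 1000)
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * scale[field[-1]] if field[-1] in scale else int(field)

def unused_labels(show_output):
    """Labels with zero packets on every iptables rule carrying them (summed,
    since one Shorewall rule may expand into several iptables rules)."""
    totals = {}
    for line in show_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0][0].isdigit():
            continue            # chain headers, column headers, blank lines
        m = COMMENT_RE.search(line)
        if m:
            totals[m["label"]] = totals.get(m["label"], 0) + _packets(fields[0])
    return sorted(label for label, pkts in totals.items() if pkts == 0)

# Constructed sample input (not from the post): a rules file and matching "shorewall show" lines.
SAMPLE_RULES = "?SECTION NEW\n# time sync\nACCEPT fw  net udp ntp\nDROP net fw tcp 23\n"
SAMPLE_SHOW = """Chain fw-net (1 references)
    pkts bytes target     prot opt in     out     source               destination
     12K  900K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* rules:3 */
Chain net-fw (1 references)
    pkts bytes target     prot opt in     out     source               destination
       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 /* rules:4 */
"""
```

Any ?COMMENT lines already present in the rules file pass through untouched, so their text overrides the generated label for the rules that follow them until the next generated ?COMMENT.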