On 07/22/2013 05:59 AM, Guilsson G wrote:
> Dear Sirs
>
> I looked thru archives and I didn't find the subject discussed before.
>
> I have some Shorewall installations running for years.
> I usually revise them frequently, but I have two of them with hundreds
> of rules to check.
> It's hugely time consuming.
>
> Considering "shorewall show" gives me the iptables counters, I can,
> after one or two weeks (for example) running my rules (without resetting
> those counters), see which rules have traffic passing or not.
>
> Looking thru counters and "converting" iptables back to shorewall is
> quite easy when you have a couple dozen rules.
>
> For those two where I have hundreds of rules I ran a python script which
> generated "COMMENT"s for each rule in /etc/shorewall/rules.
>
> INPUT:
> ACCEPT fw net udp ntp
>
> OUTPUT:
> ?COMMENT @@@ ACCEPT fw net udp ntp @@@
> ACCEPT fw net udp ntp
> ?COMMENT
>
> But it's not operational because I need to replace /etc/shorewall/rules
> with the commented one and it's difficult to manage on a day by day
> basis. And for long rules, it exceeds the maximum length of comments.
> And it's only for rules. Other iptables rules (masquerades, dnat, snat, etc)
> created inside Shorewall do not receive those comments.
>
> Three points:
>
> 1 - Does Shorewall have something builtin to help on this?
Not specifically. You can 'shorewall trace compile | less' which shows the
rule(s) generated by each input line, but:

- The optimizer can change/combine/delete rules.
- Rules generated by Policies are emitted well after the policy file is
  processed.

> 2 - Does anyone have a better recipe to deal with the cleanup of UNUSED
> RULES?

Nothing comes to mind.

> 3 - Carter, is there a possibility to implement an option inside
> shorewall to restart the rules with this "debug/comment" applied, so my
> rules files stay in the same format as today? If ?comment was used in
> this case, ?comment could just point to the line number inside "rules",
> "policy", etc.

Carter? I can take a look at implementing something in 4.5.20.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
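An added example, not the poster's script and not part of this thread: a Python take on the two halves of the approach described above. It generates the ?COMMENT wrappers for a rules file (truncating the tag to the iptables comment limit, assumed here to be 256 characters) and reads the counters back out of 'shorewall show' output, summing across chains because one rules line can expand to several iptables rules. The chain names, rules and counters in the sample output are constructed.

```python
import re

# Assumption: iptables' comment match holds at most 256 characters.
MAX_COMMENT = 256
MARK = "@@@"


def tag_rules(rules_text):
    """Wrap each rule line of a Shorewall rules file in ?COMMENT markers.

    Blank lines, '#' comments and '?' directives (?SECTION, ?COMMENT, ...)
    pass through unchanged.  The tag is the rule line itself, whitespace
    collapsed and truncated so it never exceeds the iptables comment limit.
    """
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#?":
            out.append(line)
            continue
        tag = f"{MARK} {' '.join(stripped.split())} {MARK}"
        if len(tag) > MAX_COMMENT:
            # keep the head of the rule plus the closing marker
            tag = tag[: MAX_COMMENT - len(MARK) - 1].rstrip() + " " + MARK
        out.append(f"?COMMENT {tag}")
        out.append(line)
        out.append("?COMMENT")  # a bare ?COMMENT clears the current comment
    return "\n".join(out) + "\n"


# One counter line of 'shorewall show' (iptables -L -v -n): pkts, bytes, target,
# ..., with the rule's comment rendered as /* ... */ at the end of the line.
# Counters may be abbreviated (3K, 2M), so the suffix is scaled back up.
_COUNTER_RE = re.compile(
    r"^\s*(\d+)([KMG]?)\s+\d+[KMG]?\s+\S+.*?/\*\s*(.*?)\s*\*/\s*$"
)
_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def rule_hits(show_output):
    """Return {rule text: packets matched}, summed over every iptables rule
    carrying that tag (one rules line can land in several chains)."""
    hits = {}
    for line in show_output.splitlines():
        m = _COUNTER_RE.match(line)
        if not m:
            continue
        comment = m.group(3)
        if not (comment.startswith(MARK) and comment.endswith(MARK)):
            continue  # some other comment, not one of our tags
        rule = comment[len(MARK):-len(MARK)].strip()
        pkts = int(m.group(1)) * _SCALE[m.group(2)]
        hits[rule] = hits.get(rule, 0) + pkts
    return hits


def unused_rules(show_output):
    """Rules whose counters stayed at zero for the whole observation window."""
    return sorted(r for r, n in rule_hits(show_output).items() if n == 0)


# Constructed sample of 'shorewall show' output after a week of uptime.
SAMPLE_SHOW = """\
Chain fw2net (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     9600 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 /* @@@ ACCEPT fw net udp ntp @@@ */
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* @@@ ACCEPT fw net tcp http @@@ */
Chain loc2net (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* @@@ ACCEPT loc,dmz net tcp smtp @@@ */
Chain dmz2net (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      15     1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 /* @@@ ACCEPT loc,dmz net tcp smtp @@@ */
Chain net2fw (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      3K     250K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* @@@ ACCEPT net fw tcp ssh @@@ */
"""

if __name__ == "__main__":
    print(tag_rules("?SECTION NEW\nACCEPT fw net udp ntp\nACCEPT fw net tcp http\n"))
    for rule, n in sorted(rule_hits(SAMPLE_SHOW).items()):
        print(f"{n:>8}  {rule}")
    print("candidates for review:", unused_rules(SAMPLE_SHOW))
```

A zero counter only says the rule matched nothing during the window; a rarely used service or a rule that is shadowed by an earlier one in the same chain looks identical, so the list is a review queue, not a deletion list. It also only covers what the rules file produced; the masquerade/DNAT/SNAT rules the poster mentions get no tag from this.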
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
