On Mon, Sep 30, 2019 at 3:28 PM Lennart Sorensen
<lsore...@csclub.uwaterloo.ca> wrote:
>
> On Mon, Sep 30, 2019 at 03:12:49PM +0200, Vieri Di Paola wrote:
> > On Mon, Sep 30, 2019 at 2:33 PM Lennart Sorensen
> > <lsore...@csclub.uwaterloo.ca> wrote:
> >
> > > > iptables -t mangle -I PREROUTING -i enp5s0.11 -j TEE --gateway 10.215.144.7
> > >
> > > That rule says traffic from enp5s0.11.  Traffic from the firewall itself
> > > would not match that rule.
> >
> > What would be the rule for traffic from the firewall itself, but only
> > to the network behind enp5s0.11?
>
> I think something like:
>
> iptables -t mangle -I PREROUTING -o enp5s0.11 -j TEE --gateway 10.215.144.7
>
> Might need '-i lo' as well to make it only traffic from the firewall that
> counts although you might actually want traffic from elsewhere mirrored
> too I would imagine.

Thanks. It works with -o and FORWARD, OUTPUT, POSTROUTING. PREROUTING
is not allowed, obviously.

However, I'm experiencing severe performance issues even though there
does not seem to be any traffic bottleneck on the FW itself or on the
collector.
If I use the OUTPUT chain then I can see the FW's ICMP requests. I
connect to the IDS host at 10.215.144.7 via ssh from FW, and from
there do a tcpdump to see what I get.
If I use -o and POSTROUTING or FORWARD then my ssh session freezes
most of the time. A ping from FW to the IDS host's IP address fails
most of the time.
Removing this rule (-D) restores the ssh session after a short while,
and the pings flow as expected.

What could be the issue at hand if a monitor such as iptraf-ng does
not seem to show any high traffic values on the NICs?

Thanks,

Vieri


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
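The chain-placement point in this exchange, as an added example that is not part of the thread: a small POSIX shell helper that refuses the chain/match combinations netfilter rejects (-i is only valid in PREROUTING, INPUT and FORWARD; -o only in FORWARD, OUTPUT and POSTROUTING, which is why -o in PREROUTING fails and why "-i lo" cannot be combined with OUTPUT) and prints or applies the xt_TEE mirror rule. The interface name enp5s0.11 and the collector address 10.215.144.7 come from the thread; the `! -d` exclusion of packets already addressed to the collector, and the DRY_RUN switch, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: build xt_TEE mirror rules in the
# mangle table and reject chain/match combinations that iptables would refuse.
# enp5s0.11 and 10.215.144.7 are the values quoted in the thread; DRY_RUN is a
# convention of this script (default 1: print rules instead of applying them).

COLLECTOR="10.215.144.7"
LAN_IF="enp5s0.11"
DRY_RUN="${DRY_RUN:-1}"

# Chains in which an input-interface (-i) match is valid.
in_ok()  { case "$1" in PREROUTING|INPUT|FORWARD) return 0;; esac; return 1; }
# Chains in which an output-interface (-o) match is valid (needs a routing decision).
out_ok() { case "$1" in FORWARD|OUTPUT|POSTROUTING) return 0;; esac; return 1; }

# tee_rule CHAIN DIRECTION IFACE GATEWAY
# DIRECTION is "in" (-i IFACE) or "out" (-o IFACE). Prints the iptables command
# on stdout; prints an error on stderr and returns 1 if CHAIN cannot carry it.
tee_rule() {
    chain="$1"; dir="$2"; iface="$3"; gw="$4"
    case "$dir" in
        in)  in_ok "$chain"  || { echo "error: -i is not valid in $chain" >&2; return 1; }
             m="-i $iface";;
        out) out_ok "$chain" || { echo "error: -o is not valid in $chain" >&2; return 1; }
             m="-o $iface";;
        *)   echo "error: direction must be 'in' or 'out'" >&2; return 1;;
    esac
    # Assumption added here: skip packets already destined to the collector.
    # TEE only rewrites the next hop, so a clone of such a packet is delivered
    # to the same host twice and gives the IDS nothing new.
    echo "iptables -t mangle -I $chain $m ! -d $gw -j TEE --gateway $gw"
}

# apply CHAIN DIRECTION IFACE GATEWAY: print the rule (DRY_RUN=1) or run it.
apply() {
    rule="$(tee_rule "$@")" || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "$rule"
    else
        eval "$rule"   # needs root and the xt_TEE module when actually applied
    fi
}

# Demonstration (nothing is applied while DRY_RUN=1):
apply PREROUTING in  "$LAN_IF" "$COLLECTOR"          # traffic arriving from the LAN
apply OUTPUT     out "$LAN_IF" "$COLLECTOR"          # the firewall's own traffic to the LAN
apply PREROUTING out "$LAN_IF" "$COLLECTOR" || true  # rejected: -o is meaningless before routing
```

Run it as-is to see the generated rules; set DRY_RUN=0 and run as root to install them. The `! -d` clause is the example's own caveat and should be dropped if the goal is specifically to observe how traffic to the collector itself is delivered.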
