[Shorewall-users] Troubleshooting multiples zones traffic

Gilson Soares g.soares@datacraft.com.br
Thu, 25 Apr 2002 11:19:00 -0300


I'd like to share a simple way of troubleshooting my recent Shorewall 
installation.

I replaced a messy ipchains fw with hundreds of rules. The mess was due to our 
having a lot of subnets ("zones"), ports, incoming, outgoing, etc. to 
allow/deny, so as not to disturb all the apps and the peace we have. I gave up trying 
to understand the previ

I gave up on converting it to shorewall and decided to send the ipchains rules 
to the trash and start from scratch. With shorewall, in a matter of half a day, 
everything was OK.

To face this situation I created all possible combinations between them. 
Imagine the possible traffic between FW, DMZ, ADM, TI, FIN, NET, ALL, etc. 
I created the POLICY file with dozens of lines like:

    fw   adm   REJECT   info
    adm  fw    REJECT   info
    fw   fin   REJECT   info
    ... etc.

Afterwards, in the RULES file, I set up the common traffic (www, pop, smtp, 
https and a few others) to ACCEPT.

After that I just sat down and kept watching the log messages:
- It shows me exactly the from/to zone (fin2adm), the source IP (I know which 
machine/user) and the destination port (DPT=???). I could "tail -f 
/var/log/messages|grep <user-ip>". It was a piece of cake to fine-tune 
the rules file.

Imagine having a feature like: "shorewall [troubleshoot] start".
In this case, all zone combinations would be generated on the fly as a 
POLICY REJECT INFO.

Any other ideas about troubleshooting complex networks?

Cheers
-Gilson
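The two halves of the approach described in the post, as an added shell example that is not part of the original message and not Shorewall's own code: `gen_policy` emits the same "SOURCE DEST REJECT info" policy line for every ordered pair of zones that Gilson typed by hand (the imagined "troubleshoot" mode), and `summarize_log` reads kernel log lines carrying the "Shorewall:zone2zone:REJECT:" prefix and counts them by zone pair, source IP and DPT, which is the "tail -f | grep" step with the noise aggregated. The zone names and the log lines below are constructed sample data; the log prefix format is assumed to be Shorewall's "Shorewall:CHAIN:DISPOSITION:" followed by the kernel's IN=/OUT=/SRC=/DST=/DPT= fields.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a REJECT+info policy for
# every ordered zone pair and summarizes the resulting log lines.

# gen_policy ZONE... : print one "SRC DEST REJECT info" policy line per ordered
# pair of distinct zones, in Shorewall's SOURCE DEST POLICY LOG-LEVEL layout.
gen_policy() {
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue   # no zone talks to itself here
            printf '%s\t%s\tREJECT\tinfo\n' "$src" "$dst"
        done
    done
}

# summarize_log : read log lines on stdin, pick out the zone2zone chain name from
# the "Shorewall:chain:disposition:" prefix plus SRC= and DPT=, and print
# "chain SRC DPT count", busiest flows first, so the rule that is missing from
# the RULES file stands out instead of scrolling past in tail -f.
summarize_log() {
    awk '{
        chain = ""; src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/)   { split($i, p, ":"); chain = p[2] }
            else if ($i ~ /^SRC=/)    { src = substr($i, 5) }
            else if ($i ~ /^DPT=/)    { dpt = substr($i, 5) }
        }
        if (chain != "") count[chain " " src " " dpt]++
    } END { for (k in count) print k, count[k] }' | sort -k4,4nr -k1,1
}

# Constructed sample log lines (addresses and zones are made up for the demo).
SAMPLE_LOG='Apr 25 10:01:02 fw kernel: Shorewall:fin2adm:REJECT:IN=eth1 OUT=eth2 SRC=10.1.1.5 DST=10.2.2.10 LEN=60 PROTO=TCP SPT=1034 DPT=445 SYN
Apr 25 10:01:03 fw kernel: Shorewall:fin2adm:REJECT:IN=eth1 OUT=eth2 SRC=10.1.1.5 DST=10.2.2.10 LEN=60 PROTO=TCP SPT=1035 DPT=445 SYN
Apr 25 10:01:09 fw kernel: Shorewall:adm2fw:REJECT:IN=eth2 OUT= SRC=10.2.2.7 DST=10.2.2.1 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN'

# Stand-alone demo: policy lines for three constructed zones, then the summary.
echo "# troubleshooting policy"
gen_policy fw adm fin
echo "# rejected flows (chain src dpt count)"
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

On a live box the same functions would be used as `gen_policy fw dmz adm ti fin net` to draft the policy file and `grep Shorewall: /var/log/messages | summarize_log` to see which zone pair, host and port are being rejected most often; each line of that summary maps directly to one candidate ACCEPT line in the RULES file.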