[Shorewall-users] Troubleshooting multiples zones traffic
Thu, 25 Apr 2002 11:19:00 -0300
I'd like to share a simple way of troubleshooting my recent Shorewall
I replaced a messy ipchains fw with hundreds of rules. The mess was due to us
having a lot of subnets ("zones"), ports, incoming, outgoing, etc. to
allow/deny, so as not to disturb all the apps and the peace we have. I gave up trying
to understand the previ
I gave up on converting it to Shorewall and decided to send the ipchains rules
to the trash and start from scratch. With Shorewall, in a matter of half a day,
everything was ok.
To face this situation I created all possible combinations between them.
Imagine the possible traffic between FW, DMZ, ADM, TI, FIN, NET, ALL, etc.
I created the POLICY file with dozens of lines like:
fw adm REJECT info
adm fw REJECT info
fw fin REJECT info
Afterwards, in the RULES file, I set up the common traffic (www, pop, smtp,
https and a few others) to ACCEPT.
After that I just sat down and kept watching the log messages:
- It shows me exactly the from/to zone (fin2adm), source ip (I know which
machine/user) and destination port (DPT=???). I could "tail -f
/var/log/messages|grep <user-ip>". It was a piece of cake to fine-tune
the rules file.
Imagine having a feature like: "shorewall [troubleshoot] start".
In this case, all zone combinations will be generated on-the-fly as a
POLICY REJECT INFO.
Any other ideas about troubleshooting complex networks?
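The workflow described in this post (generate a REJECT/info policy for every zone pair, then read the log to see which flows need a rule), as an added example that is not part of the original post or of Shorewall itself. It assumes the classic "Shorewall:<src>2<dst>:<action>:" kernel log prefix and that zone names contain no digit "2"; the log lines and addresses are constructed.

```python
import re
from collections import Counter
from itertools import permutations

# Constructed sample of the kernel log lines the post describes. The prefix
# format "Shorewall:<chain>:<action>:" is an assumption about the 1.x logger;
# addresses and ports are made up (documentation ranges).
SAMPLE_LOG = """\
Apr 25 10:01:02 fw kernel: Shorewall:fin2adm:REJECT:IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=1034 DPT=445 SYN
Apr 25 10:01:05 fw kernel: Shorewall:fin2adm:REJECT:IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=1035 DPT=445 SYN
Apr 25 10:02:11 fw kernel: Shorewall:adm2fw:REJECT:IN=eth2 OUT= SRC=198.51.100.7 DST=198.51.100.1 LEN=76 PROTO=UDP SPT=53000 DPT=161
Apr 25 10:03:40 fw kernel: Shorewall:ti2fin:REJECT:IN=eth3 OUT=eth1 SRC=203.0.113.4 DST=192.0.2.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)")


def generate_policy(zones, action="REJECT", log_level="info"):
    """The 'shorewall troubleshoot start' idea: one policy line per ordered zone pair."""
    return [f"{src} {dst} {action} {log_level}" for src, dst in permutations(zones, 2)]


def parse_log_line(line):
    """Pull chain, action and the netfilter key=value fields out of one log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"chain": m.group("chain"), "action": m.group("action"),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}


def summarize_rejects(log_text):
    """Count rejected flows by (chain, src, dst, proto, dpt) so repeat offenders stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["chain"], rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    return counts


def suggest_rules(counts):
    """Draft RULES-file lines (ACTION SOURCE DEST PROTO PORT) for an admin to review, not to apply blindly."""
    rules = []
    for (chain, _src, _dst, proto, dpt), _n in sorted(counts.items()):
        src_zone, dst_zone = chain.split("2", 1)  # assumes zone names contain no '2'
        rules.append(f"ACCEPT {src_zone} {dst_zone} {proto.lower()} {dpt or '-'}")
    return rules
```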