[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine

Dan Harkless shorewall at harkless.org
Thu Oct 9 19:30:35 PDT 2003


On October 9, 2003, Tom Eastep <teastep at shorewall.net> wrote:
> Works fine here -- just be sure that the Destination column is blank or
> contains "all", "any" or "-".

Ah.  The accounting documentation doesn't say anything about that.  It says
you can use:

  The name of an interface, an address (host or net) or an interface name
  followed by ":" and a host or net address.

Perhaps in your definition, "all", "any", and "-" count as "an address", but
that could be made a whole bunch more clear.

That didn't help, though:

  www-root> diff -u accounting.orig accounting
  --- accounting.orig     2003-10-06 15:14:39.000000000 -0700
  +++ accounting  2003-10-09 18:09:46.000000000 -0700
  @@ -69,5 +69,7 @@
   #
   #ACTION        CHAIN   SOURCE          DESTINATION     PROTO   DEST           SOURCE
   #                                                      PORT            PORT
  +DONE   -       any             eth0            tcp     80
  +DONE   -       eth0            any             tcp     -               80
   #
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
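Review bot: the two added accounting lines count the wrong direction for a web server. Per the `shorewall show accounting` output further down, a DESTINATION of `eth0` compiles to `out eth0`, so `DONE - any eth0 tcp 80` counts only packets this host sends out to port 80 (the host acting as an HTTP client), and `DONE - eth0 any tcp - 80` counts replies arriving from port 80. Requests to the local web server arrive `in eth0` with `dpt:80` (the direction the `ACCEPT net fw tcp 80` rule in the rules diff permits) and match neither line. Swap the interface columns: `DONE - eth0 any tcp 80` for inbound requests and `DONE - any eth0 tcp - 80` for their replies. Note also that the `GET http://www/` test below is run on www itself, so it travels over lo and can never hit an eth0 rule; test from another host.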
  www-root> GET http://www/ | head -4
  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
  <HTML>
   <HEAD>
    <TITLE>Harkless.org -- The website of the Harkless family</TITLE>
  www-root> shorewall show accounting
  Shorewall-1.4.7 Chain accounting at www - Thu Oct  9 18:17:12 PDT 2003

  Counters reset Thu Oct  9 18:09:52 PDT 2003

  Chain accounting (3 references)
   pkts bytes target     prot opt in     out     source               destination
      0     0 RETURN     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          tcp dpt:80
      0     0 RETURN     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp spt:80

Other relevant configuration info:

  www-root> ip addr show
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:50:2c:02:fb:88 brd ff:ff:ff:ff:ff:ff
      inet 207.12.255.2/24 brd 207.12.255.255 scope global eth0
  www-root> ip route show
  207.12.255.0/24 dev eth0  scope link
  169.254.0.0/16 dev eth0  scope link
  127.0.0.0/8 dev lo  scope link
  default via 207.12.255.1 dev eth0

(That 169.254.0.0/16 scared the hell out of me until I did some research and
found out it's some sort of goofy Windows interoperability thing Red Hat
stuck in, in version 9.  I now have NOZEROCONF=yes in
/etc/sysconfig/network-scripts/ifcfg-eth0 to get rid of it next time I
reboot.)

  www-root> diff -u interfaces.orig interfaces
  --- interfaces.orig     2003-10-06 15:14:39.000000000 -0700
  +++ interfaces  2003-10-09 15:51:23.000000000 -0700
  @@ -142,4 +142,6 @@
   #                      net     ppp0    -
   ##############################################################################
   #ZONE   INTERFACE      BROADCAST       OPTIONS
  +net    eth0            detect          routefilter,tcpflags
  +#net   eth0            detect          tcpflags
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  www-root> diff -u policy.orig policy
  --- policy.orig 2003-10-06 15:14:39.000000000 -0700
  +++ policy      2003-10-09 15:56:17.000000000 -0700
  @@ -73,7 +73,7 @@
   ###############################################################################
   #SOURCE                DEST            POLICY          LOG             LIMIT:BURST
   #                                              LEVEL
  -loc            net             ACCEPT
  +fw             net             ACCEPT
   net            all             DROP            info
   #
   # THE FOLLOWING POLICY MUST BE LAST
  www-root> diff -u rules.orig rules | fgrep 80
  +ACCEPT net             fw              tcp     80
  www-root> diff -u zones.orig zones
  --- zones.orig  2003-10-06 15:14:39.000000000 -0700
  +++ zones       2003-10-09 16:01:58.000000000 -0700
  @@ -14,6 +14,4 @@
   #
   #ZONE  DISPLAY         COMMENTS
   net    Net             Internet
  -loc    Local           Local networks
  -dmz    DMZ             Demilitarized zone
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

> > What I'd ultimately like is a setup that allows me to see a count for
> > HTTP/HTTPS traffic, a count for SMTP/SMTPS traffic, and a general count of
> > all traffic going in and out of the machine.  Damned if I can figure out how
> > to do this from the docs, though.

Any comment on this?  Even if I can get this working for port 80, it's still
not clear to me what the right syntax would be to have dedicated chains for
a few protocols and then a "master" chain counting all traffic.
Accounting.html could use another example or two.

> > Also, one unrelated question.  Was it intentional that starting with
> > shorewall 1.4.6c, the MD5 sums file is now just called "md5sums", rather
> > than, e.g. "1.4.6c.md5sums", like it used to be?  This is annoying because I
> > download all my versions of shorewall to a single directory, meaning I must
> > remember to rename "md5sums" after downloading it, so I don't clobber it
> > next time.  (I like to keep the old versions around in case I ever need to
> > downgrade, diff old vs. new versions, etc.)
> 
> Since each release now has its own directory that contains all of the
> files, I just haven't bothered to uniquely rename the md5sum files.

Yeah, I figured that was the reason behind it.  I just wanted to point out
that people downloading shorewall aren't likely to maintain such a directory
structure on their own machine (esp. since they'll generally just be
downloading two files per release: one "flavor" of shorewall (e.g. RPM),
plus the md5sums file).  This requires renaming after each download to
prevent future clobbering.

--
Dan Harkless
http://harkless.org/dan/
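An added example, not from the original post or from the Shorewall project, showing one way to lay out the accounting file asked about above: a master count of everything in and out of eth0, plus dedicated chains for web and mail traffic. It relies on the column semantics visible in the `shorewall show accounting` output above (a SOURCE interface compiles to `in`, a DESTINATION interface to `out`) and assumes the Shorewall 1.4 accounting ACTION values COUNT (count and continue), DONE (count and return) and a chain name (jump to that chain, creating it if needed). The chain names `web` and `mail`, and the choice of 465 for SMTPS, are my own.

```text
#ACTION   CHAIN   SOURCE   DESTINATION   PROTO   DEST    SOURCE
#                                                PORT    PORT
#
# Master count (assumed ACTION COUNT: count the packet and keep going).
# Every packet arriving on or leaving via eth0 is counted here before
# being dispatched to the service chains below, so these two counters
# give the total in and out of the machine.
COUNT     -       eth0     -
COUNT     -       -        eth0
#
# Dispatch by service. Requests to a local server come IN on eth0 with
# the service port as DEST PORT; their replies go OUT on eth0 with the
# service port as SOURCE PORT. (Assumed: a chain name in ACTION jumps
# to that chain and creates it on first use.)
web       -       eth0     -             tcp     80
web       -       eth0     -             tcp     443
web       -       -        eth0          tcp     -       80
web       -       -        eth0          tcp     -       443
mail      -       eth0     -             tcp     25
mail      -       eth0     -             tcp     465
mail      -       -        eth0          tcp     -       25
mail      -       -        eth0          tcp     -       465
#
# Per-service chains: one inbound and one outbound counter each. DONE
# counts the packet and returns to the accounting chain.
DONE      web     eth0     -
DONE      web     -        eth0
DONE      mail    eth0     -
DONE      mail    -        eth0
```

The master COUNT lines sit first so that nothing returned early by a DONE in a service chain is missed; the service chains are then read with the same `shorewall show` command used above, giving the chain name (`web`, `mail`) in place of `accounting`. Because the accounting chain is entered from INPUT, OUTPUT and FORWARD (the "3 references" above), a request from www to its own address still goes over lo and hits none of these eth0 rules; drive the test from another host.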

