[Shorewall-users] 'accounting' chain always shows 0 packets on 1-interface machine

Dan Harkless shorewall-users at harkless.org
Thu Oct 9 21:01:21 PDT 2003

On October 9, 2003, Tom Eastep <teastep at shorewall.net> wrote:
> > Umm, are you sure??  The first line has "any" as the source and "eth0" as
> > the DESTINATION.  "" as the source port, and "80" as the destination (a
> > little confusing since the field order is SOURCE DEST ... DEST SOURCE).
> > That's any machine on the network, going to my external interface, hitting
> > my port 80 (from any source port).  The next line is the reverse of that.
> > That sure looks correct to me...
> >From my server (with one interface - eth0). I just threw this
> together...
> [root at lists root]# tail /etc/shorewall/accounting
> #
> #       Please see http://shorewall.net/Accounting.html for examples and
> #       additional information about how to use this file.
> #
> #                                                       PORT     PORT
> DONE    -       eth0            any             tcp     80
> DONE    -       any             eth0            tcp     -        80
> [root at lists root]# shorewall show accounting
> Shorewall-1.4.7 Chain accounting at lists.shorewall.net - Thu Oct  9
> 19:32:31 PDT 2003
> Counters reset Thu Oct  9 19:32:16 PDT 2003
> Chain accounting (3 references)
>  pkts bytes target     prot opt in     out     source              
> destination
>     8   635 RETURN     tcp  --  eth0   *           
>          tcp dpt:80
>     5  1594 RETURN     tcp  --  *      eth0           
>          tcp spt:80
> [root at lists root]# shorewall version
> 1.4.7
> [root at lists root]#
> > For the heck of it, though, I tried reversing "any" and "eth0" on the two
> > lines, restarted shorewall, generated some traffic, and still got 0 counts.
> See above.

Okay, I think I see why I wasn't seeing any results.  After reversing "eth0"
and "any" to match the order you specify above, I tried that 'GET
http://www/' command I showed before, and the counters remained 0.

However, if I generate some traffic from an *external* machine, the counts
do go up now.

Is it the case that the:

  fw              net             ACCEPT

line I have in 'policy' prevents accounting from being done on traffic
originating from the machine itself?  If so, that might be worth documenting
in Accounting.html.

I still don't understand why the order you give above is correct, though,
unless the "DEST PORT" and "SOURCE PORT" columns are just mis-labeled.

To take the second line as an example, if we're talking about traffic from
'any', going to my 'eth0' interface, why should the SOURCE PORT be 80?  If
it's traffic to my webserver, shouldn't 80 be the DEST PORT...?

> > Uhh, okay...  Guess I caught you at a bad time.  I'll hold off any followups
> > to that question until at least the port-80-only case is working.
> Thanks -- I've had a hell of a day.

My condolences.  Now that port 80 is working, I'll poke around to see if I
can get the full setup working before doing any further querying on that.

> > > > Yeah, I figured that was the reason behind it.  I just wanted to
> > > > point out that people downloading shorewall aren't likely to
> > > > maintain such a directory structure on their own machine (esp. since
> > > > they'll generally just be downloading two files per release: one
> > > > "flavor" of shorewall (e.g. RPM), plus the md5sums file).  This
> > > > requires renaming after each download to prevent future clobbering.
> > > 
> > > No comment.
> > 
> > Hmm.  I'd feel better if you'd say, "Noted, but I'm too busy to run the 'mv'
> > command once per release so all the downloaders don't have to worry about
> > file clobbering issues" than just the mysterious "No comment".
> Fine Dan -- wouldn't want to tire you fingers. I'll try to do better in
> the future....

And I wouldn't want you to tire yours!  ;^>  I'm just trying to decrease
entropy in the universe.  If you did the 'mv' once on your end, you'd save
your users (who keep multiple versions) from all having to do it on an
individual basis.

I wouldn't even have mentioned it, except that you used to do it that way
(and were still doing it for a couple versions after putting each release in
its own subdirectory).

Dan Harkless

More information about the Shorewall-users mailing list