On 31/08/2011 14:56, Tom Eastep wrote:
> So it is likely to be a busybox issue. Why don't you:
>
> shorewall trace hits 2> trace

Hi, it's late, so I'm probably not thinking clearly. The trace also
hints at some log line like the one I posted, I think? I think I counted
the ICMP lines in the log file and indeed there were 14?

Trace output below, help appreciated (note I'm copy/pasting over a
serial console and it wraps at odd places):

+ shift
+ hits_command
+ local finished
+ finished=0
+ local today
+ today=
+ [ 0 -eq 0 -a 0 -gt 0 ]
+ [ 0 -eq 0 ]
+ clear_term
+ [ -t 1 ]
+ clear
+ date
+ echo Shorewall 4.4.22.3 Hits at localhost - Wed Aug 31 22:52:55 UTC 2011
+ echo
+ timeout=30
+ grep -q IN=.* OUT=
+ tac /var/log/messages
+ echo HITS IP DATE
+ echo ---- --------------- ------
+ read count address month day
+ sort -rn
+ uniq -c
+ sort
+ sed s/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3 \1/
+ grep IN=.* OUT=
+ tac /var/log/messages
+ printf %7d %-15s %3s %2d\n 37 192.168.105.70 Aug 31
+ read count address month day
+ echo
+ echo HITS IP PORT
+ echo ---- --------------- -----
+ sort -rn
+ uniq -c
+ sort
+ sed s/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/
t
s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/
+ grep IN=.* OUT=
+ tac /var/log/messages
+ read count address port
+ printf %7d %-15s %d\n 14 192.168.105.70
sh: invalid number ''
+ read count address port
+ printf %7d %-15s %d\n 1 192.168.105.70 33457
+ read count address port
+ printf %7d %-15s %d\n 1 192.168.105.70 33456
+ read count address port
...
...
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
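
The following is an added example, not part of the original message and not Shorewall's own code. It reuses the port-summary pipeline visible in the trace on constructed log lines and prints the port with %s and a "-" fallback, so a row without a DPT= field (assumed here, as the poster suspects, to come from ICMP entries) no longer hands an empty value to %d. The names sample_log and port_hits and all log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed netfilter log lines: two TCP hits carrying DPT= and two
# ICMP hits, which have no DPT= field at all.
sample_log() {
cat <<'EOF'
Aug 31 22:50:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.105.70 DST=192.168.105.1 LEN=60 PROTO=TCP SPT=40000 DPT=33457 WINDOW=5840
Aug 31 22:50:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.105.70 DST=192.168.105.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 31 22:50:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.105.70 DST=192.168.105.1 LEN=60 PROTO=TCP SPT=40001 DPT=33456 WINDOW=5840
Aug 31 22:50:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.105.70 DST=192.168.105.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
EOF
}

# Reads log lines on stdin and prints "HITS IP PORT" rows.
# The two sed expressions are the ones shown in the trace: the first
# yields "address port" when DPT= is present, the second yields only
# "address" otherwise, which leaves $port empty in the read loop.
port_hits() {
    grep 'IN=.* OUT=' |
    sed -e 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2 \4/' \
        -e t \
        -e 's/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' |
    sort | uniq -c | sort -rn |
    while read count address port; do
        # %s with a default avoids passing an empty string to %d,
        # which the trace shows busybox sh rejecting as "invalid number ''".
        printf '%7d %-15s %s\n' "$count" "$address" "${port:--}"
    done
}

echo "   HITS IP              PORT"
sample_log | port_hits
```
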