On 05/03/2016 06:50 AM, Bill Shirley wrote:
> I have several INLINE statements in my mangle like this:
> ; -j NFLOG --nflog-prefix "network-daemon" --nflog-group $XYZ_VPN1_NFLOG
>
> Would this be a good candidate for a NFLOG action for the mangle file?
>
> I find NFLOG in the mangle table useful for IPSEC tunnels. Due to the way IPSEC tunnels work,
> with 'tcpdump' you can only see what this server receives. I have to log in to the other side
> to see what the other server receives. But with NFLOG I can tcpdump both sides of the conversation:
> INLINE $XYZ_VPN1_IF:$xyz_net $FW:$lan4_ip1 icmp { test=!0/$ND_PING_MASK } ; -j NFLOG --nflog-prefix "network-daemon" --nflog-group $XYZ_VPN1_NFLOG
> INLINE $FW:$lan4_ip1 $XYZ_VPN1_IF:$xyz_net icmp { test=!0/$ND_PING_MASK } ; -j NFLOG --nflog-prefix "network-daemon" --nflog-group $XYZ_VPN1_NFLOG
>
> params:
> XYZ_VPN1_NFLOG=1202
>
> then:
> tcpdump -i nflog:1202

Will be in 5.0.9 Beta 2

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
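
A capture taken with `tcpdump -i nflog:1202` consists of LINKTYPE_NFLOG frames, each carrying the rule's prefix and an interface index alongside the logged packet. The Python below is an added example, not part of the original thread or of Shorewall: it parses that framing and separates received from sent packets. The sample frames are constructed (ifindex 7 and the payload bytes are made up) and little-endian TLV headers are assumed.

```python
import struct

# NFULA_* attribute types from the kernel's nfnetlink_log UAPI header.
NFULA_IFINDEX_INDEV, NFULA_IFINDEX_OUTDEV = 4, 5
NFULA_PAYLOAD, NFULA_PREFIX = 9, 10

def parse_nflog(frame, tlv_endian="<"):
    """Parse one LINKTYPE_NFLOG frame; TLV headers are in the capturing host's byte order."""
    if len(frame) < 4:
        raise ValueError("truncated NFLOG header")
    family, version, group = struct.unpack("!BBH", frame[:4])
    rec = {"family": family, "group": group, "prefix": None,
           "indev": None, "outdev": None, "payload": b""}
    off = 4
    while off + 4 <= len(frame):
        length, atype = struct.unpack(tlv_endian + "HH", frame[off:off + 4])
        if length < 4 or off + length > len(frame):
            raise ValueError("bad TLV length at offset %d" % off)
        value = frame[off + 4:off + length]
        if atype == NFULA_PREFIX:
            rec["prefix"] = value.rstrip(b"\0").decode("ascii", "replace")
        elif atype == NFULA_IFINDEX_INDEV and len(value) == 4:
            rec["indev"] = struct.unpack("!I", value)[0]   # network byte order
        elif atype == NFULA_IFINDEX_OUTDEV and len(value) == 4:
            rec["outdev"] = struct.unpack("!I", value)[0]
        elif atype == NFULA_PAYLOAD:
            rec["payload"] = value                          # the logged IP packet
        off += (length + 3) & ~3  # attributes are padded to 4 bytes
    return rec

def direction(rec):
    # Received packets carry only an input ifindex, locally sent ones only an output ifindex.
    if rec["indev"] is not None and rec["outdev"] is None:
        return "received"
    if rec["outdev"] is not None and rec["indev"] is None:
        return "sent"
    return "forwarded"

def _tlv(atype, value):  # helper used only to build the sample frames
    pad = b"\0" * (-(len(value) + 4) % 4)
    return struct.pack("<HH", len(value) + 4, atype) + value + pad

# Constructed sample frames: group 1202 and the prefix come from the post,
# ifindex 7 and the 3 payload bytes are made up.
HDR = struct.pack("!BBH", 2, 0, 1202)
PFX = _tlv(NFULA_PREFIX, b"network-daemon\0")
RX = HDR + PFX + _tlv(NFULA_IFINDEX_INDEV, struct.pack("!I", 7)) + _tlv(NFULA_PAYLOAD, b"\x45\x00\x00")
TX = HDR + PFX + _tlv(NFULA_IFINDEX_OUTDEV, struct.pack("!I", 7)) + _tlv(NFULA_PAYLOAD, b"\x45\x00\x00")
for _f in (RX, TX):
    print(parse_nflog(_f)["prefix"], direction(parse_nflog(_f)))
```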
