________________________________
From: Tom Eastep <[email protected]>
>
> Okay -- let's try this:
>
> a) set LOG_BACKEND=LOG in shorewall.conf
> b) shorewall reload
> c) shorewall iptrace -s 172.16.0.1 -p icmp
> d) Try the ping that fails from fw1
> e) shorewall noiptrace -s 172.16.0.1 -p icmp
> d) forward the part of the shorewall log that captures the time covered
> by this test

Note that LOG_BACKEND was already set to LOG. I did not have to change that.

# grep LOG_BACKEND /etc/shorewall/shorewall.conf
LOG_BACKEND=LOG

I created the following script on "fw2" to do what you asked.

# cat sw_trace.sh
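#!/bin/bash
# Source IP to trace; defaults to fw1 (172.16.0.1) when no argument is given.
srcip=$1
[ ${#srcip} -eq 0 ] && srcip=172.16.0.1
locif=enp10s0
# Start from an empty Shorewall log so it only covers this test.
echo '' > /var/log/shorewall/info.log
shorewall reset
shorewall reload
shorewall iptrace -s "$srcip" -p icmp
echo "Now start pinging from $srcip to 8.8.8.8 and press ENTER"
read -r
# Capture 30 ICMP packets to or from the traced host on the local interface.
tcpdump -n -c 30 -i "$locif" icmp and host "$srcip" > "./tcpdump_$srcip"
sleep 2
shorewall noiptrace -s "$srcip" -p icmp
shorewall dump > "./swdump_$srcip"
cp /var/log/shorewall/info.log "./swtrace_$srcip"
gzip --best "./swtrace_$srcip"
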
I then realized that the trace dumps were incomplete, so I retrieved them from
/var/log/messages with:

grep "TRACE:" /var/log/messages

I thought LOGFILE=/var/log/shorewall/info.log was enough in shorewall.conf, but
this is the least of my problems right now. ;-)

So I hope you don't mind if I send 2 trace files. One was taken from
/var/log/shorewall/info.log, the other from /var/log/messages (according to
timestamps).

I'm attaching all the results in this and later posts (due to message size
limits in the ML).

I also did new shorewall dumps because of a few minor changes.

Any *part* file name I attach should be rebuilt with:

cat FILE.PART1 FILE.PART2 ... > FILE.gz

I did 2 tests. One was from "fw1" at 172.16.0.1, the other was from a host in
one of fw1's zones (IP addr. 10.215.144.7). Failing ping requests go to 8.8.8.8.

The tcpdump tests show that both the host at 10.215.144.7 and fw1 can ping fw2
just fine. Trying to access the providers seems to be the issue here.

Thanks,

Vieri

swdump_172.16.0.1.part1
Description: Binary data
swtrace_172.16.0.1.gz
Description: application/gzip
swtrace_172.16.0.1_TRACE.gz
Description: application/gzip
tcpdump_172.16.0.1.gz
Description: application/gzip
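
The `grep "TRACE:" /var/log/messages` output described in the message above can be condensed into one line per traced packet. This is an added example, not part of the original post or of Shorewall; it assumes the usual kernel LOG-backend layout (`TRACE: table:chain:type:rulenum` followed by `IN= OUT= SRC= DST= ... ID= ... SEQ=`), and the sample lines, `trace_paths` and `sample_log` are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise netfilter TRACE log lines per packet.
# Assumed line layout (LOG backend):
#   ... TRACE: table:chain:type:rulenum IN=.. OUT=.. SRC=.. DST=.. ... ID=<ip id>
#       ... PROTO=ICMP TYPE=8 CODE=0 ID=<icmp id> SEQ=<n>

# trace_paths SRCIP: read log lines on stdin and print one line per traced
# packet from SRCIP, listing the steps it went through in log order.
trace_paths() {
    awk -v src="$1" '
    /TRACE: / {
        hop = s = d = id = seq = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")               hop = $(i + 1)
            else if ($i ~ /^SRC=/)            s = substr($i, 5)
            else if ($i ~ /^DST=/)            d = substr($i, 5)
            # ICMP echo lines carry two ID= fields; the first is the IP ID.
            else if ($i ~ /^ID=/ && id == "") id = substr($i, 4)
            else if ($i ~ /^SEQ=/)            seq = substr($i, 5)
        }
        if (s != src || hop == "" || id == "") next
        key = id "/" seq
        if (!(key in path)) { order[++n] = key; dst[key] = d; path[key] = hop }
        else path[key] = path[key] " > " hop
    }
    END {
        for (k = 1; k <= n; k++) {
            split(order[k], p, "/")
            printf "ID=%s SEQ=%s %s -> %s: %s\n", p[1], p[2], src,
                   dst[order[k]], path[order[k]]
        }
    }'
}

# Constructed sample lines (not taken from the attached traces).
sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 fw2 kernel: TRACE: raw:PREROUTING:policy:2 IN=enp10s0 OUT= SRC=172.16.0.1 DST=8.8.8.8 LEN=84 TTL=64 ID=4660 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  1 10:00:01 fw2 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp10s0 OUT= SRC=172.16.0.1 DST=8.8.8.8 LEN=84 TTL=64 ID=4660 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  1 10:00:01 fw2 kernel: TRACE: filter:FORWARD:rule:3 IN=enp10s0 OUT=ppp0 SRC=172.16.0.1 DST=8.8.8.8 LEN=84 TTL=63 ID=4660 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar  1 10:00:01 fw2 kernel: TRACE: raw:PREROUTING:policy:2 IN=enp10s0 OUT= SRC=10.215.144.7 DST=8.8.8.8 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=12 SEQ=1
Mar  1 10:00:02 fw2 kernel: TRACE: raw:PREROUTING:policy:2 IN=enp10s0 OUT= SRC=172.16.0.1 DST=8.8.8.8 LEN=84 TTL=64 ID=4661 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=2
Mar  1 10:00:02 fw2 kernel: device enp10s0 entered promiscuous mode
EOF
}

sample_log | trace_paths 172.16.0.1
```

On a real log, `grep "TRACE:" /var/log/messages | trace_paths 172.16.0.1` gives the same summary; the last step on each line is the last point at which the packet was logged.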
