Thread: [Fwbuilder-discussion] Logging/CLASSIFY
From: Chris M. <ch...@tr...> - 2006-09-28 23:05:08
Perhaps this is a known issue (I'm using fwb_ipt v2.1.6-b), but.... if logging is enabled and I wish to apply a CLASSIFY rule fwbuilder will generate a rule like:

$IPTABLES -N Out_RULE_3 -t mangle
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 80 -j Out_RULE_3
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j Out_RULE_3
$IPTABLES -t mangle -A Out_RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:40
#
# Rule 4 (eth0)
#
echo "Rule 4 (eth0)"
#
#
#
$IPTABLES -N Out_RULE_4 -t mangle
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 443 -j Out_RULE_4
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 443 -j Out_RULE_4
$IPTABLES -t mangle -A Out_RULE_4 -j LOG --log-level debug --log-prefix "RULE 4 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30

instead of like:

$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 1:40
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:40
#
# Rule 4 (eth0)
#
echo "Rule 4 (eth0)"
#
#
#
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 1:30
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 1:30

Unless I'm missing something, the rules in the first example don't really make sense. FWBuilder is applying the conditional logic to the FORWARD chain and arbitrarily applying a CLASSIFY jump from the POSTROUTING chain, which will effectively shove everything at the class param in the --set-class statement. In this case, the second "$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30" applies.

In reality, I won't be logging packets that match a CLASSIFY rule. In this case, I simply activated the "Activate logging in all rules" switch.

Hope this helps.

Chris
From: <va...@vk...> - 2006-09-29 00:14:33
This looks like a bug. Could you open a bug report please?

I do not want to launch an opinion poll on this but I would appreciate it if people on the list made suggestions. What would be the best way to handle situations like this?

1. I fix the compiler so that it would use the same chain POSTROUTING for all rules in the group, starting with the rule where it does matching and all the way to the rules with actions LOG and CLASSIFY.

2. Or I could make the compiler ignore the "log" option in combination with action Classify (but print a warning). If this is acceptable, what about other actions that go into the mangle table, such as MARK and CONNMARK?

--vk

On Sep 28, 2006, at 4:05 PM, Chris Malott wrote:

> Perhaps this is a known issue (I'm using fwb_ipt v2.1.6-b), but....
>
> if logging is enabled and I wish to apply a CLASSIFY rule fwbuilder will
> generate a rule like:
>
> $IPTABLES -N Out_RULE_3 -t mangle
> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 80 -j Out_RULE_3
> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j Out_RULE_3
> $IPTABLES -t mangle -A Out_RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
> $IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:40
> #
> # Rule 4 (eth0)
> #
> echo "Rule 4 (eth0)"
> #
> #
> #
> $IPTABLES -N Out_RULE_4 -t mangle
> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 443 -j Out_RULE_4
> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 443 -j Out_RULE_4
> $IPTABLES -t mangle -A Out_RULE_4 -j LOG --log-level debug --log-prefix "RULE 4 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
> $IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30
>
> instead of like:
>
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 1:40
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:40
> #
> # Rule 4 (eth0)
> #
> echo "Rule 4 (eth0)"
> #
> #
> #
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 1:30
> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 1:30
>
> Unless I'm missing something, the rules in the first example don't
> really make sense. FWBuilder is applying the conditional logic to the
> FORWARD chain and arbitrarily applying a CLASSIFY jump from the
> POSTROUTING chain, which will effectively shove everything at the class
> param in the --set-class statement. In this case, the second "$IPTABLES
> -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30" applies.
>
> In reality, I won't be logging packets that match a CLASSIFY rule. In
> this case, I simply activated the "Activate logging in all rules" switch.
>
> Hope this helps.
>
> Chris
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwb...@li...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
From: <va...@vk...> - 2006-09-30 05:09:06
On Sep 28, 2006, at 5:14 PM, Vadim Kurland wrote:

> this looks like a bug. Could you open a bug report please ?
>
> I do not want to launch an opinion poll on this but I would
> appreciate it if people on the list made suggestions.
>
> What would be the best way to handle situations like this ?
>
> 1. I fix the compiler so that it would use the same chain POSTROUTING
> for all rules in the group, starting with the rule where it does
> matching and all the way to the rules with actions LOG and CLASSIFY.

#1 was implemented in v2.1.6, build 130

--vk

> 2. Or I could make compiler ignore "log" option in combination with
> action Classify (but print a warning). If this is acceptable, what
> about other actions that go into mangle table, such as MARK and
> CONNMARK ?
>
> --vk
>
> On Sep 28, 2006, at 4:05 PM, Chris Malott wrote:
>
>> Perhaps this is a known issue (I'm using fwb_ipt v2.1.6-b), but....
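As an added illustration (not part of the thread, and not fwbuilder's own code), the following Python model shows what the two rule layouts discussed above actually do to traffic. It parses the $IPTABLES lines from Chris's report (a constructed copy is embedded in the block) and walks a forwarded packet through the mangle FORWARD and POSTROUTING chains in the order the kernel does, treating LOG and CLASSIFY as non-terminating targets, which is how the real targets behave. The second embedded script is my reading of Vadim's option 1, with the match, the LOG and the CLASSIFY all reached from POSTROUTING through the per-rule user chain; that layout is an assumption, not the actual build-130 output. The result makes Chris's point concrete: with the generated rules, a packet to port 22 that matches neither rule still ends up in class 1:30, because both CLASSIFY rules in POSTROUTING carry no match and the last one wins. The parser understands only the options that occur in the quoted script.

```python
"""Model of a forwarded packet traversing the iptables mangle table (added
example, not fwbuilder code). Assumes: only the options present in the quoted
script are understood; LOG and CLASSIFY are non-terminating, as in iptables."""
import shlex
from dataclasses import dataclass, field

@dataclass
class Packet:
    o: str                                    # output interface (-o)
    p: str                                    # protocol (-p)
    sport: int
    dport: int
    skb_class: "str | None" = None            # set by CLASSIFY --set-class
    logs: list = field(default_factory=list)  # prefixes emitted by LOG

@dataclass
class Rule:
    match: dict    # subset of {"o", "p", "sport", "dport"}; empty matches all
    target: str    # "LOG", "CLASSIFY", or the name of a user-defined chain
    args: dict     # "set_class" for CLASSIFY, "prefix" for LOG

def parse_script(text):
    """Turn '$IPTABLES ...' lines into {chain: [Rule, ...]} for the mangle table."""
    table = {"FORWARD": [], "POSTROUTING": []}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "$IPTABLES":
            continue                          # comment, echo or blank line
        toks, chain, match, target, args = toks[1:], None, {}, None, {}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "-A":
                chain = toks[i + 1]
            elif t in ("-o", "-p"):
                match[t[1:]] = toks[i + 1]
            elif t in ("--sport", "--dport"):
                match[t[2:]] = int(toks[i + 1])
            elif t == "-j":
                target = toks[i + 1]
            elif t == "--set-class":
                args["set_class"] = toks[i + 1]
            elif t == "--log-prefix":
                args["prefix"] = toks[i + 1]
            elif t not in ("-N", "-t", "-m", "--log-level"):
                i += 1                        # bare flag such as --log-ip-options
                continue
            i += 2                            # every other option took an argument
        if chain is not None:                 # user chains are created on first -A
            table.setdefault(chain, []).append(Rule(match, target, args))
    return table

def matches(rule, pkt):
    return all(getattr(pkt, k) == v for k, v in rule.match.items())

def run_chain(table, chain, pkt):
    for rule in table.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":
            pkt.logs.append(rule.args["prefix"])    # log, then keep going
        elif rule.target == "CLASSIFY":
            pkt.skb_class = rule.args["set_class"]  # set class, then keep going
        else:
            run_chain(table, rule.target, pkt)      # jump; resumes here on return

def classify(script, pkt):
    """(class the packet ended in, LOG prefixes hit): mangle FORWARD, then POSTROUTING."""
    table = parse_script(script)
    run_chain(table, "FORWARD", pkt)
    run_chain(table, "POSTROUTING", pkt)
    return pkt.skb_class, pkt.logs

# Constructed copy of the rules fwbuilder 2.1.6-b generated, as quoted above.
GENERATED = """
$IPTABLES -N Out_RULE_3 -t mangle
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 80 -j Out_RULE_3
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j Out_RULE_3
$IPTABLES -t mangle -A Out_RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:40
$IPTABLES -N Out_RULE_4 -t mangle
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 443 -j Out_RULE_4
$IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 443 -j Out_RULE_4
$IPTABLES -t mangle -A Out_RULE_4 -j LOG --log-level debug --log-prefix "RULE 4 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30
"""

# My reading of option 1 (an assumption, not fwbuilder's real build-130 output).
FIXED = """
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 80 -j Out_RULE_3
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j Out_RULE_3
$IPTABLES -t mangle -A Out_RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- CLASSIFY "
$IPTABLES -t mangle -A Out_RULE_3 -j CLASSIFY --set-class 1:40
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 443 -j Out_RULE_4
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j Out_RULE_4
$IPTABLES -t mangle -A Out_RULE_4 -j LOG --log-level debug --log-prefix "RULE 4 -- CLASSIFY "
$IPTABLES -t mangle -A Out_RULE_4 -j CLASSIFY --set-class 1:30
"""
```

Calling classify(GENERATED, Packet("eth0", "tcp", 40000, 22)) returns ("1:30", []): the packet hits no LOG rule, yet is classified. With FIXED the same packet returns (None, []), and port 80 traffic returns ("1:40", ["RULE 3 -- CLASSIFY "]), so the log entry and the class now belong to the same match.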
From: Chris M. <ch...@tr...> - 2006-09-29 16:47:06
I submitted a bug report.

I agree that feedback from your user community is often invaluable and is what will continue to make FWBuilder an effective and robust program.

I don't think *ignoring* the log option is the correct route to go. I guess it's conceivable somebody would want to generate a log entry when packets hit a classify rule?

As far as your suggestion is concerned in item 1, I think that would work quite well. In general all CLASSIFY rules will be applied to the POSTROUTING chain; I think at one point it was a requirement (maybe it still is? I remember reading somewhere that you could also use it in the OUTPUT/FORWARD chain now). Maybe add a switch that allows the user to specify their chain preference and apply the rules accordingly based on the selection, but default to the POSTROUTING chain?

Just some thoughts.

Best Regards,
Chris

Vadim Kurland wrote:
> this looks like a bug. Could you open a bug report please ?
>
> I do not want to launch an opinion poll on this but I would
> appreciate it if people on the list made suggestions.
>
> What would be the best way to handle situations like this ?
>
> 1. I fix the compiler so that it would use the same chain POSTROUTING
> for all rules in the group, starting with the rule where it does
> matching and all the way to the rules with actions LOG and CLASSIFY.
>
> 2. Or I could make compiler ignore "log" option in combination with
> action Classify (but print a warning). If this is acceptable, what
> about other actions that go into mangle table, such as MARK and
> CONNMARK ?
>
> --vk
From: Tom D. <td...@ro...> - 2006-09-29 18:35:56
On Fri, 29 Sep 2006, Chris Malott wrote:

> I submitted a bug report.
>
> I agree that feedback from your user community is often invaluable and
> is what will continue to make FWBuilder an effective and robust program.
>
> I don't think *ignoring* the log option is the correct route to go. I
> guess it's conceivable somebody would want to generate a log entry when
> packets hit a classify rule?
>
> As far as your suggestion is concerned in item 1, I think that would
> work quite well. In general all CLASSIFY rules will be applied to the
> POSTROUTING chain, I think at one point it was a requirement (maybe it
> still is? I remember reading somewhere that you could also use it in the
> OUTPUT/FORWARD chain now). Maybe add a switch that allows the user to
> specify their chain preference and apply the rules accordingly based on
> the selection, but default to the POSTROUTING chain?

Since I do not really understand the advantages and disadvantages to one way or the other could someone give me a 10,000 ft overview wrt these 2 scenarios?

Regards,

Tom

> Just some thoughts.
>
> Best Regards,
> Chris

--
Tom Diehl td...@ro... Spamtrap address mt...@ro...
From: <va...@vk...> - 2006-09-29 19:10:00
On Sep 29, 2006, at 11:35 AM, Tom Diehl wrote:

> On Fri, 29 Sep 2006, Chris Malott wrote:
>
>> As far as your suggestion is concerned in item 1, I think that would
>> work quite well. In general all CLASSIFY rules will be applied to the
>> POSTROUTING chain, I think at one point it was a requirement (maybe it
>> still is? I remember reading somewhere that you could also use it in the
>> OUTPUT/FORWARD chain now). Maybe add a switch that allows the user to
>> specify their chain preference and apply the rules accordingly based on
>> the selection, but default to the POSTROUTING chain?
>
> Since I do not really understand the advantages and disadvantages to one way
> or the other could someone give me a 10,000 ft overview wrt these 2
> scenarios?

Tom,

which two scenarios are you talking about? I've outlined two possible ways to deal with a rule that has action Classify and logging turned on. Chris also added that the Classify target itself could be used with either the POSTROUTING or the OUTPUT/FORWARD chain.

--vk

> Regards,
>
> Tom
>
> --
> Tom Diehl td...@ro... Spamtrap address mt...@ro...
From: Tom D. <td...@ro...> - 2006-09-30 05:58:58
On Fri, 29 Sep 2006, Vadim Kurland wrote:

> On Sep 29, 2006, at 11:35 AM, Tom Diehl wrote:
>
>> Since I do not really understand the advantages and disadvantages to one
>> way or the other could someone give me a 10,000 ft overview wrt these 2
>> scenarios?
>
> Tom,
>
> which two scenarios you are talking about ? I've outlined two possible ways
> to deal with a rule that has action Classify and logging turned on. Chris
> also added that Classify target itself could be used with either POSTROUTING
> or OUTPUT/FORWARD chain.

I was referring to your ways to deal with the rule. Sorry for the confusion.

Regards,

Tom

--
Tom Diehl td...@ro... Spamtrap address mt...@ro...
From: <va...@vk...> - 2006-09-30 06:12:47
|
On Sep 29, 2006, at 10:58 PM, Tom Diehl wrote:

> On Fri, 29 Sep 2006, Vadim Kurland wrote:
>
>> On Sep 29, 2006, at 11:35 AM, Tom Diehl wrote:
>>
>>> On Fri, 29 Sep 2006, Chris Malott wrote:
>>>> I submitted a bug report.
>>>> I agree that feedback from your user community is often invaluable and
>>>> is what will continue to make FWBuilder an effective and robust program.
>>>> I don't think *ignoring* the log option is the correct route to go. I
>>>> guess it's conceivable somebody would want to generate a log entry when
>>>> packets hit a classify rule?
>>>> As far as your suggestion is concerned in item 1, I think that would
>>>> work quite well. In general all CLASSIFY rules will be applied to the
>>>> POSTROUTING chain, I think at one point it was a requirement (maybe it
>>>> still is? I remember reading somewhere that you could also use it in the
>>>> OUTPUT/FORWARD chain now). Maybe add a switch that allows the user to
>>>> specify their chain preference and apply the rules accordingly based on
>>>> the selection, but default to the POSTROUTING chain?
>>>
>>> Since I do not really understand the advantages and disadvantages to one
>>> way or the other could someone give me a 10,000 ft overview wrt these
>>> 2 scenarios?
>>
>> Tom,
>>
>> which two scenarios are you talking about? I've outlined two possible
>> ways to deal with a rule that has action Classify and logging turned on.
>> Chris also added that Classify target itself could be used with either
>> POSTROUTING or OUTPUT/FORWARD chain.
>
> I was referring to your ways to deal with the rule. Sorry for the
> confusion.

this actually is now a moot point since I was able to fix it in such a way
that compiler honors logging option in combination with Classify action. I
thought it might be difficult so I suggested that logging option could be
ignored in combination with action Classify. Chris pointed out that to be
able to classify packets and log them at the same time is actually quite
useful (for example for debugging).

Packages should appear on the nightly builds site once build completes.

--vk

> Regards,
>
> Tom
>
>>>> Vadim Kurland wrote:
>>>>> this looks like a bug. Could you open a bug report please ?
>>>>> I do not want to launch an opinion poll on this but I would
>>>>> appreciate it if people on the list made suggestions.
>>>>> What would be the best way to handle situations like this ?
>>>>> 1. I fix the compiler so that it would use the same chain POSTROUTING
>>>>> for all rules in the group, starting with the rule where it does
>>>>> matching and all the way to the rules with actions LOG and CLASSIFY.
>>>>> 2. Or I could make compiler ignore "log" option in combination with
>>>>> action Classify (but print a warning). If this is acceptable, what
>>>>> about other actions that go into mangle table, such as MARK and
>>>>> CONNMARK ?
>>>>> --vk
>>>>> On Sep 28, 2006, at 4:05 PM, Chris Malott wrote:
>>>>>> Perhaps this is a known issue (I'm using fwb_ipt v2.1.6-b), but....
>>>>>> if logging is enabled and I wish to apply a CLASSIFY rule fwbuilder
>>>>>> will generate a rule like:
>>>>>> $IPTABLES -N Out_RULE_3 -t mangle
>>>>>> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 80 -j Out_RULE_3
>>>>>> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 80 -j Out_RULE_3
>>>>>> $IPTABLES -t mangle -A Out_RULE_3 -j LOG --log-level debug --log-prefix "RULE 3 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
>>>>>> $IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:40
>>>>>> #
>>>>>> # Rule 4 (eth0)
>>>>>> #
>>>>>> echo "Rule 4 (eth0)"
>>>>>> #
>>>>>> #
>>>>>> #
>>>>>> $IPTABLES -N Out_RULE_4 -t mangle
>>>>>> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --sport 443 -j Out_RULE_4
>>>>>> $IPTABLES -t mangle -A FORWARD -o eth0 -p tcp -m tcp --dport 443 -j Out_RULE_4
>>>>>> $IPTABLES -t mangle -A Out_RULE_4 -j LOG --log-level debug --log-prefix "RULE 4 -- CLASSIFY " --log-tcp-sequence --log-tcp-options --log-ip-options
>>>>>> $IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30
>>>>>> instead of like:
>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 80 -j CLASSIFY --set-class 1:40
>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:40
>>>>>> #
>>>>>> # Rule 4 (eth0)
>>>>>> #
>>>>>> echo "Rule 4 (eth0)"
>>>>>> #
>>>>>> #
>>>>>> #
>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --sport 443 -j CLASSIFY --set-class 1:30
>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 443 -j CLASSIFY --set-class 1:30
>>>>>> Unless I'm missing something, the rules in the first example don't
>>>>>> really make sense. FWBuilder is applying the conditional logic to the
>>>>>> FORWARD chain and arbitrarily applying a CLASSIFY jump from the
>>>>>> POSTROUTING chain, which will effectively shove everything at the
>>>>>> class param in the --set-class statement. In this case, the second
>>>>>> "$IPTABLES -t mangle -A POSTROUTING -j CLASSIFY --set-class 1:30"
>>>>>> applies.
>>>>>> In reality, I won't be logging packets that match a CLASSIFY rule. In
>>>>>> this case, I simply activated the "Activate logging in all rules"
>>>>>> switch.
>>>>>> Hope this helps.
>>>>>> Chris
>>>
>>> --
>>> Tom Diehl td...@ro... Spamtrap address mt...@ro...
>
> --
> Tom Diehl td...@ro... Spamtrap address mt...@ro...
|
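The fix Vadim describes as option 1 (port match, LOG and CLASSIFY all in the same POSTROUTING chain of the mangle table) and the defect Chris reported (a CLASSIFY appended to POSTROUTING with no match, so the last such rule classifies all outbound traffic) can both be shown with a small rule generator plus an audit. The script below is an added example and is not fwbuilder's compiler output or any project code; the chain and log-prefix names (Out_RULE_N, "RULE N -- CLASSIFY ") only mirror the generated script quoted in the thread, the LOG argument `yes`/`no` stands in for the "Activate logging in all rules" switch, and the dry-run default (`IPTABLES="echo iptables"`) and the audit regex are assumptions so that it runs without root. The audit only catches a CLASSIFY placed directly on a built-in chain; it does not try to prove that every user chain is reached through a match.

```shell
#!/bin/sh
# Added example, not fwbuilder's generated code: emit one CLASSIFY rule
# group with the port match, the LOG and the CLASSIFY all in the mangle
# POSTROUTING chain (the thread's option 1). Chain and prefix names
# mirror the quoted generated script; the dry-run default below is an
# assumption so the script runs without root. Set IPTABLES=iptables
# (or the path to the binary) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# classify_rule RULE_NO IFACE PORT CLASS LOG(yes|no)
# Matches TCP traffic leaving IFACE with source or destination PORT.
# With logging on, a user chain in the mangle table carries LOG followed
# by CLASSIFY, so exactly the packets that are logged are classified.
# With logging off, the CLASSIFY target sits on the match itself, which is
# the form Chris expected in his report.
classify_rule() {
  rule=$1; iface=$2; port=$3; class=$4; log=$5
  chain="Out_RULE_$rule"
  if [ "$log" = yes ]; then
    $IPTABLES -t mangle -N "$chain"
    $IPTABLES -t mangle -A POSTROUTING -o "$iface" -p tcp -m tcp --sport "$port" -j "$chain"
    $IPTABLES -t mangle -A POSTROUTING -o "$iface" -p tcp -m tcp --dport "$port" -j "$chain"
    $IPTABLES -t mangle -A "$chain" -j LOG --log-level debug --log-prefix "RULE $rule -- CLASSIFY "
    $IPTABLES -t mangle -A "$chain" -j CLASSIFY --set-class "$class"
  else
    $IPTABLES -t mangle -A POSTROUTING -o "$iface" -p tcp -m tcp --sport "$port" -j CLASSIFY --set-class "$class"
    $IPTABLES -t mangle -A POSTROUTING -o "$iface" -p tcp -m tcp --dport "$port" -j CLASSIFY --set-class "$class"
  fi
}

# audit_rules: read a generated script on stdin and fail (exit 1) if any
# CLASSIFY is appended straight to a built-in chain with no match in
# front of it. That is the "-A POSTROUTING -j CLASSIFY" line from the
# thread: it classifies every packet that traverses the chain, and the
# last such line decides the class for all traffic. The chain list and
# the regex are assumptions of this example.
audit_rules() {
  ! grep -E -e '-A (PREROUTING|INPUT|FORWARD|OUTPUT|POSTROUTING) -j CLASSIFY' >/dev/null
}

# Dry run: print the rule groups for rules 3 and 4 from the thread, then
# audit the same output. The audit passes, so the script exits 0.
classify_rule 3 eth0 80  1:40 yes
classify_rule 4 eth0 443 1:30 yes
{ classify_rule 3 eth0 80 1:40 yes; classify_rule 4 eth0 443 1:30 yes; } | audit_rules
```

Feeding the buggy script from the report through `audit_rules` (the `-A POSTROUTING -j CLASSIFY --set-class 1:30` line) makes it exit 1, while the output of `classify_rule` passes, because its only unconditional `-j CLASSIFY` is inside the user chain that is reached solely through the port matches.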