[fwAnalog] HOSTEXCLUDE does not work

From: Jorma Hytönen <jorma.hytonen~AT~sicom.fi>
Date: Thu May 31 2007 - 15:23:25 CEST


Hi,
I have:

GNU/Linux Debian 4.0 (lenny/sid) kernel: 2.6.19 - as router and firewall machine

Package: fwanalog
Priority: optional
Section: net
Installed-Size: 432
Maintainer: Emanuele Rocca <ema@debian.org>
Architecture: all
Version: 0.6.9-4
Depends: debconf (>= 0.5) | debconf-2.0, perl, analog (>= 5.21), mailx | mailutils, adduser
Suggests: iptables
Filename: pool/main/f/fwanalog/fwanalog_0.6.9-4_all.deb
Size: 131020

My IP: 194.100.225.133
Host: datatuki.sicom.fi
Linux INTIP: 192.168.0.1
      EXTIP: 172.16.8.225

/etc/fwanalog/fwanalog.analog.conf.local includes line:

# If you want to exclude blocked packets from some hosts (e.g. your private network)
HOSTEXCLUDE 172.16.8.*,192.168.0.*,194.100.225.133,datatuki.sicom.fi

And still I get reports like this:

Block statistics of your firewall, created by fwanalog 0.6.9


Analyzed blocked packets from Wed, May 30 2007 at 12:00 AM to Wed, May 30  2007 at 11:58 PM (1.00 days).


Listing blocked packets, sorted by the number of blocked packets.

#blocks: %blocks: Mbytes: last time: blocked packet
-------: -------: ------: ------------------: --------------
 15640:  96.58%:   1.90: May/30/07 11:58 PM: 172.16.8.255
 15640:  96.58%:   1.90: May/30/07 11:58 PM:   172.16.8.255/udp
 10675:  65.92%:   0.83: May/30/07 11:58 PM:     172.16.8.255:netbios-ns (137)/udp
  4965:  30.66%:   1.07: May/30/07 11:56 PM:     172.16.8.255:netbios-dgm (138)/udp
   397:   2.45%:   0.04: May/30/07 11:40 PM: 172.16.8.225
   332:   2.05%:   0.02: May/30/07 11:40 PM:   172.16.8.225/tcp
    17:   0.10%:   0.00: May/30/07 11:40 PM:     172.16.8.225:vnc (5900)/tcp
     5:   0.03%:   0.00: May/30/07 10:47 PM:     172.16.8.225:2967/tcp
     5:   0.03%:   0.00: May/30/07  1:55 PM:     172.16.8.225:ssh (22)/tcp
     4:   0.02%:   0.00: May/30/07  1:11 PM:     172.16.8.225:smtp (25)/tcp
     4:   0.02%:   0.00: May/30/07 11:39 AM:     172.16.8.225:loc-srv (135)/tcp
     2:   0.01%:   0.00: May/30/07  1:39 AM:     172.16.8.225:msrdp (3389)/tcp
     2:   0.01%:   0.00: May/30/07  7:09 PM:     172.16.8.225:32000/tcp
 ..
 ..
 etc.

Does anybody have ideas why?

R-- Jorma

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jorma Hytönen
Nuottakatu 4 A8
50190 MIKKELI
GSM 041 777 4403
Email: jorma.hytonen@sicom.fi
Web: http://datatuki.sicom.fi
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The hardest part of solving a problem is often formulating the right question. The answer is out there, somewhere.
-- By Espen Andersen

Received on Thu May 31 15:24:01 2007

This archive was generated by hypermail 2.1.8 : Sun Jul 01 2007 - 10:22:08 CEST