Re: Creating a logfile for Netfilter

2001-06-17 Thread Peter Cordes
On Fri, Jun 15, 2001 at 08:30:37PM +0200, Jean-Marc Boursot wrote:
> On Friday 15 June 2001 16:32, Stefan Srdic wrote:
> > >
> > > If you create a user defined chain something like the following:
> > >
> > > iptables -N log_droped
> > > iptables -A log_droped -j LOG --log-level 1 --log-prefix
> > > "droped_::" iptables -A log_droped -j DROP
> > >
> > > And make all your firewall rules that need to be dropped -j (jump)
> > > to this chain then they will be logged at log-level 1 (Alert).
> > >
> > > Then, if you edit /etc/syslog.conf and append the following line:
> > > kern.=alert -/var/log/firewall.log
> > > (Nb. line up with tabs)
> > >
> > > Then syslog will log all logs at level alert to the separate file. 
> > > Not much else gets logged at level alert so it should be OK and not
> > > upset other logging.
> 
> Isn't there a problem? Logs at level notice (5) and below are sent to 
> the console. If host activity is too high, console will become unusable 
> (kind of DoS).

Use the magic sysrequest key to change the console log level, or use
setterm -msglevel.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: Creating a logfile for Netfilter

2001-06-15 Thread Jean-Marc Boursot
On Friday 15 June 2001 16:32, Stefan Srdic wrote:
> >
> > If you create a user defined chain something like the following:
> >
> > iptables -N log_droped
> > iptables -A log_droped -j LOG --log-level 1 --log-prefix
> > "droped_::" iptables -A log_droped -j DROP
> >
> > And make all your firewall rules that need to be dropped -j (jump)
> > to this chain then they will be logged at log-level 1 (Alert).
> >
> > Then, if you edit /etc/syslog.conf and append the following line:
> > kern.=alert -/var/log/firewall.log
> > (Nb. line up with tabs)
> >
> > Then syslog will log all logs at level alert to the separate file. 
> > Not much else gets logged at level alert so it should be OK and not
> > upset other logging.

Isn't there a problem? Logs at level notice (5) and below are sent to 
the console. If host activity is too high, console will become unusable 
(kind of DoS).

JM



Re: Creating a logfile for Netfilter

2001-06-15 Thread Stefan Srdic
[EMAIL PROTECTED] wrote:

> Here is an alternative approach which I took.  I think it is a little
> easier.
>
> If you create a user defined chain something like the following:
>
> iptables -N log_droped
> iptables -A log_droped -j LOG --log-level 1 --log-prefix "droped_::"
> iptables -A log_droped -j DROP
>
> And make all your firewall rules that need to be dropped -j (jump) to
> this chain then they will be logged at log-level 1 (Alert).
>
> Then, if you edit /etc/syslog.conf and append the following line:
> kern.=alert -/var/log/firewall.log
> (Nb. line up with tabs)
>
> Then syslog will log all logs at level alert to the separate file.  Not
> much else gets logged at level alert so it should be OK and not upset
> other logging.
>
> Thus, the firewall will log to /var/log/firewall.log - just create this
> file with touch.
>
> Hth.
> Mark.
>

Thanks for the good advice man, I rewrote the core of my firewall last night.
Using your advice I was able to separate distinctive services into their own
chain, filter the datagrams, and then jump all unwanted datagrams into the
LOGNDROP chain.

Now my script is a hell of a lot easier to follow and my logs are nice and neat.

Sorry about the late reply,

Stef



Re: Creating a logfile for Netfilter

2001-06-13 Thread mdevin
On Mon, Jun 11, 2001 at 07:11:00PM +0100, Tim Haynes wrote:
> Stefan Srdic <[EMAIL PROTECTED]> writes:
> 
> > Anyway, as you can guess I am using netfilter for firewalling.
> > 
> > How can I pipe all logs from Netfilter into a single logfile?
> > 
> > Let's say I wanted all log messages from netfilter to be logged into
> > /var/log/netfilter. How could I accomplish that?
> 
> FWIW, my approach: assert a log-prefix in your logging iptables rules, and
> install syslog-ng with a regexp match to pick up your prefix (make it
> distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).
>
Here is an alternative approach which I took.  I think it is a little
easier.

If you create a user defined chain something like the following:

iptables -N log_droped
iptables -A log_droped -j LOG --log-level 1 --log-prefix "droped_::"
iptables -A log_droped -j DROP

And make all your firewall rules that need to be dropped -j (jump) to
this chain then they will be logged at log-level 1 (Alert).

Then, if you edit /etc/syslog.conf and append the following line:
kern.=alert -/var/log/firewall.log
(Nb. line up with tabs)

Then syslog will log all logs at level alert to the separate file.  Not
much else gets logged at level alert so it should be OK and not upset
other logging.

Thus, the firewall will log to /var/log/firewall.log - just create this
file with touch.

Hth.
Mark.



Re: Creating a logfile for Netfilter

2001-06-12 Thread Tim Haynes
Johnny Morano <[EMAIL PROTECTED]> writes upside-down:

> try this one 
> http://www.spodzone.org.uk/packages/security/

Woops. Working URL is
 (I prefer the
short form; don't go around inventing wwws for me).

~Tim
-- 
4:08pm  up 2 days, 15:58,  8 users,  load average: 0.09, 0.68, 0.94
[EMAIL PROTECTED] |We all talk a different language,
http://piglet.is.dreaming.org |Talking in defence



Re: Re: Creating a logfile for Netfilter

2001-06-12 Thread Johnny Morano
try this one 
http://www.spodzone.org.uk/packages/security/



On Tuesday 12 June 2001 15:58, Tomasz Papszun wrote:
(-) On Tue, 12 Jun 2001 at  8:44:53 +0100, Tim Haynes wrote:
(-) >
(-) > found at .
(-)
(-)
(-)  404 Not Found
(-)The requested URL /packages/secure/iptables.sh was not found on this
(-)server.
(-)

-- 
--=::=- 
L . I . F . E  || the linux company
Johnny Morano  ||linux pipo
phone  ||   +32 16 208961
email  ||  [EMAIL PROTECTED]
--=::=- 
 
  
 
"wow, all the pixelated 2 dimensional women i've ever dreamt of."
 --johnny bravo

-- 
 Hi! I'm a .signature virus! copy me into your ~/.signature file to help me
 spread!



Re: Creating a logfile for Netfilter

2001-06-12 Thread Tomasz Papszun
On Tue, 12 Jun 2001 at  8:44:53 +0100, Tim Haynes wrote:
> 
> found at . 


 404 Not Found
   The requested URL /packages/secure/iptables.sh was not found on this
   server.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.



Re: Creating a logfile for Netfilter

2001-06-12 Thread Tim Haynes
Stefan Srdic <[EMAIL PROTECTED]> writes:

> Tim Haynes wrote:
> 
> > FWIW, my approach: assert a log-prefix in your logging iptables rules, and
> > install syslog-ng with a regexp match to pick up your prefix (make it
> > distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).
>
> I kinda understand what you're saying, install syslog 

syslog-*ng*. 

> and configure it to divert logs that match my Netfilter log prefix into a
> separate file.
> 
> Only I don't quite know how to implement this, I have installed syslog-ng
> and have read the man pages, but I can't seem to figure this one out.

Righty. My regular basic start-point for an iptables firewall is to be
found at . Have a look
by all means, but the Important thing to note is that I have a `drop & log'
chain with `--log-prefix="catch-all "' asserted. Your logging rules should
also assert such a distinctive beastie as well.

The syntax of /etc/syslog-ng/syslog-ng.conf is simple enough once you get
to grips with it. What the manpage might not be so clear about is that you
have 4 things to worry about:
1) a source for where to get things from:
   source src { unix-stream("/dev/log"); internal(); file("/proc/kmsg"); };

2) various destinations to send things to:
   destination firewall { file("/var/log/firewall.log" 
   owner("root") group("adm") perm(0640)); };

3) some filters to selectively match what you want:
   filter f_firewall { match("catch-all .*IN=.*OUT="); };

4) a mapping such that logs coming from a source matching a filter wind
   up in a given destination:
   log { source(src); filter(f_firewall); destination(firewall); };

String those together (the default config file has lots of each, which
might be confusing), touch a 0-byte file /var/log/firewall.log, restart
syslog-ng, and life will be peachy. Hopefully ;8)

HTH,

~Tim
-- 
These are the days when you wish|[EMAIL PROTECTED]
your bed was already made.  |http://spodzone.org.uk/
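
As an added Python example (not code from the thread or from any of the posters), here is a small simulation of the two routing schemes discussed above, mdevin's `kern.=alert` selector and Tim's syslog-ng `match()` filter, run over constructed syslog records, plus a parser for the fields of a netfilter LOG line and a check of the console log level that Jean-Marc and Peter discuss. The `facility(kern)` restriction on the match filter, the sample addresses and the printk values are my assumptions, not from the original messages.

```python
import re

# Constructed sample records as syslog sees them: (facility, priority, text).
# Priority 1 = alert, what "--log-level 1" produces; 4 = warning, the LOG
# target's default when no --log-level is given.  Addresses are documentation
# ranges; none of these lines were captured from a real host.
SAMPLE = [
    ("kern", 1, "catch-all IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
                "LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN"),
    ("kern", 4, "catch-all IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 "
                "LEN=84 PROTO=ICMP TYPE=8"),          # rule without --log-level 1
    ("kern", 1, "EXT4-fs (sda1): constructed non-firewall kernel alert"),
    ("daemon", 1, "catch-all IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 "
                  "PROTO=UDP DPT=53"),                # user-space text, not kernel
]


def kern_alert_selector(facility, priority, _msg):
    """syslog.conf 'kern.=alert -/var/log/firewall.log': kernel facility and
    exactly priority 1, whatever the message text says."""
    return facility == "kern" and priority == 1


PREFIX_RE = re.compile(r"catch-all .*IN=.*OUT=")


def prefix_selector(facility, _priority, msg, kern_only=False):
    """syslog-ng 'match("catch-all .*IN=.*OUT=")'.  With kern_only=True the
    filter also carries 'facility(kern)' (my addition), so a user-space
    process writing the same text to /dev/log cannot land in the firewall log."""
    if kern_only and facility != "kern":
        return False
    return PREFIX_RE.search(msg) is not None


def route(records, selector, **kw):
    """Texts the selector would deliver to /var/log/firewall.log."""
    return [msg for fac, pri, msg in records if selector(fac, pri, msg, **kw)]


FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(msg):
    """KEY=VALUE pairs of a netfilter LOG line (OUT= is legitimately empty for
    an INPUT drop); bare flags such as SYN or DF carry no '=' and are skipped."""
    return dict(FIELD_RE.findall(msg))


def reaches_console(printk, level):
    """Given the text of /proc/sys/kernel/printk, e.g. '7 4 1 7', say whether a
    kernel message at 'level' is echoed to the console as well: it is when the
    level is numerically below the first field (console_loglevel), which is
    the value setterm -msglevel and the sysrq loglevel keys change."""
    return level < int(printk.split()[0])


if __name__ == "__main__":
    print("kern.=alert    :", route(SAMPLE, kern_alert_selector))
    print("match() only   :", route(SAMPLE, prefix_selector))
    print("match()+kern   :", route(SAMPLE, prefix_selector, kern_only=True))
    print(parse_fields(SAMPLE[0][2]))
    print("level 1 hits console at '7 4 1 7':", reaches_console("7 4 1 7", 1))
```

Running it shows the trade-off: the priority-only selector pulls in the unrelated kernel alert, the text-only filter accepts a user-space line carrying the prefix, and only the combined filter keeps exactly the kernel LOG lines.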



Re: Creating a logfile for Netfilter

2001-06-11 Thread Stefan Srdic
Tim Haynes wrote:

> FWIW, my approach: assert a log-prefix in your logging iptables rules, and
> install syslog-ng with a regexp match to pick up your prefix (make it
> distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).
>
> HTH,
>
> ~Tim
> --
> The blade cuts clean through|[EMAIL PROTECTED]
>   the island soil,  |http://spodzone.org.uk/
> The years roll back and |
> the world grows small   |

I kinda understand what you're saying, install syslog and configure it to divert
logs that match my Netfilter log prefix into a separate file.

Only I don't quite know how to implement this, I have installed syslog-ng and
have read the man pages, but I can't seem to figure this one out.

Your help would be appreciated.

Thanks,

Stef



Re: Creating a logfile for Netfilter

2001-06-11 Thread Tim Haynes
Stefan Srdic <[EMAIL PROTECTED]> writes:

> Anyway, as you can guess I am using netfilter for firewalling.
> 
> How can I pipe all logs from Netfilter into a single logfile?
> 
> Let's say I wanted all log messages from netfilter to be logged into
> /var/log/netfilter. How could I accomplish that?

FWIW, my approach: assert a log-prefix in your logging iptables rules, and
install syslog-ng with a regexp match to pick up your prefix (make it
distinctive, eg 'Catch-all: .*IN=.*OUT=' would probably be precise enough).

HTH,

~Tim
-- 
The blade cuts clean through|[EMAIL PROTECTED]
  the island soil,  |http://spodzone.org.uk/
The years roll back and |
the world grows small   |


