From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Mr Dash Four <mr.dash.four@googlemail.com>,
Eric Leblond <eric@regit.org>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: pgsql-ulogd2
Date: Mon, 16 Jul 2012 17:28:15 +0200 [thread overview]
Message-ID: <20120716152815.GA28284@1984> (raw)
In-Reply-To: <20120716132759.GB522@breakpoint.cc>
On Mon, Jul 16, 2012 at 03:27:59PM +0200, Florian Westphal wrote:
> Mr Dash Four <mr.dash.four@googlemail.com> wrote:
> >
> > >>The specific reason I raised this issue is because on the main
> > >>firewall we have here, if I deploy ulogd2 and use NFCT at its
> > >>present form, I will get the logs from all 7 interfaces, and it
> > >>would make it an absolutely huge task to sift through all these logs
> > >>and "match" the various entries (OK, doing it through the database
> > >>will help up a bit, but not a lot).
> > >
> > >Try something like
> > >iptables -t raw -A PREROUTING (thingsyoudontwant) -j CT --ctevents related
> > What do you mean by "(thingsyoudontwant)"? How would that affect
> > tracking (sorry, I probably need to brush-up on the CT a bit)?
>
> It specifies what events to generate; Events that aren't generated can't be
> seen by NFCT. Tracking itself is not influenced.
>
> As Pablo pointed out, you could also try disabling event reporting
> completely via sysctl and only enable events for those networks/services
> you're interested in.
>
> So e.g. if you are only interested in logging the start and end
> of connections coming from 192.168.1/24 on eth0 and going out
> via eth7 you could try
>
> echo 0 > /proc/sys/net/netfilter/nf_conntrack_events
oops, sorry, this is not what I meant to say. This line above
*completely* disables events. Thus, the line below does not have effect
anymore.
> iptables -t raw -A PREROUTING -i eth0 -o eth7 \
> -s 192.168.1.0/24 -j CT --ctevents new,related,destroy
It should be hard to add some "none" for --ctevents so you can add to
the following rules below:
iptables -t raw -A PREROUTING -i eth0 -o eth7 \
-s 192.168.1.0/24 -j CT --ctevents new,related,destroy
iptables -t raw -A PREROUTING -i eth0 -o eth7 \
! -s 192.168.1.0/24 -j CT --ctevents none
Not to report events for others. Note that the "none" is missing now
in iptables.
Thus, we will only get events coming from 192.168.1.0/24.
Still, for better per-process (not global) filtering some ulogd2
filter that uses the libnetfilter_conntrack filtering based on
Berkeley Socket Filters can help.
I remember that I posted some patches long time ago to add
unicast-based ctevent. These days that could be easier by reusing the
user-space cthelper infrastructure that went into the kernel for
3.7.
next prev parent reply other threads:[~2012-07-16 15:28 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-07-13 14:13 pgsql-ulogd2 Mr Dash Four
2012-07-13 15:55 ` pgsql-ulogd2 Eric Leblond
2012-07-14 13:00 ` pgsql-ulogd2 Mr Dash Four
2012-07-14 21:22 ` pgsql-ulogd2 Eric Leblond
2012-07-15 12:24 ` pgsql-ulogd2 Mr Dash Four
2012-07-15 12:33 ` pgsql-ulogd2 Mr Dash Four
2012-07-15 20:52 ` pgsql-ulogd2 Eric Leblond
2012-07-15 22:36 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 6:33 ` pgsql-ulogd2 Eric Leblond
2012-07-16 12:43 ` pgsql-ulogd2 Mr Dash Four
2012-07-17 23:29 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 8:00 ` pgsql-ulogd2 Florian Westphal
2012-07-16 10:51 ` pgsql-ulogd2 Pablo Neira Ayuso
2012-07-16 12:52 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 13:27 ` pgsql-ulogd2 Florian Westphal
2012-07-16 15:28 ` Pablo Neira Ayuso [this message]
2012-07-17 23:29 ` pgsql-ulogd2 Mr Dash Four
2012-07-16 10:49 ` pgsql-ulogd2 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120716152815.GA28284@1984 \
--to=pablo@netfilter.org \
--cc=eric@regit.org \
--cc=fw@strlen.de \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.