Linux Netfilter discussions
* Couple More Questions
@ 2003-10-30 18:57 David C. Hart
  2003-10-30 19:06 ` Robert P. J. Day
  2003-10-30 20:34 ` Jeffrey Laramie
  0 siblings, 2 replies; 5+ messages in thread
From: David C. Hart @ 2003-10-30 18:57 UTC (permalink / raw)
  To: iptables mailing list


I've read the tutorial but a couple of doubts linger.

1. Since I'm only logging rejected packets, any suggestions on getting
name resolution into the log?

2. I'm still a bit confused on the logging of the destination address.
With our one static IP, there are two possibilities. Either a packet is
intended for our IP or for another. Yet, the logs will always show the
destination address as the IP of the LAN interface. Any suggestions?



* Re: Couple More Questions
  2003-10-30 18:57 Couple More Questions David C. Hart
@ 2003-10-30 19:06 ` Robert P. J. Day
  2003-10-30 19:14   ` David C. Hart
  2003-10-30 20:34 ` Jeffrey Laramie
  1 sibling, 1 reply; 5+ messages in thread
From: Robert P. J. Day @ 2003-10-30 19:06 UTC (permalink / raw)
  To: David C. Hart; +Cc: iptables mailing list

On Thu, 30 Oct 2003, David C. Hart wrote:

> I've read the tutorial but a couple of doubts linger.
> 
> 1. Since I'm only logging rejected packets, any suggestions on getting
> name resolution into the log?

you don't need to log only rejected packets.  logging represents a
"non-terminating" rule.  you can log packets and they will continue
to be processed by subsequent rules until you decide what you want
to do with them.

rday




* Re: Couple More Questions
  2003-10-30 19:06 ` Robert P. J. Day
@ 2003-10-30 19:14   ` David C. Hart
  0 siblings, 0 replies; 5+ messages in thread
From: David C. Hart @ 2003-10-30 19:14 UTC (permalink / raw)
  To: Robert P. J. Day; +Cc: iptables mailing list


On Thu, 2003-10-30 at 14:06, Robert P. J. Day wrote:
> On Thu, 30 Oct 2003, David C. Hart wrote:
> 
> > I
Yes. I understand that. With full logging I would never attempt name
resolution but, given that we're only logging rejects, it shouldn't slow
things down to a crawl.
> 



* Re: Couple More Questions
  2003-10-30 18:57 Couple More Questions David C. Hart
  2003-10-30 19:06 ` Robert P. J. Day
@ 2003-10-30 20:34 ` Jeffrey Laramie
  1 sibling, 0 replies; 5+ messages in thread
From: Jeffrey Laramie @ 2003-10-30 20:34 UTC (permalink / raw)
  To: David C. Hart; +Cc: iptables mailing list

David C. Hart wrote:

>I've read the tutorial but a couple of doubts linger.
>
>1. Since I'm only logging rejected packets, any suggestions on getting
>name resolution into the log?

I'm not clear what you want to do. Do you want to do a DNS lookup on the 
rejected packet source IP and log the source name rather than the IP? If 
so I don't know of any way to change the content of the log entries 
generated by netfilter. You could always write a script to parse the 
logs, resolve the IP, and re-log it with the name.

>2. I'm still a bit confused on the logging of the destination address.
>With our one static IP, there are two possibilities. Either a packet is
>intended for our IP or for another. Yet, the logs will always show the
>destination address as the IP of the LAN interface. Any suggestions?
You're receiving packets from the outside world destined for your 
private lan IP address? Could you post the relevant rules from your 
chain and a few log entries that show this?

Jeff



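Jeff's suggestion of a script that parses the logs, resolves the IP and re-logs it with the name, as an added example that is not code from this thread or from the netfilter project. The two kernel LOG lines are constructed, the "IPT-REJECT" prefix is an assumed --log-prefix, and the resolver is injected as a callable so the script runs offline; real use passes resolve_ptr(), which wraps socket.gethostbyaddr(). It keeps the DST field in the output, which is the field question 2 is about, and it refuses PTR answers that are not plain hostnames, because a reverse-DNS record is controlled by whoever holds the address and can carry newlines or terminal escapes into the rewritten log.

```python
"""Post-process netfilter LOG lines: resolve the source address and re-log.

Added example, not code from the thread. Assumptions (not in the original
thread): the log prefix "IPT-REJECT " is hypothetical, the kernel log lines
below are constructed, and a resolver callable is injected so the script
runs offline; pass resolve_ptr() for real reverse lookups.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# key=value tokens written by the LOG target, e.g. "SRC=203.0.113.7";
# bare flags such as DF or SYN carry no "=" and are ignored.
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Only characters legal in a hostname; anything else from a PTR answer is dropped.
_SAFE_NAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Constructed sample in the shape of kernel log lines produced by `-j LOG`.
SAMPLE_LOG = """\
Oct 30 18:57:01 fw kernel: IPT-REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 30 18:57:05 fw kernel: IPT-REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=1025 LEN=24
Oct 30 18:57:09 fw kernel: some unrelated kernel message
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a netfilter LOG line, or None if it is not one."""
    if "kernel:" not in line:
        return None
    fields = dict(_KV_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def resolve_ptr(ip: str) -> Optional[str]:
    """Real reverse lookup. It blocks, which is tolerable only because the
    input is the (small) stream of rejected packets, not every packet."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def safe_name(name: Optional[str]) -> Optional[str]:
    """Accept a PTR answer only if it is a plain hostname; otherwise None."""
    if name and _SAFE_NAME_RE.fullmatch(name):
        return name
    return None


def annotate(log_text: str, resolver: Callable[[str], Optional[str]]) -> List[str]:
    """Re-emit each LOG line as 'name (SRC) -> DST PROTO/DPT', caching lookups."""
    cache: Dict[str, Optional[str]] = {}
    out: List[str] = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        src = fields["SRC"]
        if src not in cache:
            cache[src] = safe_name(resolver(src))
        name = cache[src] or "unresolved"
        proto = fields.get("PROTO", "?")
        dport = fields.get("DPT", "?")
        out.append(f"{name} ({src}) -> {fields['DST']} {proto}/{dport}")
    return out


if __name__ == "__main__":
    for entry in annotate(SAMPLE_LOG, resolve_ptr):
        print(entry)
```

Run it over `journalctl -k` or the syslog file that receives kernel messages rather than hooking it into the packet path: netfilter itself cannot be made to write names, and a lookup that takes seconds must not sit anywhere a packet waits on it.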

* RE: Couple More Questions
@ 2003-10-30 21:04 Daniel Chemko
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Chemko @ 2003-10-30 21:04 UTC (permalink / raw)
  To: David C. Hart, iptables mailing list


> 2. I'm still a bit confused on the logging of the destination address.
> With our one static IP, there are two possibilities. Either a packet is
> intended for our IP or for another. Yet, the logs will always show the
> destination address as the IP of the LAN interface. Any suggestions?

I imagine you are talking about the fact that the only packets getting
logged are those destined for the firewall machine itself. The reason
for this is that before you reach the (PREROUTING?) INPUT or FORWARD
chains, the IP layer analyses the packet to see if the packet is
destined for this machine or not. If it isn't, then the packet is
silently thrown away before reaching Netfilter.

If you DO want to receive packets in an IP layer promiscuous manner, then
you will have to set /proc/sys/net/ipv4/conf/*/rp_filter to 0. This
disables the destination IP filtering.



