From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: netfilter@lists.netfilter.org
Subject: Re: logging -- a newbie question
Date: Fri, 07 May 2004 09:20:56 -0500
Message-ID: <409B9B48.5030706@pbl.ca>
In-Reply-To: <20040507133419.GA32666@bofh.rus.uni-stuttgart.de>
Pawel Mueller wrote:
> Hi folks,
>
> I'm a newbie to netfilter and have a short question:
> Where can I see which packages have been DROPPED and which not? I
> remember that I once read something about /proc/net/??, but I can't find
> there what I'm searching for. Can you help, please?
You need to use the LOG target. The LOG target is non-terminating (Netfilter
will continue matching rules from the chain).
Exactly where and how you will use it depends on how you have
configured your firewall. As a rule of thumb, for each DROP target put
exactly the same rule with the LOG target just before it. For each chain
with a DROP policy put a log-all rule at the very end of the chain.
So you would have something like this wherever you have a DROP target
(--dport needs a protocol match, and the LOG option is --log-prefix):
-A INPUT -p tcp --dport 80 -j LOG --log-prefix "kill http "
-A INPUT -p tcp --dport 80 -j DROP
And something like this wherever you set default policy to DROP, as the
*last* rule in the chain (and make sure you *never* insert any ACCEPT
rules after it, for the obvious reason):
-A INPUT -j LOG --log-prefix "dropped in input "
Change the prefixes to whatever you want to appear in your log files.
This will be logged by the kernel, so it will appear wherever your kernel
logs go.
Note that with rules like this, any Joe Cracker can quickly fill your
disk, just by bombarding you with packets that your firewall is dropping
(and logging).
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7