* logging -- a newbie question
From: Pawel Mueller @ 2004-05-07 13:34 UTC
To: netfilter

Hi folks,

I'm a newbie to netfilter and have a short question:
Where can I see which packets have been DROPPED and which not? I remember that I once read something about /proc/net/??, but I can't find there what I'm searching for. Can you help please?

thx
Pawel
* Re: logging -- a newbie question
From: Antony Stone @ 2004-05-07 13:45 UTC
To: netfilter

On Friday 07 May 2004 2:34 pm, Pawel Mueller wrote:
> Hi folks,
>
> I'm a newbie to netfilter and have a short question:
> Where can I see which packets have been DROPPED and which not?

Netfilter LOGs what you tell it to; it doesn't log anything automatically.

Simply add a rule with the LOG target for the packets you're interested in.

See "man netfilter" for more details.

Regards,

Antony.

--
"The joy of X!!?? I've always hated compiling graphical shite. You have a 10 line program, and it ends up depending on the entire known universe." - Philip Hands

Please reply to the list; please don't CC me.
* Re: logging -- a newbie question
From: Pawel Mueller @ 2004-05-07 14:04 UTC
To: netfilter

Hi,

On Fri, May 07, 2004 at 02:45:38PM +0100, Antony Stone wrote:
> Netfilter LOGs what you tell it to; it doesn't log anything
> automatically.
>
> Simply add a rule with the LOG target for the packets you're
> interested in.

I didn't mean the LOG target. There must be a file where all connections are listed. I know, because I saw it once. But it was half a year ago, so I can't remember. I know I read it in a howto. It was one that described how you can debug a firewall, and it mentioned a file where you can see the whole ACK, SYN and ESTABLISHED or DROPPED stuff for each packet (I think) that passes the firewall.

Idea?

thx
Pawel

PS: sorry, my English is terrible :-(
* Re: logging -- a newbie question
From: Antony Stone @ 2004-05-07 14:19 UTC
To: netfilter

On Friday 07 May 2004 3:04 pm, Pawel Mueller wrote:
> Hi,
>
> On Fri, May 07, 2004 at 02:45:38PM +0100, Antony Stone wrote:
> > Netfilter LOGs what you tell it to; it doesn't log anything
> > automatically.
> >
> > Simply add a rule with the LOG target for the packets you're
> > interested in.
>
> I didn't mean the LOG target. There must be a file where all
> connections are listed.

You mean the connection tracking table at /proc/net/ip_conntrack.

> where you can see the whole ACK, SYN and ESTABLISHED or DROPPED stuff for
> each packet (I think) that passes the firewall.

It won't tell you anything about packets which were dropped. The connection tracking table tells you about connections which are currently established to (or through) the machine. Dropped packets won't create connections, therefore they won't show up in the table.

Also remember that the table is "live" - it only shows you connections which are current *now* - you won't see anything about a connection five seconds after it gets closed.

Regards,

Antony.

--
All matter in the Universe can be placed into one of two categories:
1. Things which need to be fixed.
2. Things which need to be fixed once you've had a few minutes to play with them.

Please reply to the list; please don't CC me.
* Re: logging -- a newbie question
From: Aleksandar Milivojevic @ 2004-05-07 14:19 UTC
To: Pawel Mueller; +Cc: netfilter

Pawel Mueller wrote:
> I didn't mean the LOG target. There must be a file where all
> connections are listed. I know, because I saw it once. But it was half
> a year ago, so I can't remember. I know I read it in a howto. It was one
> that described how you can debug a firewall, and it mentioned a file
> where you can see the whole ACK, SYN and ESTABLISHED or DROPPED stuff for
> each packet (I think) that passes the firewall.

AFAIK, no such thing. "netstat -a" will show you states of current connections to/from the local machine.

tcpdump is your friend while debugging firewalls.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
* Re: logging -- a newbie question
From: Sven Schuster @ 2004-05-07 14:33 UTC
To: Pawel Mueller; +Cc: netfilter

On Fri, May 07, 2004 at 04:04:37PM +0200, Pawel Mueller told us:
> Hi,
>
> I didn't mean the LOG target. There must be a file where all
> connections are listed. I know, because I saw it once. But it was half
> a year ago, so I can't remember. I know I read it in a howto. It was one
> that described how you can debug a firewall, and it mentioned a file
> where you can see the whole ACK, SYN and ESTABLISHED or DROPPED stuff for
> each packet (I think) that passes the firewall.
>
> Idea?

You probably mean /proc/net/ip_conntrack, where all tracked connections are listed. But be aware that this file will exist only if connection tracking is in the kernel, i.e. statically compiled in or the ip_conntrack module is loaded.

HTH
Sven

> thx
> Pawel
>
> PS: sorry, my English is terrible :-(

--
Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
16:32:17 up 1 day, 16:27, 1 user, load average: 0.06, 0.04, 0.01
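The connection tracking table that Antony and Sven point to, read back with a small parser, as an added example that is not from any of the posts. The sample table is constructed, not captured from a real host; its lines follow the legacy /proc/net/ip_conntrack layout (protocol name, protocol number, remaining timeout in seconds, a state word for TCP only, the original-direction tuple, the reply-direction tuple, bracketed flags such as [ASSURED] or [UNREPLIED], then mark= and use=), and the addresses are made up. It shows concretely what the file can and cannot answer: every row is a live flow with a countdown timeout, the state words are conntrack states, and there is no row type for a dropped packet.

```python
"""Read the legacy /proc/net/ip_conntrack listing and summarise it.

Added example; the sample table below is constructed, not captured from a
real host, and follows the 2.4/2.6 ip_conntrack line layout: protocol name,
protocol number, remaining timeout in seconds, a state word (TCP only),
original-direction tuple, reply-direction tuple, bracketed flags, mark=, use=.
"""
import re
from collections import Counter

# Constructed sample table: three TCP flows in different states and one UDP flow.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40212 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=40212 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.7 sport=40213 dport=80 src=203.0.113.7 dst=192.168.1.10 sport=80 dport=40213 [ASSURED] mark=0 use=1
tcp      6 95 SYN_SENT src=192.168.1.10 dst=198.51.100.9 sport=40214 dport=22 [UNREPLIED] src=198.51.100.9 dst=192.168.1.10 sport=22 dport=40214 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=51001 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=51001 [ASSURED] mark=0 use=1
"""

KV_RE = re.compile(r"^(\w+)=(\S*)$")
FLAG_RE = re.compile(r"^\[(\w+)\]$")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_conntrack_line(line):
    """Turn one table line into a dict with orig/reply tuples, flags and state."""
    tokens = line.split()
    entry = {
        "proto": tokens[0],
        "protonum": int(tokens[1]),
        "timeout": int(tokens[2]),   # seconds until the kernel forgets this flow
        "state": None,
        "orig": {},
        "reply": {},
        "flags": [],
    }
    rest = tokens[3:]
    # Only TCP carries a state word (ESTABLISHED, SYN_SENT, TIME_WAIT, ...).
    if entry["proto"] == "tcp":
        entry["state"] = rest[0]
        rest = rest[1:]
    side = "orig"
    for tok in rest:
        flag = FLAG_RE.match(tok)
        if flag:
            entry["flags"].append(flag.group(1))
            continue
        kv = KV_RE.match(tok)
        if not kv:
            continue
        key, value = kv.groups()
        if key in TUPLE_KEYS:
            # The second src= begins the reply-direction tuple.
            if key == "src" and "src" in entry["orig"]:
                side = "reply"
            entry[side][key] = value
        else:
            entry[key] = value       # mark=, use=, and anything else trailing
    return entry


def parse_conntrack(text):
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def state_summary(entries):
    """Count flows per conntrack state; non-TCP flows are keyed by protocol."""
    return Counter(e["state"] or e["proto"].upper() for e in entries)


def unreplied(entries):
    """Flows the kernel has seen in one direction only, e.g. a SYN that got no answer."""
    return [e for e in entries if "UNREPLIED" in e["flags"]]


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    for e in table:
        print(f"{e['proto']:4} {e['state'] or '-':12} "
              f"{e['orig']['src']}:{e['orig']['sport']} -> "
              f"{e['orig']['dst']}:{e['orig']['dport']} "
              f"timeout={e['timeout']}s flags={e['flags']}")
    print("states:", dict(state_summary(table)))
```

Against a real 2.4/2.6 box with conntrack loaded, `parse_conntrack(open("/proc/net/ip_conntrack").read())` gives the same structure. Note the SYN_SENT row marked UNREPLIED: it exists only because this host sent the SYN; an inbound packet that the filter drops never reaches conntrack and so leaves no row at all, which is Antony's point. On later kernels the table moved to /proc/net/nf_conntrack and gained a leading address-family column, so the column offsets would need shifting by two.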
* Re: logging -- a newbie question
From: Aleksandar Milivojevic @ 2004-05-07 14:20 UTC
To: netfilter

Pawel Mueller wrote:
> Hi folks,
>
> I'm a newbie to netfilter and have a short question:
> Where can I see which packets have been DROPPED and which not? I
> remember that I once read something about /proc/net/??, but I can't find
> there what I'm searching for. Can you help please?

You need to use the LOG target. The LOG target is non-terminating (Netfilter will continue matching rules from the chain). Exactly where and how you will use it depends on how you have configured your firewall.

As a rule of thumb, for each DROP target put exactly the same rule with the LOG target just before it. For each chain with DROP policy put a log-all rule at the very end of the chain.

So you would have something like this wherever you have a DROP target:

    # --dport only matches with a protocol given, so -p tcp is required
    -A INPUT -p tcp --dport 80 -j LOG --prefix "kill http "
    -A INPUT -p tcp --dport 80 -j DROP

And something like this wherever you set the default policy to DROP, as the *last* rule in the chain (and make sure you *never* insert any ACCEPT rules after it, for the obvious reason):

    -A INPUT -j LOG --prefix "dropped in input "

Change the prefixes to whatever you want to appear in your log files. This will be logged by the kernel, so it will appear wherever your kernel logs go.

Note that with rules like this, any Joe Cracker can quickly fill your disk, just by bombarding you with packets that your firewall is dropping (and logging).

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
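What those LOG rules produce on the syslog side, and how to read it back, as an added example that is not part of Aleksandar's post. The syslog lines are constructed in the shape the kernel's LOG target emits (the rule's prefix, then IN=/OUT=/MAC=/SRC=/DST= and protocol fields, with bare words such as DF and SYN for flags); the hostname zion, the addresses and the timestamps are made up, and the two prefixes are the ones from the post. The parser keeps the prefix so the per-rule and catch-all log lines can be told apart, and noisy_sources() turns the disk-filling caveat into a check a reader of the log can run: one address tripping a LOG rule many times.

```python
"""Parse kernel LOG-target lines out of syslog and count what was dropped.

Added example; the syslog lines below are constructed in the shape the
iptables LOG target produces (the rule's --prefix, then IN=/OUT=/MAC=/SRC=/
DST=/LEN=/PROTO=/SPT=/DPT= fields and bare flag words such as DF or SYN).
Hostname 'zion', addresses and timestamps are made up.
"""
from collections import Counter

SAMPLE_SYSLOG = """\
May  7 14:20:01 zion kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 14:20:01 zion kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 14:20:02 zion kernel: kill http IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May  7 14:20:05 zion kernel: dropped in input IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.168.1.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=4321 PROTO=UDP SPT=5353 DPT=5353 LEN=56
May  7 14:20:06 zion kernel: dropped in input IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May  7 14:20:07 zion sshd[1234]: Accepted publickey for pawel from 192.168.1.20 port 50000 ssh2
"""

KERNEL_TAG = "kernel: "


def parse_log_line(line):
    """Return a dict for one LOG-target line, or None for unrelated syslog lines."""
    k = line.find(KERNEL_TAG)
    i = line.find("IN=")
    if k < 0 or i < k:            # not a kernel line, or no IN= after the tag
        return None
    rec = {
        "timestamp": line[:15],                          # 'May  7 14:20:01'
        "prefix": line[k + len(KERNEL_TAG):i].rstrip(),  # the rule's --prefix text
        "flags": [],
    }
    for tok in line[i:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP and ICMP lines repeat LEN= and ID= for the inner header;
            # keep the first (IP header) value.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)                     # DF, SYN, ACK, ...
    return rec


def parse_syslog(text):
    recs = (parse_log_line(ln) for ln in text.splitlines())
    return [r for r in recs if r is not None]


def drops_by_source(records):
    """How many times each (prefix, source address) pair tripped a LOG rule."""
    return Counter((r["prefix"], r["SRC"]) for r in records)


def noisy_sources(records, threshold):
    """Sources logged at least `threshold` times: the log-flood case the post
    warns about, seen from the log reader's side."""
    per_src = Counter(r["SRC"] for r in records)
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for (prefix, src), n in drops_by_source(recs).most_common():
        print(f"{n:5d}  {prefix!r:22} from {src}")
    print("noisy:", noisy_sources(recs, 3))
```

Feed it `open("/var/log/kern.log").read()` or whatever file your syslog sends kernel messages to. On the rule side, the same flood concern is normally bounded by adding `-m limit --limit 5/min --limit-burst 10` to the LOG rule, so a burst of dropped packets yields a capped number of log lines while the DROP rule after it still drops every packet.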