* netfilter logging
From: Junji Kanemaru @ 2005-02-03 14:41 UTC
To: netfilter
Hi,
I have a quick question regarding netfilter logging. I'm working on
some unified system logging interface and want to get netfilter
log when some netfilter policy violation occurred.
How can I get that kind of logs? Maybe I need to write ULog filter
for that? I could be showing my ignorance though...
Thanks
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan
* Re: netfilter logging
From: Jörg Harmuth @ 2005-02-03 15:09 UTC
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Junji Kanemaru wrote:
| Hi,
|
| I have a quick question regarding netfilter logging. I'm working on
| some unified system logging interface and want to get netfilter
| log when some netfilter policy violation occurred. How can I get
| that kind of logs? Maybe I need to write ULog filter for that? I
| could be showing my ignorance though...
|
| Thanks
|
The simple approach is to add a LOG rule as the _last_ rule of the
respective chain, e.g.
iptables -A INPUT -j LOG --log-prefix "Policy Violation: "
So every time a packet hits the policy a log entry is generated.
HTH
Joerg
- --
- -----------------------------------------------------------------------
mnemon
Jörg Harmuth
Marie-Curie.Str. 1
53359 Rheinbach
Tel.: (+49) 22 26 87 18 12
Fax: (+49) 22 26 87 18 19
mail: harmuth@mnemon.de
Web: http://www.mnemon.de
PGP-Key: http://www.mnemon.de/keys/harmuth_mnemon.asc
PGP-Fingerprint: 692E 4476 0838 60F8 99E2 7F5D B7D7 E48E 267B 204F
- -----------------------------------------------------------------------
This mail was checked for viruses and other malicious software before
sending. No malicious software was detected.
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCAj6ht9fkjiZ7IE8RArNqAKDD5ji3XfeRyEg0pAIPOOWSnc3I+wCfQ/DO
m3hNNMh+XfeApNHMrx4R0/o=
=UXRC
-----END PGP SIGNATURE-----
* Re: netfilter logging
From: R. DuFresne @ 2005-02-03 18:22 UTC
To: Junji Kanemaru; +Cc: netfilter
On Thu, 3 Feb 2005, Junji Kanemaru wrote:
> Hi,
>
> I have a quick question regarding netfilter logging. I'm working on
> some unified system logging interface and want to get netfilter
> log when some netfilter policy violation occurred.
> How can I get that kind of logs? Maybe I need to write ULog filter
> for that? I could be showing my ignorance though...
It would be hard for netfilter or any app to self police itself. This
would be what an IDS would do, sit behind the netfilter firewall and sound
loud alarms and spew e-mails to all staff when something got past the
firewall and into territory it was not meant to hit.
You could log every rule or all drops and rejects, but that tends to make
big logs and consume lots of time and be of little use unless you are
tracing a problem. Most folks should pay more attention to logging what
has been allowed to pass the firewall than what has been blocked by it.
But a well tuned IDS can enhance one's warm fuzzies. A poorly tuned IDS
will spew so many falsies that it will be ignored, so YMMV.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as its accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
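Added example, not part of any post in this thread: a small Python parser for the kernel log lines that Jörg's LOG rule writes to syslog, plus a summary that groups hits by --log-prefix and by source/protocol/port. That grouping is what Ron's two points call for: it keeps a large drop log digestible, and it lets lines from a LOG rule on accepted traffic be watched separately from the policy hits. The sample syslog lines are constructed; the "Allowed New: " prefix assumes a second LOG rule on new connections (for example `-m state --state NEW -j LOG --log-prefix "Allowed New: "`), which nobody in the thread shows. The field layout (KEY=VALUE tokens with bare flag words such as DF and SYN, and LEN/ID appearing twice for the IP and transport headers) is the one the classic ipt_LOG target emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the ipt_LOG target produces.
# Lines 1-3 come from the "last rule in the chain" LOG rule Jörg describes;
# line 4 assumes an additional LOG rule on accepted new connections;
# line 5 is an unrelated syslog entry that the parser must skip.
SAMPLE_LOG = """\
Feb  3 15:10:01 fw kernel: Policy Violation: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=45678 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 15:10:02 fw kernel: Policy Violation: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Feb  3 15:10:03 fw kernel: Policy Violation: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb  3 15:10:04 fw kernel: Allowed New: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=999 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 15:10:05 fw sshd[123]: Accepted publickey for ops from 10.0.0.9 port 51001 ssh2
"""

# Classic syslog header followed by a kernel message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)
# Every ipt_LOG line starts its field list with IN=; everything before it
# is the --log-prefix string.
FIRST_FIELD_RE = re.compile(r"\bIN=")


def parse_netfilter_line(line):
    """Return a dict for one ipt_LOG syslog line, or None if the line is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    f = FIRST_FIELD_RE.search(rest)
    if not f:
        return None  # a kernel message, but not from the LOG target
    record = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": rest[: f.start()].strip(),
        "flags": [],  # bare words such as DF, SYN, ACK
    }
    for token in rest[f.start():].split():
        if "=" in token:
            key, _, value = token.partition("=")
            # LEN and ID occur twice (IP header, then UDP/ICMP header);
            # keep the first, i.e. the IP-header value. OUT= yields "".
            record.setdefault(key, value)
        else:
            record["flags"].append(token)
    return record


def parse_log(text):
    """Parse a whole syslog excerpt, dropping lines that are not netfilter LOG output."""
    return [r for r in (parse_netfilter_line(l) for l in text.splitlines()) if r]


def flow_key(record):
    """(prefix, SRC, PROTO, service): DPT for TCP/UDP, type/code for ICMP."""
    proto = record.get("PROTO")
    if proto == "ICMP":
        service = f"type{record.get('TYPE')}/code{record.get('CODE')}"
    else:
        service = record.get("DPT")
    return (record["prefix"], record.get("SRC"), proto, service)


def summarize(records):
    """Counts per --log-prefix and per flow key, so noisy sources stand out."""
    by_prefix = Counter(r["prefix"] for r in records)
    by_flow = Counter(flow_key(r) for r in records)
    return by_prefix, by_flow


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_prefix, by_flow = summarize(recs)
    for prefix, n in by_prefix.most_common():
        print(f"{n:5d}  {prefix}")
    for key, n in by_flow.most_common():
        print(f"{n:5d}  {key}")
```

Feeding the real file is a matter of replacing SAMPLE_LOG with the contents of /var/log/messages (or wherever the kernel facility is routed); the summary by flow key is the first thing to look at when, as Ron warns, the raw log is too big to read.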