ipchains logging too much!

R. David Whitlock ryandav at u.washington.edu
Tue Mar 20 10:50:37 PST 2001


Okay, this is a prime example of why you shouldn't be too afraid sometimes
to just wade in and do something yourself. Writing your own
rc.firewall script is easy, and it doesn't have to be horribly,
never-endingly complicated at first. If you put things together piece by
piece and start with something simpler, you can grow it out and turn
it into something much more complex. The script you have here is going to
be very intimidating to push through to debug or _really_use_ if you don't
start by getting to know how the little bits work, and how to put it
together into something that is secure. And that's what you're doing this
for, right?

The numbers at the ends of the lines indicate the number of the rule that
was followed when the denied traffic was logged (#30). List out the rules
using some particularly useful permutation of "ipchains -L" (they end up
being entered in a very different way into the kernel than appears in this
script) and count down to find the rule, minus all the variables.
Understand the context of the rule by finding out what all the flags for
ipchains mean (read the man page, the HOWTO, or the book that Robert
Ziegler published (the author of this script wrote a good book that
essentially constructs this exact script piece by piece)).

Also, you seem to be assuming that only the lines in your message are
doing any logging. All lines that start with "ipchains -A" and end in "-l"
are firewall rules being entered that will log if matched. If you look at
the script, you'll see lots of lines like this. There are LOTS more
rules here that log than the ones listed in the "logging section". I
believe the author is simply specifying a few that didn't fit in the
context of his train of thought/programming.

If you don't already have the whole framework of this script in your head
and understand what it is that you are denying as a whole policy, looking
at a single log entry isn't going to tell you as much. The bits after the
IP address and the colon, like 42 in "128.95.112.1:42", tell you the port.
So look in /etc/services and find the description of that port. This
will tell you something about the type of rule that is denying your
traffic. And of course, the IP addresses are listed in your logs in
"source, destination" pairs. This may further help you locate the rule in
this long script. 255.255.255.255 is the "broadcast destination address",
so look for rules that use that variable in the script. (BROADCAST_DEST)

Hope this helps.

-David

"What you hear isn't necessarily what was said,
what you read isn't necessarily what was written."
-Dostoevsky

On Mon, 19 Mar 2001, Benjamin Honsinger wrote:

> Ok, I understand the concept of ipchains and all that, but exactly how it works
> I don't always get. I made my rc.firewall script with the cool web generator.
> Anyway, the way I set it up to log is overkill, something is getting logged
> several times a minute. However, my /var/log/messages file is very cryptic and
> only gives me a number for PROTO= . So could someone please tell me how to stop
> my ipchains from logging the below statements (as well as what service it is
> denying):
>
> Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
> - This one happens _all_ the time
> Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
> - This one happens occasionally
>
> Most of the time it is denying packets from the other couple of linux machines
> I have set up here at school, occasionally it denies another computer.
>
> Below is the logging section from my rc.firewall (if you need the whole script
> it is attached)
>
> # ----------------------------------------------------------------------------
> # Enable logging for selected denied packets
>
> #ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
>
> #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> # --destination-port $PRIVPORTS -j DENY -l
>
> #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> # --destination-port $UNPRIVPORTS -j DENY -l
>
>
> #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> # --icmp-type 5 -j DENY -l
> #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> # --icmp-type 13:255 -j DENY -l
>
> #ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
>
> # ----------------------------------------------------------------------------
>
>
> Thank you very very much in advance for any help! =)
>
> - Ben
