ipchains logging too much!

Mike mike at boobaz.net
Tue Mar 20 11:06:00 PST 2001


Nice response. As a caveat, most any person who's built firewall rules
from scratch would be wise in warning you to *only apply the changes
locally*. Otherwise you'll invariably be so secure that you've just locked
yourself out and will have to wait until you get physical access to the
computer to fix it. =)

---------------------------
-=<(| mike at boobaz.net |)>=-

On Tue, 20 Mar 2001 at 10:50, R. David Whitlock wrote:

|Okay, this is a prime example of why you shouldn't be too afraid sometimes
|to just wade in and do something yourself. Writing your own
|rc.firewall script is easy, and it doesn't have to be horribly,
|never-endingly complicated at first. If you put things together piece by
|piece and start with something more simple, you can grow it out and turn
|it into something much more complex. The script you have here is going to
|be very intimidating to push through to debug or _really_use_ if you don't
|start by getting to know how the little bits work, and how to put it
|together into something that is secure. And that's what you're doing this
|for, right?
|
|The numbers at the ends of the lines indicate the number of the rule that
|was followed when the denied traffic was logged (#30). List out the rules
|using some particularly useful permutation of "ipchains -L" (they end up
|being entered in a very different way into the kernel than appears in this
|script) and count down to find the rule, minus all the variables.
|Understand the context of the rule by finding out what all the flags for
|ipchains mean (read the man page, the HOWTO, or the book that Robert
|Ziegler published (the author of this script wrote a good book that
|essentially constructs this exact script piece by piece.))
|
|Also, you seem to be assuming that only the lines in your message are
|doing any logging. All lines that start with "ipchains -A" and end in "-l"
|are firewall rules being entered that will log if matched. If you look at
|the script, you'll see lots of lines like this. There are LOTS of other
|rules here that log other than the ones listed in the "logging section". I
|believe the author is simply specifying a few that didn't fit in the
|context of his train of thought/programming.
|
|If you don't already have the whole framework of this script in your head
|and understand what it is that you are denying as a whole policy, looking
|at a single log entry isn't going to tell you as much. The bits after the
|IP address and the colon, like 42 in "128.95.112.1:42", tell you the port.
|So look in /etc/services and find the descriptions of that port. This
|will tell you something about the type of rule that is denying your
|traffic. And of course, the IP addresses are listed in your logs in
|"source, destination" pairs. This may further help you locate the rule in
|this long script. 255.255.255.255 is the "broadcast destination address",
|so look for rules that use that variable in the script. (BROADCAST_DEST)
|
|Hope this helps.
|
|-David
|
| "What you hear isn't necessarily what was said,
| what you read isn't necessarily what was written."
| -Dostoevsky
|
|On Mon, 19 Mar 2001, Benjamin Honsinger wrote:
|
|> Ok, I understand the concept of ipchains and all that, but exactly how it works
|> I don't always get. I made my rc.firewall script with the cool web generator.
|> Anyway, the way I set it up to log is overkill, something is getting logged
|> several times a minute. However, my /var/log/messages file is very cryptic and
|> only gives me a number for PROTO= . So could someone please tell me how to stop
|> my ipchains from logging the below statements (as well as what service it is
|> denying):
|>
|> Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
|> - This one happens _all_ the time
|> Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
|> - This one happens occasionally
|>
|> Most of the time it is denying packets from the other couple of Linux machines
|> I have set up here at school; occasionally it denies another computer.
|>
|> Below is the logging section from my rc.firewall (if you need the whole script
|> it is attached)
|>
|> # ----------------------------------------------------------------------------
|> # Enable logging for selected denied packets
|>
|> #ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
|>
|> #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
|> # --destination-port $PRIVPORTS -j DENY -l
|>
|> #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
|> # --destination-port $UNPRIVPORTS -j DENY -l
|>
|>
|> #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
|> # --icmp-type 5 -j DENY -l
|> #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
|> # --icmp-type 13:255 -j DENY -l
|>
|> #ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
|>
|> # ----------------------------------------------------------------------------
|>
|>
|> Thank you very very much in advance for any help! =)
|>
|> - Ben
|
|
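Since the whole thread turns on reading those "Packet log:" lines, here is a small decoder as an added example; it is not code from the original posts, from David's or Ben's machines, or from the rc.firewall generator. It takes Ben's two log lines (copied in as constructed sample input), splits each field, names the PROTO= number the way /etc/protocols would, looks up ports in a tiny embedded table that stands in for /etc/services (an assumption: only the ports that occur in the sample are included), decodes the F= fragment word (0x4000 is the IP "don't fragment" bit), flags the 255.255.255.255 broadcast destination, and counts which rule number fires most, which is the first thing to check when a firewall is "logging too much".

```python
"""Decode ipchains "Packet log:" lines and count which rules fire.

Added example (not from the thread or from any rc.firewall script).
Runs offline: sample lines are the two Ben quoted, the services table is
an assumed subset of /etc/services covering only those lines.
"""
import re
from collections import Counter

# Constructed sample input: Ben's two log lines, verbatim.
SAMPLE_LOG = """\
Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
"""

# IP protocol numbers as printed after PROTO=; the full list lives in /etc/protocols.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed stand-in for /etc/services: (port, proto) -> service name.
PORT_NAMES = {(631, "udp"): "ipp", (631, "tcp"): "ipp", (548, "tcp"): "afpovertcp"}

# ipchains prints an optional " SYN" marker between T= and the rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)


def parse_ipchains_log(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    frag = int(d["frag"], 16)  # IP flags + fragment offset word, host order
    rec = {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": proto, "proto_name": PROTOCOLS.get(proto, str(proto)),
        "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]), "dport": int(d["dport"]),
        "length": int(d["len"]), "tos": int(d["tos"], 16), "ip_id": int(d["id"]),
        "dont_fragment": bool(frag & 0x4000),   # DF bit
        "more_fragments": bool(frag & 0x2000),  # MF bit
        "frag_offset": (frag & 0x1FFF) * 8,     # low 13 bits, in 8-byte units
        "ttl": int(d["ttl"]), "syn": bool(d["syn"]), "rule": int(d["rule"]),
        "broadcast": d["dst"] == "255.255.255.255",
    }
    if proto == 1:
        # For ICMP the two "port" positions carry ICMP type and code instead.
        rec["icmp_type"], rec["icmp_code"] = rec.pop("sport"), rec.pop("dport")
    else:
        rec["sport_name"] = PORT_NAMES.get((rec["sport"], rec["proto_name"]), "unknown")
        rec["dport_name"] = PORT_NAMES.get((rec["dport"], rec["proto_name"]), "unknown")
    return rec


def rule_counts(log_text):
    """Rule number -> hit count; the noisiest rule is the one to revisit first."""
    return Counter(r["rule"] for r in map(parse_ipchains_log, log_text.splitlines()) if r)


def summarize(rec):
    """One readable line per entry, naming protocol, services and notable flags."""
    if rec["proto"] == 1:
        ends = f"{rec['src']} -> {rec['dst']} type {rec['icmp_type']} code {rec['icmp_code']}"
    else:
        ends = (f"{rec['src']}:{rec['sport']} ({rec['sport_name']}) -> "
                f"{rec['dst']}:{rec['dport']} ({rec['dport_name']})")
    flags = []
    if rec["broadcast"]:
        flags.append("broadcast dst")
    if rec["dont_fragment"]:
        flags.append("DF")
    if rec["more_fragments"] or rec["frag_offset"]:
        flags.append(f"fragment offset {rec['frag_offset']}")
    if rec["syn"]:
        flags.append("SYN")
    extra = f" [{', '.join(flags)}]" if flags else ""
    return (f"rule #{rec['rule']} in chain '{rec['chain']}' -> {rec['target']} on "
            f"{rec['iface']}: {rec['proto_name']} {ends} ttl={rec['ttl']}{extra}")


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(summarize(parse_ipchains_log(line)))
    for rule, hits in rule_counts(SAMPLE_LOG).most_common():
        print(f"rule #{rule}: {hits} hit(s)")
```

Once the decoder names the rule number and the service, the next step is exactly David's: `ipchains -L input -n -v` and count down to that rule position to see which line of rc.firewall produced it. Feed a whole /var/log/messages through `rule_counts` rather than the two sample lines to find the rule that is really responsible for the noise.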



