ipchains logging too much!

Benjamin Honsinger Honsinger at whs.wsd.wednet.edu
Tue Mar 20 12:04:36 PST 2001


I guess you guys aren't going to let me get by the easy way! <sigh>. You're
probably right, I'll try and write the script myself. It's just that seeing the
finished product that Ziegler comes up with is kind of overwhelming and looks
really hard to do. I'm sure I'll learn more doing it myself, which is really
why I'm doing this anyway. Thanks for the help, it will be a good starting
point. Also, I am doing this all from a console, so I don't have to worry about
locking myself out (I've done that with portsentry though =). I'm sure I'll be
sending more to the list on this, even though I'll try and find the answer to
any questions myself first. One last question, anyone know why cups shows other
computers using cups as printers? One of the things that was getting logged a
lot was the Internet Printing Protocol, cups apparently is continually asking
other computers about this.

- Ben

On Tue, 20 Mar 2001, you wrote:

> Okay, this is a prime example of why you shouldn't be too afraid sometimes
> to just wade in and do something through yourself. Writing your own
> rc.firewall script is easy, and it doesn't have to be horribly,
> never-endingly complicated at first. If you put things together piece by
> piece and start with something more simple, you can grow it out and turn
> it into something much more complex. The script you have here is going to
> be very intimidating to push through to debug or _really_use_ if you don't
> start by getting to know how the little bits work, and how to put it
> together into something that is secure. And that's what you're doing this
> for, right?
>
> The numbers at the end of the line indicate the number of the rule that
> was followed when the denied traffic was logged (#30). List out the rules
> using some particularly useful permutation of "ipchains -L" (they end up
> being entered in a very different way into the kernel than appears in this
> script) and count down to find the rule, minus all the variables.
> Understand the context of the rule by finding out what all the flags for
> ipchains mean (read the man page, the HOWTO, or the book that Robert
> Ziegler published (the author of this script wrote a good book that
> essentially constructs this exact script piece by piece.))
>
> Also, you seem to be assuming that only the lines in your message are
> doing any logging. All lines that start with "ipchains -A" and end in "-l"
> are firewall rules being entered that will log if matched. If you look at
> the script, you'll see lots of lines like this. There are LOTS more
> rules here that log than the ones listed in the "logging section". I
> believe the author is simply specifying a few that didn't fit in the
> context of his train of thought/programming.
>
> If you don't already have the whole framework of this script in your head
> and understand what it is that you are denying as a whole policy, looking
> at a single log entry isn't going to tell you as much. The bits after the
> ip address and the colon, like 42 in "128.95.112.1:42", tell you the port.
> So look in /etc/services and find the descriptions of that port. This
> will tell you something about the type of rule that is denying your
> traffic. And of course, the ip addresses are listed in your logs in
> "source, destination" pairs. This may further help you locate the rule in
> this long script. 255.255.255.255 is the "broadcast destination address",
> so look for rules that use that variable in the script. (BROADCAST_DEST)
>
> Hope this helps.
>
> -David
>
> "What you hear isn't necessarily what was said,
> what you read isn't necessarily what was written."
> -Dostoevsky
>
> On Mon, 19 Mar 2001, Benjamin Honsinger wrote:
>
> > Ok, I understand the concept of ipchains and all that, but exactly how it works
> > I don't always get. I made my rc.firewall script with the cool web generator.
> > Anyway, the way I set it up to log is overkill, something is getting logged
> > several times a minute. However, my /var/log/messages file is very cryptic and
> > only gives me a number for PROTO= . So could someone please tell me how to stop
> > my ipchains from logging the below statements (as well as what service it is
> > denying):
> >
> > Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
> > - This one happens _all_ the time
> > Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
> > - This one happens occasionally
> >
> > Most of the time it is denying packets from the other couple of linux machines
> > I have set up here at school, occasionally it denies another computer.
> >
> > Below is the logging section from my rc.firewall (if you need the whole script
> > it is attached)
> >
> > # ----------------------------------------------------------------------------
> > # Enable logging for selected denied packets
> >
> > #ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
> >
> > #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> > # --destination-port $PRIVPORTS -j DENY -l
> >
> > #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> > # --destination-port $UNPRIVPORTS -j DENY -l
> >
> >
> > #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> > # --icmp-type 5 -j DENY -l
> > #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> > # --icmp-type 13:255 -j DENY -l
> >
> > #ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
> >
> > # ----------------------------------------------------------------------------
> >
> >
> > Thank you very very much in advance for any help! =)
> >
> > - Ben
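As an added worked example (not part of this thread or of Ziegler's script), a small Python parser for the ipchains "Packet log:" lines quoted above: it decodes PROTO= through a constructed subset of /etc/protocols, names the ports from a constructed subset of /etc/services, pulls out the trailing (#rule) number David describes, flags the 255.255.255.255 broadcast destination, and counts which rule is denying the most traffic. The sample lines are the two from Ben's message plus one unrelated syslog line to show that non-packet lines are skipped.

```python
import re
from collections import Counter

# Constructed subset of /etc/protocols and /etc/services; a real tool would read the files.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {548: "afpovertcp", 631: "ipp"}

# ipchains layout: chain target iface PROTO=n src:sport dst:dport L= S= I= F= T= (#rule)
# The trailing rule number is only present when the kernel knows which rule matched.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

def parse_packet_log(line):
    """Decode one ipchains log line; return None for lines that are not packet logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, sport, dport = int(m["proto"]), int(m["sport"]), int(m["dport"])
    return {
        "chain": m["chain"], "target": m["target"], "iface": m["iface"],
        "proto": PROTOCOLS.get(proto, str(proto)),
        "src": m["src"], "sport": sport, "sservice": SERVICES.get(sport, str(sport)),
        "dst": m["dst"], "dport": dport, "dservice": SERVICES.get(dport, str(dport)),
        "broadcast": m["dst"] == "255.255.255.255",  # look for BROADCAST_DEST rules
        "rule": int(m["rule"]) if m["rule"] else None,
    }

def summarize(lines):
    """Count DENY entries by (proto, src service, dst service, rule), noisiest first."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["target"] == "DENY":
            counts[(rec["proto"], rec["sservice"], rec["dservice"], rec["rule"])] += 1
    return counts.most_common()

# Constructed sample: the two lines quoted in the thread plus an unrelated syslog line.
SAMPLE = [
    "Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)",
    "Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)",
    "Mar 19 12:05:00 server sshd[123]: Accepted password for ben from 168.99.104.16",
]

if __name__ == "__main__":
    for (proto, sservice, dservice, rule), n in summarize(SAMPLE):
        print(f"{n:3d}  {proto} {sservice} -> {dservice}  rule #{rule}")
```

Run against the real /var/log/messages, the summary's top entry is the rule to look up with "ipchains -L -n -v"; for the first sample line it reads as UDP ipp to the broadcast address, denied by rule #39.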


