ipchains logging too much!

M. Scholz msperrin at u.washington.edu
Tue Mar 20 18:48:18 PST 2001


Just to make your life easier...

_assuming_ that the script is secure as is, and you know what you're doing
with ipchains rules...
you can add a rule before the one that is causing the logging to
deny a specific port w/o logging. The best way to do this is to make the
deny rule as specific as possible. This is to make sure that you know who
you're not logging, so that if you are being attacked later in time, you
will be able to see all of the ports...

The rule would look something like this:

# Silently (no -l) deny the UDP 631 broadcast logged by rule #39; in the script
# this line must come before the logging rule, since rules are checked in order.
ipchains -A input -i eth0 -p udp -s 168.99.104.12 --sport 631 \
         -d 255.255.255.255 --dport 631 -j DENY

This is assuming that protocol 17 is udp, and that I remember the order of
source and destination addresses. ipchains reads the rules sequentially,
so as long as the specific rules are first, they will be checked first.
Again, make sure to make the rule as specific as possible, otherwise you
will be in trouble later. And remember to comment your code; I usually
date and explain each rule, just so I remember later....

Hope that helped a little as a quick, dirty fix. I think David and Mike
are right for the long run though. If you don't write your own, at least
break down the one you have a couple of times to understand it.

have fun.


If you're happy and you know it....

-Matthew Scholz

On Tue, 20 Mar 2001, Benjamin Honsinger wrote:


> I guess you guys aren't going to let me get by the easy way! <sigh>. You're
> probably right, I'll try and write the script myself. It's just that seeing the
> finished product that Zeigler comes up with is kind of overwhelming and looks
> really hard to do. I'm sure I'll learn more doing it myself, which is really
> why I'm doing this anyway. Thanks for the help, it will be a good starting
> point. Also, I am doing this all from a console, so I don't have to worry about
> locking myself out (I've done that with portsentry though =) I'm sure I'll be
> sending more to the list on this, even though I'll try and find the answer to
> any questions myself first. One last question, anyone know why cups shows other
> computers using cups as printers? One of the things that was getting logged a
> lot was the Internet Printing Protocol, cups apparently is continually asking
> other computers about this.
>
> - Ben
>
> On Tue, 20 Mar 2001, you wrote:
> > Okay, this is a prime example of why you shouldn't be too afraid sometimes
> > to just wade in and do something by yourself. Writing your own
> > rc.firewall script is easy, and it doesn't have to be horribly,
> > never-endingly complicated at first. If you put things together piece by
> > piece and start with something more simple, you can grow it out and turn
> > it into something much more complex. The script you have here is going to
> > be very intimidating to push through to debug or _really_use_ if you don't
> > start by getting to know how the little bits work, and how to put it
> > together into something that is secure. And that's what you're doing this
> > for, right?
> >
> > The numbers at the end of the line indicate the number of the rule that
> > was followed when the denied traffic was logged, (#30). List out the rules
> > using some particularly useful permutation of "ipchains -L" (they end up
> > being entered in a very different way into the kernel than appears in this
> > script) and count down to find the rule, minus all the variables.
> > Understand the context of the rule by finding out what all the flags for
> > ipchains mean (read the man page, the HOWTO, or the book that Robert
> > Zeigler published (the author of this script wrote a good book that
> > essentially constructs this exact script piece by piece.))
> >
> > Also, you seem to be assuming that only the lines in your message are
> > doing any logging. All lines that start with "ipchains -A" and end in "-l"
> > are firewall rules being entered that will log if matched. If you look at
> > the script, you'll see lots of lines like this. There are LOTS of other
> > rules here that log besides the ones listed in the "logging section". I
> > believe the author is simply specifying a few that didn't fit in the
> > context of his train of thought/programming.
> >
> > If you don't already have the whole framework of this script in your head
> > and understand what it is that you are denying as a whole policy, looking
> > at a single log entry isn't going to tell you as much. The bits after the
> > IP address and the colon, like 42 in "128.95.112.1:42", tell you the port.
> > So look in /etc/services and find the descriptions of that port. This
> > will tell you something about the type of rule that is denying your
> > traffic. And of course, the IP addresses are listed in your logs in
> > "source, destination" pairs. This may further help you locate the rule in
> > this long script. 255.255.255.255 is the "broadcast destination address",
> > so look for rules that use that variable in the script. (BROADCAST_DEST)
> >
> > Hope this helps.
> >
> > -David
> >
> > "What you hear isn't necessarily what was said,
> > what you read isn't necessarily what was written."
> > -Dostoevsky
> >
> > On Mon, 19 Mar 2001, Benjamin Honsinger wrote:
> >
> > > Ok, I understand the concept of ipchains and all that, but exactly how it works
> > > I don't always get. I made my rc.firewall script with the cool web generator.
> > > Anyway, the way I set it up to log is overkill, something is getting logged
> > > several times a minute. However, my /var/log/messages file is very cryptic and
> > > only gives me a number for PROTO= . So could someone please tell me how to stop
> > > my ipchains from logging the below statements (as well as what service it is
> > > denying):
> > >
> > > Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
> > > - This one happens _all_ the time
> > > Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
> > > - This one happens occasionally
> > >
> > > Most of the time it is denying packets from the other couple of Linux machines
> > > I have set up here at school, occasionally it denies another computer.
> > >
> > > Below is the logging section from my rc.firewall (if you need the whole script
> > > it is attached)
> > >
> > > # ----------------------------------------------------------------------------
> > > # Enable logging for selected denied packets
> > >
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
> > >
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> > > # --destination-port $PRIVPORTS -j DENY -l
> > >
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> > > # --destination-port $UNPRIVPORTS -j DENY -l
> > >
> > >
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> > > # --icmp-type 5 -j DENY -l
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> > > # --icmp-type 13:255 -j DENY -l
> > >
> > > #ipchains -A input -i $EXTERNAL_INTERFACE -j REJECT -l
> > >
> > > # ----------------------------------------------------------------------------
> > >
> > >
> > > Thank you very very much in advance for any help! =)
> > >
> > > - Ben
>
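
Putting David's reading of the log line together with Matthew's "as specific
as possible" rule, here is an added example. It is my own code, not from
anyone on the thread and not from the script generator: it parses the
kernel's "Packet log:" lines, names the protocol number and the service
behind each port, counts identical denied flows so the noisy one stands out,
and prints the narrowest ipchains rule that silences just that flow. The
sample log (the two lines Ben quoted plus one constructed repeat), the
/etc/services excerpt and all function names are assumptions made for the
example. The rule it prints uses -I with the logging rule's own number so
the specific deny is checked before the rule that does the logging.

```python
import re

# Two log lines quoted in Ben's message, plus one constructed repeat of the
# first so the summary has something to count (sample data, not a real log).
SAMPLE_LOG = """\
Mar 15 13:46:13 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=11 F=0x0000 T=64 (#39)
Mar 15 13:46:43 server kernel: Packet log: input DENY eth0 PROTO=17 168.99.104.12:631 255.255.255.255:631 L=170 S=0x00 I=12 F=0x0000 T=64 (#39)
Mar 19 12:04:58 server kernel: Packet log: input DENY eth0 PROTO=6 168.99.104.238:548 168.99.104.16:49154 L=56 S=0x00 I=57609 F=0x4000 T=255 (#38)
"""

# Layout of an ipchains "Packet log:" line: chain, target, interface,
# PROTO=<IP protocol number>, src:sport, dst:dport, IP length / TOS / ID /
# fragment flags / TTL, and last the number of the rule that matched.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# IP protocol numbers, as in /etc/protocols.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Excerpt of /etc/services for the ports seen in the thread (assumed here;
# the real file on the firewall is the authoritative lookup).
SERVICES = {
    ("udp", 631): "ipp",          # Internet Printing Protocol (CUPS browsing)
    ("tcp", 631): "ipp",
    ("tcp", 548): "afpovertcp",   # AppleShare IP / AFP over TCP
}


def parse_line(line):
    """Fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    proto_num = int(d["proto"])
    return {"chain": d["chain"], "target": d["target"], "iface": d["iface"],
            "proto": PROTO_NAMES.get(proto_num, str(proto_num)),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "rule": int(d["rule"])}


def service_name(proto, port):
    return SERVICES.get((proto, port), "unknown")


def describe(entry):
    """One readable line: what was denied, by which rule, and which service."""
    p = entry["proto"]
    return "rule #%d: %s %s %s:%d (%s) -> %s:%d (%s) on %s" % (
        entry["rule"], entry["target"], p,
        entry["src"], entry["sport"], service_name(p, entry["sport"]),
        entry["dst"], entry["dport"], service_name(p, entry["dport"]),
        entry["iface"])


def summarize(text):
    """Group identical denied flows: {flow_key: (count, example_entry)}."""
    flows = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e["rule"], e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        count, _ = flows.get(key, (0, e))
        flows[key] = (count + 1, e)
    return flows


def quiet_rule(entry):
    """The narrowest ipchains rule that denies this one flow without -l.

    -I with the logging rule's own number inserts the new rule in front of
    it, so the specific match wins and nothing else disappears from the log.
    Only TCP/UDP carry ports; ICMP selectors use --icmp-type and are left out.
    """
    spec = "ipchains -I %s %d -i %s -p %s -s %s" % (
        entry["chain"], entry["rule"], entry["iface"], entry["proto"], entry["src"])
    if entry["proto"] in ("tcp", "udp"):
        spec += " --sport %d -d %s --dport %d" % (
            entry["sport"], entry["dst"], entry["dport"])
    else:
        spec += " -d %s" % entry["dst"]
    return spec + " -j DENY"


if __name__ == "__main__":
    # Noisiest flow first, each with the rule that would silence it.
    for key, (n, entry) in sorted(summarize(SAMPLE_LOG).items(),
                                  key=lambda kv: -kv[1][0]):
        print("%3d x %s" % (n, describe(entry)))
        print("      %s" % quiet_rule(entry))
```

To use it on the real box, feed the output of grep "Packet log" /var/log/messages
to summarize() instead of SAMPLE_LOG. The printed -I rule is for patching the
running chain; when you carry it into rc.firewall, write it as -A and put it
above the logging rule, since ipchains checks rules in order. Leaving the rule
this specific is the point: anything that is not exactly this source, port and
destination still hits the logging rule and stays visible.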





