Unix Technical Forum

syslog / iptables logging

This is a discussion on syslog / iptables logging within the Slackware Linux Support forums, part of the Unix Operating Systems category.


  #1 (permalink)  
Old 02-20-2008, 01:03 PM
Laurent
 
Posts: n/a
syslog / iptables logging

Hi all,

I am looking for a clean way to log firewall iptables messages on
Slackware 10.0.

For now I use the following syslog.conf to redirect debug messages to
the firewall log:

kern.*;kern.!=debug -/var/log/syslog
kern.=debug -/var/log/firewall

but this also includes miscellaneous other kernel debug messages I want to
keep in the standard /var/log/debug log file.

So my question is "will I be condemned to use ulogd?"

Best regards

--
Laurent

Remove -mux to write to me
Remove -mux to email me
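Why the two syslog.conf lines above cannot separate the iptables messages from the other kernel debug output: syslogd selects on facility and priority only and never looks at the message text. The following is an added example, not from the post and not sysklogd's code. It models the selector rules of syslog.conf(5) in Python (facility.priority with `*`, `=`, `!`, `!=` and `none`) so that Laurent's configuration can be checked offline; the configuration is his, the message labels in `demo()` and the helper names (`selected`, `matches`, `route`) are assumptions.

```python
"""Model of the selector rules in syslog.conf(5) as sysklogd applies them.

Constructed example: only the selector semantics (facility.priority with
'*', '=', '!', '!=' and 'none') are modelled, enough to check offline where
a message lands. It is not sysklogd's code.
"""
from typing import Dict, List, Set, Tuple

# Priorities from most to least severe; "info" as a spec means info and above.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]


def _priority_set(spec: str) -> Tuple[bool, Set[str]]:
    """Translate one priority spec into (subtract?, priorities it names)."""
    subtract = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "*":
        return subtract, set(PRIORITIES)
    if spec == "none":                     # 'none' always subtracts everything
        return True, set(PRIORITIES)
    if spec.startswith("="):               # '=info' is exactly info
        name = spec[1:]
        if name not in PRIORITIES:
            raise ValueError(f"unknown priority {name!r}")
        return subtract, {name}
    if spec not in PRIORITIES:
        raise ValueError(f"unknown priority {spec!r}")
    return subtract, set(PRIORITIES[: PRIORITIES.index(spec) + 1])


def selected(selector: str) -> Dict[str, Set[str]]:
    """Evaluate a selector such as 'kern.*;kern.!=debug' left to right.

    Each ';'-separated part adds to or subtracts from the per-facility set,
    so a later '!' part narrows what an earlier part enabled.
    """
    table: Dict[str, Set[str]] = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        facilities, _, spec = part.strip().rpartition(".")
        subtract, prios = _priority_set(spec)
        names = FACILITIES if facilities == "*" else [f.strip() for f in facilities.split(",")]
        for fac in names:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            if subtract:
                table[fac] -= prios
            else:
                table[fac] |= prios
    return table


def matches(selector: str, facility: str, priority: str) -> bool:
    """True when a (facility, priority) message is caught by the selector."""
    return priority in selected(selector)[facility]


def route(conf: List[Tuple[str, str]], facility: str, priority: str) -> List[str]:
    """Every target in conf whose selector matches; the leading '-' on a
    target only turns off fsync after each write, so it is dropped here."""
    return [target.lstrip("-") for selector, target in conf
            if matches(selector, facility, priority)]


# Laurent's two lines from the post above.
LAURENT_CONF = [("kern.*;kern.!=debug", "-/var/log/syslog"),
                ("kern.=debug", "-/var/log/firewall")]


def demo() -> Dict[str, List[str]]:
    """Route three constructed messages: syslogd sees only (facility, priority),
    so an iptables LOG line and a driver message at the same priority are
    indistinguishable to it, whatever --log-prefix says."""
    return {
        "iptables LOG at debug":       route(LAURENT_CONF, "kern", "debug"),
        "usb driver message at debug": route(LAURENT_CONF, "kern", "debug"),
        "iptables LOG at info":        route(LAURENT_CONF, "kern", "info"),
    }


if __name__ == "__main__":
    for label, targets in demo().items():
        print(f"{label:30s} -> {targets}")
```

Running it shows both kern.debug messages landing in /var/log/firewall and the kern.info one in /var/log/syslog; the only knobs syslogd offers are the facility and the `--log-level` of the LOG rule, which is why splitting on the prefix has to happen in a separate tool.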

  #2 (permalink)  
Old 02-20-2008, 01:03 PM
alex
 
Posts: n/a
Re: syslog / iptables logging

Laurent wrote:

> Hi all,
>
> I am looking for a clean way to log firewall iptables messages on
> Slackware 10.0.
>
> For now I use the following syslog.conf to redirect debug messages to
> firewall log :
> kern.*;kern.!=debug -/var/log/syslog
> kern.=debug -/var/log/firewall
> but this also includes miscellaneous other kernel debug messages I want to
> keep in standard /var/log/debug log file.
>
> So my question is "will I be condemned to use ulogd?"
>
> Best regards
>


I would suggest you look into fireparse http://aaron.marasco.com/linux.html;
you could use its advanced features to sort, analyze, and make some
nice HTML output of your firewall... or just stick with the basics and have
it automatically pull all firewall related things from the syslog into a
separate firewall.log. To use it, you just have to make your iptables
rules log in the fireparse format, such as:

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "fp=bad_tcp_packets:1 a=DROP "

--
alex
  #3 (permalink)  
Old 02-20-2008, 01:03 PM
Laurent
 
Posts: n/a
Re: syslog / iptables logging

On Sun, 27 Nov 2005 13:06:38 +0000, alex wrote:

> Laurent wrote:
>
>> Hi all,
>>
>> I am looking for a clean way to log firewall iptables messages on
>> Slackware 10.0.
>>
>> For now I use the following syslog.conf to redirect debug messages to
>> firewall log :
>> kern.*;kern.!=debug -/var/log/syslog
>> kern.=debug -/var/log/firewall
>> but this also includes miscellaneous other kernel debug messages I want to
>> keep in standard /var/log/debug log file.
>>
>> So my question is "will I be condemned to use ulogd?"
>>
>> Best regards
>>

>
> I would suggest you look into fireparse http://aaron.marasco.com/linux.html;
> you could use its advanced features to sort, analyze, and make some
> nice HTML output of your firewall... or just stick with the basics and have
> it automatically pull all firewall related things from the syslog into a
> separate firewall.log. To use it, you just have to make your iptables
> rules log in the fireparse format, such as:
>
> $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "fp=bad_tcp_packets:1 a=DROP "


OK, thank you Alex, I am checking the script.

See U

--
Laurent

Remove -mux to write to me
Remove -mux to email me

  #4 (permalink)  
Old 02-20-2008, 01:03 PM
Robby Workman
 
Posts: n/a
Re: syslog / iptables logging

Laurent wrote:
> Hi all,
>
> I am looking for a clean way to log firewall iptables messages on
> Slackware 10.0.
>
> For now I use the following syslog.conf to redirect debug messages to
> firewall log :
> kern.*;kern.!=debug -/var/log/syslog
> kern.=debug -/var/log/firewall
> but this also includes miscellaneous other kernel debug messages I want to
> keep in standard /var/log/debug log file.
>
> So my question is "will I be condemned to use ulogd?"
>
> Best regards
>



What's wrong with using ulogd? If I understand the netfilter changes
[1] that have gone into 2.6.14, the userspace logging is going to more
or less be the standard for iptables in the future, although it will
retain the capability to log via syslog.


[1] Bear in mind that it's quite possible for me to *not* fully
understand the 2.6.14 changes to netfilter.

RW

--

http://rlworkman.net
  #5 (permalink)  
Old 02-20-2008, 01:03 PM
Mikhail Zotov
 
Posts: n/a
Re: syslog / iptables logging

Laurent wrote:
> I am looking for a clean way to log firewall iptables messages on
> Slackware 10.0.
>
> For now I use the following syslog.conf to redirect debug messages to
> firewall log :
> kern.*;kern.!=debug -/var/log/syslog
> kern.=debug -/var/log/firewall
> but this also includes miscellaneous other kernel debug messages I want to
> keep in standard /var/log/debug log file.
>
> So my question is "will I be condemned to use ulogd?"


IIRC, with the stock syslog.conf in Slack 10.0,
iptables' log messages do go to /var/log/syslog.

Mikhail

  #6 (permalink)  
Old 02-20-2008, 01:03 PM
Grant
 
Posts: n/a
Re: syslog / iptables logging

On 27 Nov 2005 10:39:05 -0800, "Mikhail Zotov" <muxaul@lenta.ru> wrote:

>IIRC, with the stock syslog.conf in Slack 10.0,
>iptables' log messages do go to /var/log/syslog.


Depends on the iptables logging command used; in my setup with 2.4.32:

a) sample Internet noise to /var/log/messages:

MLIMIT="--match limit --limit"
....
# data collection, sample what we're dropping?
iptables -A INPUT -p all $MLIMIT 6/min --limit-burst 6 \
       -j LOG --log-level info --log-prefix "InpDrop: "
              ^^^^^^^^^^^^^^^^
              `--> to /var/log/messages

b) /var/log/debug for forwarding failures:

# data collection, check what we're dropping
iptables -A FORWARD -p all \
       -j LOG --log-level debug --log-prefix "ForDrop: "
              ^^^^^^^^^^^^^^^^^
              `--> to /var/log/debug

ipfilter (iptables) in 2.6 series has too many bugs turning up to trust,
see changelog for latest stable 2.6.14.3, much of it is iptables repair

Grant.
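Grant's prefixes ("InpDrop: ", "ForDrop: ") and alex's fireparse prefix ("fp=bad_tcp_packets:1 a=DROP ") both put the rule identity into the message text, which is what a post-processor needs, since syslogd itself only routes on facility and priority. The script below is an added example, not fireparse's code and not from any post in the thread: it parses iptables LOG lines out of a constructed syslog sample, splits them from the unrelated messages (what fireparse does when it pulls firewall lines into a separate firewall.log), and tallies them by rule, protocol and destination port. The host name, timestamps and addresses are made up, and the function names are assumptions.

```python
"""Pull iptables LOG records out of a syslog stream and split them by prefix.

Constructed example, not fireparse's code: the host name, timestamps and
addresses below are made up (RFC 5737 documentation ranges). The prefixes
follow the two styles in the thread, a plain tag ("InpDrop: ") and the
fireparse key=value form ("fp=bad_tcp_packets:1 a=DROP ").
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A sysklogd kernel line: timestamp, host, "kernel:", then the LOG text.
# Everything between "kernel: " and the first "IN=" is the --log-prefix.
_KERNEL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<body>.*)$"
)
# fireparse prefix: fp=<chain or rule name>:<rule number> a=<action>
_FIREPARSE = re.compile(r"^fp=(?P<rule>[^:\s]+):(?P<n>\d+) a=(?P<action>\S+)\s*$")

# Constructed sample: three LOG lines, one unrelated kernel line, one sshd line.
SAMPLE_SYSLOG = [
    "Nov 27 13:06:38 slack kernel: InpDrop: IN=eth0 OUT= "
    "MAC=00:0c:29:3e:1a:5b:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=9182 DF PROTO=TCP SPT=3312 DPT=135 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 27 13:06:40 slack kernel: fp=bad_tcp_packets:1 a=DROP IN=eth0 OUT= "
    "MAC=00:0c:29:3e:1a:5b:00:50:56:c0:00:08:08:00 SRC=203.0.113.7 DST=198.51.100.5 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=6000 DPT=22 "
    "WINDOW=0 RES=0x00 ACK URGP=0",
    "Nov 27 13:06:41 slack kernel: usb 1-1: new full speed USB device using uhci_hcd",
    "Nov 27 13:06:42 slack sshd[1234]: Accepted publickey for laurent from 192.0.2.50",
    "Nov 27 13:06:45 slack kernel: InpDrop: IN=eth0 OUT= "
    "MAC=00:0c:29:3e:1a:5b:00:50:56:c0:00:08:08:00 SRC=192.0.2.10 DST=198.51.100.5 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=9183 DF PROTO=TCP SPT=3313 DPT=135 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
]


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Fields of one iptables LOG line, or None for any other line."""
    m = _KERNEL_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec: Dict[str, object] = {"ts": m.group("ts"), "host": m.group("host"),
                              "prefix": m.group("prefix")}
    flags = set()
    # The body is "IN=eth0 OUT= MAC=... SRC=... PROTO=TCP SPT=.. DPT=.. SYN ..."
    for token in ("IN=" + m.group("body")).split():
        key, eq, value = token.partition("=")
        if eq:
            rec[key] = value          # value may be empty, e.g. OUT= on INPUT
        else:
            flags.add(token)          # bare tokens: DF, MF, SYN, ACK, RST, ...
    rec["flags"] = flags
    fp = _FIREPARSE.match(m.group("prefix"))
    if fp:                            # fireparse-style prefix carries rule and verdict
        rec["rule"], rec["action"] = fp.group("rule"), fp.group("action")
    return rec


def split_firewall(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Separate iptables records from everything else, the way fireparse pulls
    firewall lines out of syslog into their own firewall.log."""
    firewall, rest = [], []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            rest.append(line)
        else:
            firewall.append(rec)
    return firewall, rest


def summarize(records: List[Dict[str, object]]) -> Counter:
    """Count records per (rule label, protocol, destination port)."""
    counts: Counter = Counter()
    for r in records:
        label = r.get("rule") or str(r["prefix"]).strip()
        counts[(label, r.get("PROTO", "?"), r.get("DPT", "-"))] += 1
    return counts


if __name__ == "__main__":
    fw, other = split_firewall(SAMPLE_SYSLOG)
    print(f"{len(fw)} firewall records, {len(other)} other lines")
    for key, n in sorted(summarize(fw).items()):
        print(f"{n:4d}  {key}")
```

The split relies on the fact that every LOG line carries an `IN=` field immediately after the prefix, so a prefix that ends with a space (as both examples in the thread do) is recovered exactly; the tally is the kind of per-rule, per-port count a firewall report is built from, and it works the same whether the rules log at info or at debug.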
  #7 (permalink)  
Old 02-20-2008, 01:05 PM
Laurent
 
Posts: n/a
Re: syslog / iptables logging

On Sun, 27 Nov 2005 09:13:50 -0600, Robby Workman wrote:

> Laurent wrote:
>> Hi all,
>>
>> I am looking for a clean way to log firewall iptables messages on
>> Slackware 10.0.
>>
>> For now I use the following syslog.conf to redirect debug messages to
>> firewall log :
>> kern.*;kern.!=debug -/var/log/syslog
>> kern.=debug -/var/log/firewall
>> but this also includes miscellaneous other kernel debug messages I want to
>> keep in standard /var/log/debug log file.
>>
>> So my question is "will I be condemned to use ulogd?"
>>
>> Best regards
>>

>
>
> What's wrong with using ulogd? If I understand the netfilter changes
> [1] that have gone into 2.6.14, the userspace logging is going to more
> or less be the standard for iptables in the future, although it will
> retain the capability to log via syslog.
>
>
> [1] Bear in mind that it's quite possible for me to *not* fully
> understand the 2.6.14 changes to netfilter.
>
> RW


Well, for now I would prefer to keep the system "as Slack as possible"!
I mean I prefer using the stable 2.4 kernel. So I will probably wait until the 2.6
kernel is released (too many changes for my old and stable system)!

--
Laurent

Remove -mux to write to me
Remove -mux to email me
