LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-09-2006, 10:37 AM   #1
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Shorewall not logging messages


Hello Friends!
Recently I installed the Shorewall firewall on my Fedora Core 4 machine. My /var/log/messages has no logs about the packets except the Shorewall start and stop messages.
I tried to change the default logging file in /etc/shorewall/shorewall.conf
by entering a different file location, from
LOGFILE=/var/log/messages
to
LOGFILE=/var/log/shore

Still no logs.

My /etc/shorewall/policy has these entries:

#SOURCE  DEST  POLICY  LOG    LIMIT:BURST
#                      LEVEL
fw       net   ACCEPT  -
net      all   DROP    info
all      all   REJECT  info

I had a few logs just after installing and configuring it, and then I installed PSAD, but since then I have had no logs w.r.t. packets. Is this related to PSAD's configuration?
thanks and regards
Anuj

Linux Rocks
 
Old 01-10-2006, 02:43 AM   #2
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Hey Anuj,
I just looked up Shorewall on Google and find it's a frontend for iptables. That means that logging is going to take place the same way iptables logs stuff. Now I believe that the logs for iptables are stored in /var/log/iptables, but I'm not sure. I think you should find your Shorewall logs in the same place.

Why are you using Shorewall anyway in the first place? I believe iptables is good enough; try learning the basics of iptables first and then use a GUI to maintain stuff instead of GUI-ing right away. That's what I would do anyway if I wanted to learn iptables, which I want to do one of these days.

I don't believe /var/log/messages is going to give you anything else apart from what you have described; it's the place where the system logs messages; individual program logs are stored elsewhere.

Cheers
Arvind
 
Old 01-10-2006, 06:46 AM   #3
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Original Poster
Hello Arvind!
Shorewall is a powerful, high-level tool for configuring Netfilter. Linux is sexy in CUI mode.

OK, today I uninstalled Shorewall and re-installed the latest version. The same thing is happening. After configuring and starting, Shorewall gave me logs in my /var/log/messages.

But after restarting it, NO LOGS again. WHY??
I am using Fedora Core 4. I tried the same thing on RHEL4.

thanks in advance!
 
Old 01-10-2006, 07:34 AM   #4
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Read what I've written, dude... the logs will not be stored in /var/log/messages... those are only for system logs... and logs will be generated only when certain rules are triggered... not just any time... try writing a couple of basic rules with iptables and see what happens... look up where iptables logs its traffic...
Shorewall also should log it in the same place..

Cheers
Arvind
p.s... iptables is also based on Netfilter if I'm not mistaken....
 
Old 01-10-2006, 09:01 AM   #5
unSpawn
Moderator
 
Registered: May 2001
If you redirect messages to another file you're using Ulogd, right? (http://www.shorewall.net/shorewall_logging.html)
Was Ulogd installed?
Does "/sbin/iptables -n -L -v|grep -i log" show rules with LOG targets?
 
Old 01-10-2006, 11:54 AM   #6
JustinHoMi
Member
 
Registered: Apr 2001
Location: Raleigh, NC
Distribution: CentOS
Edit: Nevermind
 
Old 01-11-2006, 03:05 AM   #7
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Original Poster
Hello unSpawn!
I am not redirecting my firewall logs; it is the default (/var/log/messages) in the Shorewall configuration file (/etc/shorewall/shorewall.conf).
The output of
#iptables -n -L -v|grep -i LOG
is

Code:
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 LOG        all  --  *      *       192.162.192.255      0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 LOG        all  --  *      *       172.16.1.255         0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 LOG        all  --  *      *       172.16.0.255         0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 LOG        all  --  *      *       255.255.255.255      0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
    0     0 LOG        all  --  *      *       224.0.0.0/4          0.0.0.0/0         LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
Thanks in advance!
 
Old 01-11-2006, 10:36 AM   #8
unSpawn
Moderator
 
Registered: May 2001
What your post confirms is that LOG target rules are loaded, but looking at the empty packet and byte counters they are unused.
I'd like you to post your ruleset: "/sbin/iptables-save > /tmp/iptables.tmp". That should help.
 
Old 01-12-2006, 02:53 AM   #9
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Original Poster
Hello unSpawn!
The output of /sbin/iptables-save > /tmp/iptables.tmp
is

Code:
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*raw
:OUTPUT ACCEPT [1713:187210]
:PREROUTING ACCEPT [34070:26147350]
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*mangle
:FORWARD ACCEPT [30456:25314670]
:INPUT ACCEPT [1642:631087]
:OUTPUT ACCEPT [1713:187210]
:POSTROUTING ACCEPT [32223:25506660]
:PREROUTING ACCEPT [34070:26147350]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
-A PREROUTING -j tcpre
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*nat
:OUTPUT ACCEPT [79:5311]
:POSTROUTING ACCEPT [82:5491]
:PREROUTING ACCEPT [2260:241851]
:eth0_masq - [0:0]
:eth2_masq - [0:0]
:loc_dnat - [0:0]
:net_dnat - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o eth2 -j eth2_masq
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i eth1 -j loc_dnat
-A eth0_masq -s 172.16.1.0/255.255.255.0 -j MASQUERADE
-A eth2_masq -s 172.16.1.0/255.255.255.0 -j MASQUERADE
-A eth2_masq -s 192.192.192.0/255.255.255.0 -j MASQUERADE
-A loc_dnat -s 172.16.1.3 -p tcp -m tcp --dport 1241 -j DNAT --to-destination 192.192.192.15
-A net_dnat -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.1:8892
-A net_dnat -s 192.192.192.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.16.1.3
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*filter
:Drop - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:fw2inet - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:inet2all - [0:0]
:inet2fw - [0:0]
:inet2loc - [0:0]
:inet2net - [0:0]
:loc2fw - [0:0]
:loc2inet - [0:0]
:loc2net - [0:0]
:net2fw - [0:0]
:net2inet - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
# The next rule was pasted as "--icmp-type 3/-j ACCEPT"; the code after the slash was lost.
# Shorewall's Drop/Reject actions accept ICMP fragmentation-needed, i.e. type 3 code 4,
# so "3/4" below is a reconstruction, not what the original paste shows.
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth2 -j eth2_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth2 -j eth2_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -o eth2 -j fw2inet
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
# Same reconstruction as in the Drop chain above: the paste read "3/-j ACCEPT".
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o eth1 -j net2loc
-A eth0_fwd -o eth2 -j net2inet
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j net2fw
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j blacklst
-A eth1_fwd -o eth0 -j loc2net
-A eth1_fwd -o eth2 -j loc2inet
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j blacklst
-A eth1_in -j loc2fw
-A eth2_fwd -m state --state INVALID,NEW -j dynamic
-A eth2_fwd -o eth0 -j inet2net
-A eth2_fwd -o eth1 -j inet2loc
-A eth2_in -m state --state INVALID,NEW -j dynamic
-A eth2_in -j inet2fw
-A fw2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2inet -j ACCEPT
-A fw2inet -j reject
-A fw2inet -j all2all
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2loc -j reject
-A fw2loc -j all2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A fw2net -j reject
-A fw2net -j ACCEPT
-A inet2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2all -j Drop
-A inet2all -j DROP
-A inet2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2fw -j DROP
-A inet2fw -j reject
-A inet2fw -j inet2all
-A inet2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2loc -j DROP
-A inet2loc -j reject
-A inet2loc -j inet2all
-A inet2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2net -j DROP
-A inet2net -j reject
-A inet2net -j inet2all
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -s 172.16.1.3 -d 172.16.1.2 -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -s 172.16.1.3 -d 192.192.192.15 -p tcp -m tcp --dport 1241 -j ACCEPT
-A loc2fw -j reject
-A loc2fw -j all2all
-A loc2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2inet -j ACCEPT
-A loc2inet -j reject
-A loc2inet -j all2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc2net -j reject
-A loc2net -j all2all
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -j DROP
-A net2fw -j reject
-A net2fw -j all2all
-A net2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2inet -d 172.16.0.1 -p tcp -m tcp --dport 8892 -j ACCEPT
-A net2inet -j reject
-A net2inet -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -s 192.192.192.0/255.255.255.0 -d 172.16.1.3 -p tcp -m tcp --dport 22 -j ACCEPT
-A net2loc -j reject
-A net2loc -j all2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.192.192.255 -j DROP
-A reject -s 172.16.1.255 -j DROP
-A reject -s 172.16.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.192.192.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.192.192.255 -j DROP
-A smurfs -s 172.16.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 172.16.1.255 -j DROP
-A smurfs -s 172.16.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 172.16.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
Thanks in advance!
 
Old 01-12-2006, 09:37 AM   #10
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Original Poster
Hello Friends!
Thank you unSpawn and everyone else!
Now I have logs of traffic in my /var/log/messages.

I made a change in my /etc/shorewall/rules file as follows:

PREVIOUS (when I was not getting logs)

Code:
#############################################################################################################
#ACTION      SOURCE  DEST                  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                                 PORT     PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT       fw      net
ACCEPT       fw      loc
ACCEPT       fw      inet
ACCEPT       loc     net
ACCEPT       loc     inet
DNAT         net     inet:172.16.0.1:8892  tcp    80

NEW (I have logs with this config)

Code:
#############################################################################################################
#ACTION      SOURCE  DEST                  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/
#                                                 PORT     PORT(S)  DEST      LIMIT  GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT       fw      net
ACCEPT       fw      loc
ACCEPT       fw      inet
ACCEPT       loc     net
ACCEPT:info  loc     inet
DNAT:info    net     inet:172.16.0.1:8892  tcp    80

conclusion:
In the ACTION column I am supposed to add the log level ":info" just after the corresponding ACTION.

My policy file was also configured for logs before, but the thing is that if no rule in /etc/shorewall/rules matches, then packet filtering is done according to the configuration in /etc/shorewall/policy.
In my case all the packet filtering was already finishing with the configuration in /etc/shorewall/rules, before the /etc/shorewall/policy rules were needed.
If the packet doesn't match a rule, it is handled by a policy defined in /etc/shorewall/policy. These may be logged by specifying a syslog level in the LOG LEVEL column of the policy's entry (e.g., "loc net ACCEPT info").

thanks and regards
Anuj
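The two checks in this thread, unSpawn's "LOG rules are loaded but the counters are zero" and Anuj's "the rules file ACCEPTs before the policy's logging rule is ever reached", can be automated. The following Python script is an added example, not code from this thread or from Shorewall: it parses iptables-save output, works out which rules a packet can actually reach (a rule that sits after an unconditional ACCEPT/DROP/REJECT in its chain, or in a chain only ever jumped to from such a dead rule, is never hit), and reports every LOG rule with a reachable/unreachable verdict. The SAMPLE ruleset is constructed and trimmed from the dump posted above: fw2inet hits an unconditional ACCEPT before its jump to all2all, exactly as in the real ruleset, and loc2inet has the LOG-then-ACCEPT shape an "ACCEPT:info loc inet" rule produces.

```python
import shlex

# Constructed sample, trimmed from the dump posted in this thread.  fw2inet hits an
# unconditional ACCEPT before its jump to all2all, so all2all's LOG can never fire;
# loc2inet has the shape Shorewall emits for "ACCEPT:info loc inet" (LOG, then ACCEPT).
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i eth1 -o eth2 -j loc2inet
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A OUTPUT -o eth2 -j fw2inet
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A fw2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2inet -j ACCEPT
-A fw2inet -j all2all
-A loc2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2inet -j LOG --log-prefix "Shorewall:loc2inet:ACCEPT:" --log-level 6
-A loc2inet -j ACCEPT
-A reject -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
VERDICTS = {"ACCEPT", "DROP", "REJECT"}        # a packet's walk ends here
ENTRY_CHAINS = ("INPUT", "FORWARD", "OUTPUT")  # filter-table hook chains

def parse_iptables_save(text):
    """{table: {chain: [rule]}}, rule = {matches, target, target_opts}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":                          # new table
            table = tables.setdefault(line[1:], {})
        elif line[0] == ":":                        # chain declaration
            table.setdefault(line[1:].split()[0], [])
        else:
            toks = shlex.split(line)                # keeps a quoted --log-prefix whole
            if toks[0][0] == "[":                   # "iptables-save -c": [pkts:bytes]
                toks.pop(0)
            if toks[0] != "-A":
                continue
            j = toks.index("-j") if "-j" in toks else len(toks)
            table.setdefault(toks[1], []).append({
                "matches": toks[2:j],               # empty => unconditional rule
                "target": toks[j + 1] if j + 1 < len(toks) else None,
                "target_opts": toks[j + 2:],
            })
    return tables

def chain_terminates(chains, target, memo=None):
    """True if a jump to `target` always ends in ACCEPT, DROP or REJECT."""
    if target in VERDICTS or target not in chains:  # builtin verdict, or RETURN/LOG/None
        return target in VERDICTS
    memo = {} if memo is None else memo
    if target not in memo:
        memo[target] = False                        # cycle guard
        for rule in chains[target]:
            if rule["matches"]:                     # conditional: some packets skip it
                continue
            if rule["target"] == "RETURN":
                break
            if chain_terminates(chains, rule["target"], memo):
                memo[target] = True
                break
    return memo[target]

def reachable_rules(chains):
    """(chain, index) of every rule some packet can reach from the hook chains."""
    reached, entered, todo = set(), set(), [c for c in ENTRY_CHAINS if c in chains]
    while todo:
        name = todo.pop()
        if name in entered:
            continue
        entered.add(name)
        for i, rule in enumerate(chains[name]):
            reached.add((name, i))
            tgt = rule["target"]
            if tgt in chains:
                todo.append(tgt)                    # user chain entered from a live rule
            if not rule["matches"] and (tgt == "RETURN" or chain_terminates(chains, tgt)):
                break                               # everything below is dead code
    return reached

def log_rule_report(text, table="filter"):
    """[(chain, log_prefix, reachable)] for each LOG rule in `table`."""
    chains = parse_iptables_save(text).get(table, {})
    reached = reachable_rules(chains)
    report = []
    for name, rules in chains.items():
        for i, rule in enumerate(rules):
            if rule["target"] == "LOG":
                opts = rule["target_opts"]
                prefix = opts[opts.index("--log-prefix") + 1] if "--log-prefix" in opts else ""
                report.append((name, prefix, (name, i) in reached))
    return report
```

On a live box, pass the text of `iptables-save` (or `iptables-save -c`) to `log_rule_report` instead of SAMPLE; for the sample it returns the FORWARD and loc2inet LOG rules as reachable and the all2all one as unreachable. The analysis is conservative on purpose: any rule with match conditions is treated as one some packets can skip, so only LOG rules that no packet can ever reach are flagged. A LOG rule that is reachable but never matched by real traffic still shows zero counters, which is what unSpawn's `iptables -n -L -v` check is for. `-g` (goto) targets are not modelled, and that is an assumption of this example, not a property of Shorewall.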
 
Old 01-12-2006, 12:05 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Nice you got it working all by yourself. Well done!
 
Old 01-12-2006, 10:52 PM   #12
xxx_anuj_xxx
Member
 
Registered: Jun 2004
Location: Bharat
Distribution: RedHat, Debian, FreeBSD, Fedora, Centos
Original Poster
Hello unSpawn!
It was not done by myself, but with the help provided by you and the Shorewall documentation by Thomas M. Eastep.
Shorewall Documentation
Thanks!

Linux Rocks
 