Linux - Security
#1 | 01-09-2006, 10:37 AM | Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Shorewall not logging messages
Hello Friends!
Recently I installed the shorewall firewall on my Fedora Core 4 machine. My /var/log/messages has no logs about the packets except the shorewall start and stop messages.
I tried to change the default log file in /etc/shorewall/shorewall.conf by entering a different file location, from
LOGFILE=/var/log/messages
to
LOGFILE=/var/log/shore
Still no logs.
My /etc/shorewall/policy has these entries:
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
fw        net    ACCEPT   -
net       all    DROP     info
all       all    REJECT   info
I had a few logs just after installing and configuring it, and then I installed PSAD, but since then I have no logs w.r.t. packets. Is this related to PSAD's configuration?
thanks and regards
Anuj
Linux Rocks
#2 | 01-10-2006, 02:43 AM | live_dont_exist, Member (Registered: Aug 2004; Location: India; Distribution: Redhat 9.0, FC3, FC5, FC10; Posts: 257)
Hey Anuj,
I just looked up shorewall on Google and find it's a frontend for iptables. That means that logging is going to take place the same way iptables logs stuff. Now I believe that the logs for iptables are stored in /var/log/iptables, but I'm not sure. I think you should find your shorewall logs also in the same place.
Why are you using shorewall anyway in the first place? I believe iptables is good enough; try learning the basics of iptables first and then use a GUI to maintain stuff instead of GUI-ing right away. That's what I would do anyway if I wanted to learn iptables, which I want to do one of these days.
I don't believe /var/log/messages is going to give you anything else apart from what you have described; it's the place where the system logs messages; individual program logs are stored elsewhere.
Cheers
Arvind
#3 | 01-10-2006, 06:46 AM | Original Poster, Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Hello Arvind!
Shorewall is a powerful, high-level tool for configuring Netfilter. Linux is sexy in CUI mode.
OK, today I uninstalled shorewall and re-installed the latest version. The same thing is happening. After configuring and starting, shorewall gave me logs in my /var/log/messages.
But after restarting it, NO LOGS again. WHY??
I am using Fedora Core 4. I tried the same thing on RHEL4.
thanks in advance!
#4 | 01-10-2006, 07:34 AM | live_dont_exist, Member (Registered: Aug 2004; Location: India; Distribution: Redhat 9.0, FC3, FC5, FC10; Posts: 257)
Read what I've written, dude... the logs will not be stored in /var/log/messages... those are only for system logs... and logs will be generated only when certain rules are triggered... not just any time... try writing a couple of basic rules with iptables and see what happens... look up where iptables logs its traffic...
Shorewall also should log it in the same place...
Cheers
Arvind
p.s. iptables is also based on Netfilter if I'm not mistaken....
#5 | 01-10-2006, 09:01 AM | unSpawn, Moderator (Registered: May 2001; Posts: 29,415)
If you redirect messages to another file you're using Ulogd, right? (http://www.shorewall.net/shorewall_logging.html)
Was Ulogd installed?
Does "/sbin/iptables -n -L -v|grep -i log" show rules with LOG targets?
#6 | 01-10-2006, 11:54 AM | JustinHoMi, Member (Registered: Apr 2001; Location: Raleigh, NC; Distribution: CentOS; Posts: 154)
Edit: Nevermind 
#7 | 01-11-2006, 03:05 AM | Original Poster, Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Hello unSpawn!
I am not redirecting my firewall logs; it is the default (/var/log/messages) in the shorewall configuration file (/etc/shorewall/shorewall.conf).
The output of
# iptables -n -L -v|grep -i LOG
is:
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 LOG all -- * * 192.162.192.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 LOG all -- * * 172.16.1.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 LOG all -- * * 172.16.0.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 LOG all -- * * 255.255.255.255 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
0 0 LOG all -- * * 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
Thanks in advance!
#8 | 01-11-2006, 10:36 AM | unSpawn, Moderator (Registered: May 2001; Posts: 29,415)
What your post confirms is that LOG target rules are loaded, but looking at the empty packet and byte counters they are unused.
I'd like you to post your ruleset: "/sbin/iptables-save > /tmp/iptables.tmp". That should help.
#9 | 01-12-2006, 02:53 AM | Original Poster, Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Hello unSpawn!
The output of my
# /sbin/iptables-save > /tmp/iptables.tmp
is:
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*raw
:OUTPUT ACCEPT [1713:187210]
:PREROUTING ACCEPT [34070:26147350]
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*mangle
:FORWARD ACCEPT [30456:25314670]
:INPUT ACCEPT [1642:631087]
:OUTPUT ACCEPT [1713:187210]
:POSTROUTING ACCEPT [32223:25506660]
:PREROUTING ACCEPT [34070:26147350]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
-A PREROUTING -j tcpre
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*nat
:OUTPUT ACCEPT [79:5311]
:POSTROUTING ACCEPT [82:5491]
:PREROUTING ACCEPT [2260:241851]
:eth0_masq - [0:0]
:eth2_masq - [0:0]
:loc_dnat - [0:0]
:net_dnat - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A POSTROUTING -o eth2 -j eth2_masq
-A PREROUTING -i eth0 -j net_dnat
-A PREROUTING -i eth1 -j loc_dnat
-A eth0_masq -s 172.16.1.0/255.255.255.0 -j MASQUERADE
-A eth2_masq -s 172.16.1.0/255.255.255.0 -j MASQUERADE
-A eth2_masq -s 192.192.192.0/255.255.255.0 -j MASQUERADE
-A loc_dnat -s 172.16.1.3 -p tcp -m tcp --dport 1241 -j DNAT --to-destination 192.192.192.15
-A net_dnat -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.1:8892
-A net_dnat -s 192.192.192.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.16.1.3
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
# Generated by iptables-save v1.3.0 on Thu Jan 12 14:14:22 2006
*filter
:Drop - [0:0]
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:eth2_fwd - [0:0]
:eth2_in - [0:0]
:fw2inet - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:inet2all - [0:0]
:inet2fw - [0:0]
:inet2loc - [0:0]
:inet2net - [0:0]
:loc2fw - [0:0]
:loc2inet - [0:0]
:loc2net - [0:0]
:net2fw - [0:0]
:net2inet - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth2 -j eth2_fwd
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -j reject
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j eth0_in
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth2 -j eth2_in
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -j reject
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -o eth2 -j fw2inet
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:REJECT:" --log-level 6
-A OUTPUT -j reject
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j Reject
-A all2all -j LOG --log-prefix "Shorewall:all2all:REJECT:" --log-level 6
-A all2all -j reject
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o eth1 -j net2loc
-A eth0_fwd -o eth2 -j net2inet
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j net2fw
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -m state --state INVALID,NEW -j blacklst
-A eth1_fwd -o eth0 -j loc2net
-A eth1_fwd -o eth2 -j loc2inet
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -m state --state INVALID,NEW -j blacklst
-A eth1_in -j loc2fw
-A eth2_fwd -m state --state INVALID,NEW -j dynamic
-A eth2_fwd -o eth0 -j inet2net
-A eth2_fwd -o eth1 -j inet2loc
-A eth2_in -m state --state INVALID,NEW -j dynamic
-A eth2_in -j inet2fw
-A fw2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2inet -j ACCEPT
-A fw2inet -j reject
-A fw2inet -j all2all
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2loc -j reject
-A fw2loc -j all2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A fw2net -j reject
-A fw2net -j ACCEPT
-A inet2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2all -j Drop
-A inet2all -j DROP
-A inet2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2fw -j DROP
-A inet2fw -j reject
-A inet2fw -j inet2all
-A inet2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2loc -j DROP
-A inet2loc -j reject
-A inet2loc -j inet2all
-A inet2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A inet2net -j DROP
-A inet2net -j reject
-A inet2net -j inet2all
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -s 172.16.1.3 -d 172.16.1.2 -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -s 172.16.1.3 -d 192.192.192.15 -p tcp -m tcp --dport 1241 -j ACCEPT
-A loc2fw -j reject
-A loc2fw -j all2all
-A loc2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2inet -j ACCEPT
-A loc2inet -j reject
-A loc2inet -j all2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A loc2net -j reject
-A loc2net -j all2all
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p icmp -j DROP
-A net2fw -j reject
-A net2fw -j all2all
-A net2inet -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2inet -d 172.16.0.1 -p tcp -m tcp --dport 8892 -j ACCEPT
-A net2inet -j reject
-A net2inet -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -s 192.192.192.0/255.255.255.0 -d 172.16.1.3 -p tcp -m tcp --dport 22 -j ACCEPT
-A net2loc -j reject
-A net2loc -j all2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.192.192.255 -j DROP
-A reject -s 172.16.1.255 -j DROP
-A reject -s 172.16.0.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.192.192.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.192.192.255 -j DROP
-A smurfs -s 172.16.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 172.16.1.255 -j DROP
-A smurfs -s 172.16.0.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 172.16.0.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Thu Jan 12 14:14:22 2006
Thanks in advance!
#10 | 01-12-2006, 09:37 AM | Original Poster, Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Hello Friends!
Thank you unSpawn and everyone else!
Now I have logs of traffic in my /var/log/messages
I made a change in my /etc/shorewall/rules file as follows:
PREVIOUS (when I was not getting logs)
##############################################################################################################
#ACTION   SOURCE   DEST                   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                                 PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT    fw       net
ACCEPT    fw       loc
ACCEPT    fw       inet
ACCEPT    loc      net
ACCEPT    loc      inet
DNAT      net      inet:172.16.0.1:8892   tcp     80
NEW (I have logs with this config)
##############################################################################################################
#ACTION       SOURCE   DEST                   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/
#                                                     PORT    PORT(S)   DEST       LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT        fw       net
ACCEPT        fw       loc
ACCEPT        fw       inet
ACCEPT        loc      net
ACCEPT:info   loc      inet
DNAT:info     net      inet:172.16.0.1:8892   tcp     80
conclusion:
In the ACTION column I was supposed to add the log level ":info" just after the corresponding ACTION.
My previous policy file is also configured for logs, but the thing is, if no rule matches the configuration in /etc/shorewall/rules then packet filtering is done according to the configuration in /etc/shorewall/policy.
In my case all the packet filtering was already finishing with the configuration in /etc/shorewall/rules before the /etc/shorewall/policy rules were needed.
If the packet doesn't match a rule, it is handled by a policy defined in /etc/shorewall/policy. These may be logged by specifying a syslog level in the LOG LEVEL column of the policy's entry (e.g., “loc net ACCEPT info”).
thanks and regards
Anuj
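A small check script, added here as an example and not code from the thread or from Shorewall, that automates the two diagnostics this thread walked through: unSpawn's zero-counter check on LOG rules (#8) and Anuj's finding that a rules entry only logs when its ACTION carries a ":level" suffix (#10). The sample inputs are constructed to match the shape of the output posted above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# unused_log_rules reads "iptables -n -L -v" output and prints the log
# prefix of every LOG rule whose packet counter is still zero, i.e. a
# LOG rule that is loaded but never reached. rules_without_log reads a
# Shorewall rules file and prints entries whose ACTION has no ":level"
# suffix, so they accept or drop silently. Both samples are constructed.

unused_log_rules() {
    # Column 1 is the packet counter and column 3 the target; the log
    # prefix follows the word "prefix" and is wrapped in `...' by iptables.
    awk '$3 == "LOG" && $1 == 0 {
        for (i = 1; i <= NF; i++)
            if ($i == "prefix") { p = $(i + 1); gsub(/[^A-Za-z0-9:_-]/, "", p); print p }
    }'
}

rules_without_log() {
    # Skip comments, SECTION markers and blank lines; a logged ACTION
    # looks like ACCEPT:info, so an ACTION without a colon never logs.
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*SECTION/ && NF > 0 && $1 !~ /:/ {
        print $1, $2, $3
    }'
}

# Constructed sample of "iptables -n -L -v | grep -i log": three LOG rules,
# only one of which (loc2inet) has ever matched a packet.
IPT_SAMPLE=$(cat <<'EOF'
    0     0 LOG  all  --  *  *  0.0.0.0/0    0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
   12   960 LOG  all  --  *  *  0.0.0.0/0    0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:loc2inet:ACCEPT:'
    0     0 LOG  all  --  *  *  224.0.0.0/4  0.0.0.0/0  LOG flags 0 level 6 prefix `Shorewall:smurfs:DROP:'
EOF
)

# Constructed /etc/shorewall/rules fragment mirroring the thread's fix.
RULES_SAMPLE=$(cat <<'EOF'
#ACTION       SOURCE   DEST                   PROTO   DEST
#                                                     PORT
SECTION NEW
ACCEPT        fw       net
ACCEPT:info   loc      inet
DNAT:info     net      inet:172.16.0.1:8892   tcp     80
EOF
)

echo "LOG rules that have never matched a packet:"
printf '%s\n' "$IPT_SAMPLE" | unused_log_rules
echo "rules entries that will never produce a log line:"
printf '%s\n' "$RULES_SAMPLE" | rules_without_log
```

On a live box, replace the constructed samples with `iptables -n -L -v | unused_log_rules` and `rules_without_log < /etc/shorewall/rules`.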
#11 | 01-12-2006, 12:05 PM | unSpawn, Moderator (Registered: May 2001; Posts: 29,415)
Nice you got it working all by yourself. Well done!
#12 | 01-12-2006, 10:52 PM | Original Poster, Member (Registered: Jun 2004; Location: Bharat; Distribution: RedHat, Debian, FreeBSD, Fedora, Centos; Posts: 114)
Hello unSpawn!
It was not done by myself, but with the help provided by you and the shorewall documentation by Thomas M. Eastep.
Shorewall Documentation
Thanks!
Linux Rocks