LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-19-2007, 08:59 AM   #1
flybynight446
LQ Newbie
 
Registered: Oct 2005
Posts: 17

Rep: Reputation: 0
Suse 9.3 Firewall not generating Logs (at all..)


Hi,

I'm trying to enable firewall logging on Suse 9.3 to diagnose whether I am reaching my server smtp port 25.

I thought I could just go to the 'Logging Level' part of the YaST firewall configuration and turn on 'Log All' for both 'Logging Accepted Packets' and 'Logging Not Accepted Packets', then I would get a ton of entries in /var/log/messages, since I thought this catch-all would put it there:

# save the rest in one file
#
*.*;mail.none;news.none -/var/log/messages


But there are no firewall entries at all in /var/log/messages, having confirmed the above config. Or in any other /var/log, come to that.

Then I tried putting "kern.=debug /var/log/firewall", as per another thread on this site, but there was nothing in that log file either. Restarted syslog after making the change.

The only firewall config I have done is to enable HTTP/(S) Server, IMAP/(S) Server, Mail Server.

My firewall interfaces are set at:
Device        | Interface or String | Configured In
<blank>       | venet0              | No Zone Assigned
Custom string | any                 | External Zone

... where venet0 is the network interface handling all my IPs on this VPS box.

The firewall is definitely running.. runlevels said so, and I can block up/blow holes in ports with the expected results.

No Masquerading, IPSec, Broadcast either. Really simple config.

Any pointers as to where I could start looking, please? I'm stumped.

thanks,
Jon.
Code:
# ------------------------------------------------------------------------

## Path:	Network/Firewall/SuSEfirewall2
## Description:	SuSEfirewall2 configuration
## Type:	string
## Default:	any
#
# 2.)
# Which are the interfaces that point to the internet/untrusted
# networks?

FW_DEV_EXT="any"

# 3.)
# Which are the interfaces that point to the internal network?
#
FW_DEV_INT=""

# 4.)
# Which are the interfaces that point to the dmz or dialup network?

FW_DEV_DMZ=""

# 5.)
# Should routing between the internet, dmz and internal network be
# activated?

FW_ROUTE="no"

# 6.)
# Do you want to masquerade internal networks to the outside?

FW_MASQUERADE="no"

# 6a.)
# You must also define on which interfaces to masquerade on. Those

FW_MASQ_DEV="$FW_DEV_EXT"    
FW_MASQ_NETS="0/0"

#
# 7.)
# Do you want to protect the firewall from the internal network?
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="10000 1968 4643 http https imap imaps smtp"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""

# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
FW_TRUSTED_NETS=""

# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
FW_FORWARD=""

# 14.)
# Which services accessed from the internet should be allowed to masqueraded
FW_FORWARD_MASQ=""

## Type:	string
#
# 15.)
# Which accesses to services should be redirected to a local port on
# the firewall machine?
FW_REDIRECT=""

# 16.)
# Which kind of packets should be logged?
#
# When set to "yes", packets that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type:	yesno
## Default:	no
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="yes"

## Type:	yesno
## Default:	yes
#
# When set to "yes", packets that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp ports and forwarded packets.
#
# defaults to "yes" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type:	yesno
## Default:	no
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="yes"

## Type:	string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
# 
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type:	string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# only change this if you know what you are doing!
FW_LOG=""

## Type:	yesno
## Default:	yes
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
FW_KERNEL_SECURITY="yes"

# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
FW_STOP_KEEP_ROUTING_STATE="no"

# 19.)
# Allow the firewall to reply to icmp echo requests
FW_ALLOW_PING_FW="yes"

# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
FW_ALLOW_PING_DMZ="no"

# 19b.)
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #

(I didn't!!!)
 
Old 10-20-2007, 03:55 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Here's a temporary workaround until a less distro-agnostic solution comes around: if you have /sbin/iptables-save do '/sbin/iptables-save | sed "s|^-A|/sbin/iptables -A|g" > /tmp/iptables.rules'. Now you have a shell script with the current rules in place. Edit them and place those "-j LOG" rules where you need them. Use your system tools to flush the rules and then run 'sh /tmp/iptables.rules' to read in the temporary rules. Once you're done testing just restart your firewall to flush out the temporary rules.

A less kludgy workaround would be to list your current rules adding line numbers and insert the "-j LOG" rule just above the target rule. Once done testing just restart the system's firewall to flush out the temporary LOG rules.
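The iptables-save-to-script trick from the reply above, as an added example that is not from the thread: it rewrites a (constructed) iptables-save dump into a rule script and puts a "-j LOG" rule directly in front of every rule matching a chosen TCP port, so the traffic is logged before the original rule accepts or rejects it. The binary path /sbin/iptables, the sample dump, the port and the log prefix are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: turn iptables-save output into a
# rule script the way the reply describes, and put a "-j LOG" rule
# directly in front of every rule that matches a chosen TCP port.
# Assumptions: /sbin/iptables is the binary path; the sample dump, the
# port and the log prefix are constructed for this example.

# Constructed sample of iptables-save output (not a dump from a real box).
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT'

# rules_to_script PORT PREFIX  (reads iptables-save text on stdin)
# Prints a shell script of /sbin/iptables commands. Before each "-A" rule
# matching "--dport PORT" it prints the same match with the target
# replaced by LOG; --log-level debug makes the messages land under a
# "kern.=debug" syslog selector like the one tried in the thread.
rules_to_script() {
    port=$1
    prefix=$2
    echo '#!/bin/sh'
    echo '# flush the live rules with the system firewall tools before running this'
    # only "-A" lines are rules; table, chain-policy and COMMIT lines are not commands
    grep '^-A' | while IFS= read -r rule; do
        case "$rule" in
            *"--dport $port "*|*"--dport $port")
                # drop the original target ("-j ..." to end of line) and log instead
                match=$(printf '%s\n' "$rule" | sed 's/ -j .*$//')
                printf '/sbin/iptables %s -j LOG --log-level debug --log-prefix "%s"\n' \
                    "$match" "$prefix"
                ;;
        esac
        # the reply's sed: prefix every rule with the iptables binary
        printf '%s\n' "$rule" | sed 's|^-A|/sbin/iptables -A|'
    done
}

# count_log_rules: number of LOG rules in a generated script (stdin)
count_log_rules() {
    grep -c -- '-j LOG'
}

printf '%s\n' "$SAMPLE_RULES" | rules_to_script 25 "FW-SMTP: "
```

LOG is a non-terminating target, so the packet goes on to the original ACCEPT or REJECT rule right after being logged; without --log-level, the LOG target logs at level warning, which a "kern.=debug" selector never sees.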
 
Old 10-20-2007, 06:34 PM   #3
flybynight446
LQ Newbie
 
Registered: Oct 2005
Posts: 17

Original Poster
Rep: Reputation: 0
Many thanks for that!!! I'll give it a try. I was wondering how I could dump out the tables and add the log entries manually (as a workaround), and this gives me something to chew on.
 