logging of ipchains

Post by Matthias Thalhame » Thu, 21 Jun 2001 17:17:39



Hi

If I want to do some logging by ipchains all the data is written to
/var/log/syslog.
I think if I configure the syslog.conf file, I can direct it to
/var/log/firewall.
If this is possible, what do I have to write into the file?

    Matze


logging of ipchains

Post by Thomas Kn » Thu, 21 Jun 2001 17:45:36



> Hi

> If I want to do some logging by ipchains all the data is written to
> /var/log/syslog.
> I think if I configure the syslog.conf file, I can direct it to
> /var/log/firewall.
> If this is possible, what do I have to write into the file?

You must figure out how to change the 'facility' under which ipchains writes to syslog.
I am of the opinion you will find this in "man iptables" (can't check for it here).
Then you have to write a new syslog rule. You will find this in "man syslog".

Thomas


logging of ipchains

Post by Matthias Thalhame » Thu, 21 Jun 2001 18:24:51


Thomas Knop wrote:

> You must figure out how to change the 'facility' under which ipchains writes to syslog.
> I am of the opinion you will find this in "man iptables" (can't check for it here).
> Then you have to write a new syslog rule. You will find this in "man syslog".

> Thomas

I had a look at 'man ipchains', but there is no comment about a facility. It just says
that everything is printed via printk.
Can I figure it out from the syslog file? Here is what is in the file:
'DATE' 'HOSTNAME' kernel :Packet log: ...............

    Thanks

        Matze.
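An added example, not from the thread, showing what the syslog side of this looks like and a small shell filter that separates the ipchains lines. It assumes sysklogd's syslog.conf syntax, and that the 2.2 kernel's ipchains code emits its "Packet log:" lines through printk at priority info (the facility is kern in any case, since printk has no other). Host names, addresses and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). ipchains logs through printk, so the
# syslog facility is always "kern" (there is no ipchains option to change it).
# Assumption: the 2.2 ip_fw.c prints "Packet log:" at priority info, so this
# sysklogd rule in /etc/syslog.conf copies those lines (send syslogd a HUP
# afterwards so it rereads the file):
#
#   kern.=info    -/var/log/firewall
#
# "=info" selects exactly that priority; the leading "-" skips the fsync after
# every line. Two caveats: every other KERN_INFO message lands there too, and
# the lines still go to /var/log/syslog as well. The filter below keeps only
# the firewall lines by matching the "Packet log:" marker instead.

# extract_firewall_log SRC DEST -- copy only ipchains packet-log lines.
# Tolerates both "kernel:" and the "kernel :" spacing seen in the thread.
extract_firewall_log() {
    grep -E 'kernel *: *Packet log:' "$1" > "$2"
}

# count_lines FILE -- number of lines, without wc's leading blanks
count_lines() {
    grep -c '' "$1"
}

# count_denied FILE -- logged packets that hit a DENY rule in any chain
count_denied() {
    grep -cE 'Packet log: [^ ]+ DENY ' "$1"
}

# Constructed sample syslog; hosts and addresses are made up.
SAMPLE_SYSLOG=${TMPDIR:-/tmp}/sample_syslog.$$
FW_LOG=${TMPDIR:-/tmp}/sample_firewall.$$
cat > "$SAMPLE_SYSLOG" <<'EOF'
Jun 21 17:17:39 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:1025 192.0.2.4:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#2)
Jun 21 17:17:40 fw sshd[123]: Accepted password for matze from 192.0.2.9
Jun 21 17:17:41 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1026 192.0.2.4:21 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Jun 21 17:17:42 fw kernel: eth0: link up
Jun 21 17:17:43 fw kernel :Packet log: input DENY eth0 PROTO=17 198.51.100.7:53 192.0.2.4:53 L=80 S=0x00 I=3 F=0x0000 T=64 (#3)
EOF

extract_firewall_log "$SAMPLE_SYSLOG" "$FW_LOG"
echo "firewall lines: $(count_lines "$FW_LOG"), denied: $(count_denied "$FW_LOG")"
```

Run against a real /var/log/syslog the same way (`extract_firewall_log /var/log/syslog /var/log/firewall`) to get the separate file without touching syslog.conf at all; the syslog.conf rule is the cheaper option if the extra KERN_INFO noise in that file is acceptable.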


1. Firewall logging and ipchains?

Hi,

I'm looking for a way to log everything hitting my firewall (accepted, denied
and rejected packets), but I can't figure out how to do this.  I've been
playing around with ipchains and I am able to log specific rules, but I can't
seem to log the actions of a default policy.  For example:

ipchains -P input DENY
ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 1.2.3.4/32 80 -l -j ACCEPT

Let's say these are the firewall rules I'm using.  If someone tries to connect
to the firewall (1.2.3.4/eth0) from the internet, via the web (port 80), they
are able to do so and the connection is logged as accepted, hence the '-l'
switch.  But, if someone from the net tries to connect using ftp, they are
denied access (as per the default input policy) but this transaction does not
seem to make it into my system logs.  How can I log traffic that is being
filtered by a default policy in ipchains?  Can I use ipchains to do
firewall logging, or is there a better solution?

I'm using Red Hat 5.2 with kernel 2.2.3 which is configured to run as a
firewall.  I've been reading howto papers all day, but I can't seem to find
anything that specifically deals with firewall logging.

Any info or suggestions would be very much appreciated!

--Matt
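An added example, not from this post, showing the approach ipchains actually supports for the policy question and an awk summary to verify it. The -l flag is a per-rule flag, so a chain policy never logs; the ruleset in the comment keeps the post's two rules (policy set with -P) and appends a final catch-all DENY rule that carries -l, so anything the policy would have dropped is logged first. The log lines are constructed, using the post's 1.2.3.4 address with made-up sources.

```shell
#!/bin/sh
# Added example (not from the post). ipchains cannot log packets that fall
# through to the chain policy, because "-l" only exists on rules. Keep the
# DENY policy and append a final logged DENY rule instead:
#
#   ipchains -P input DENY
#   ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 -d 1.2.3.4/32 80 -l -j ACCEPT
#   ipchains -A input -l -j DENY      # logs whatever the policy would drop
#
# The summary below reads the resulting "Packet log:" lines and counts hits
# per chain, action and destination port, which is how to confirm the ftp
# attempt from the post really shows up as a logged DENY.

# summarize_packet_log FILE -> lines "chain action dport count", sorted
summarize_packet_log() {
    awk '
        /kernel *: *Packet log:/ {
            # fields after "log:": chain action iface PROTO=n src:sport dst:dport ...
            for (i = 1; i <= NF; i++) if ($i == "log:") break
            chain = $(i+1); action = $(i+2)
            dst = $(i+6); sub(/.*:/, "", dst)   # keep only the destination port
            count[chain " " action " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# hits FILE CHAIN ACTION DPORT -> count for that one key (0 if absent)
hits() {
    summarize_packet_log "$1" | awk -v k="$2 $3 $4" '
        ($1 " " $2 " " $3) == k { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample: web accepted, ftp and portmapper denied by the final rule (#2).
SAMPLE_LOG=${TMPDIR:-/tmp}/sample_packet_log.$$
cat > "$SAMPLE_LOG" <<'EOF'
Jun 21 18:00:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:1025 1.2.3.4:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#1)
Jun 21 18:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1026 1.2.3.4:21 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#2)
Jun 21 18:00:03 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1027 1.2.3.4:21 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#2)
Jun 21 18:00:04 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.5:40000 1.2.3.4:80 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#1)
Jun 21 18:00:05 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.5:1234 1.2.3.4:111 L=64 S=0x00 I=5 F=0x0000 T=64 (#2)
EOF

summarize_packet_log "$SAMPLE_LOG"
```

Logging every denied packet on a busy link fills the disk quickly; the same final-rule trick can be narrowed (for example to `-p tcp -y` so only connection attempts are logged) once the rule set is confirmed to behave as intended.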
