Very Computer

I would like to know if its a good choice to log packets thats being
send and recieved, and what the advantages is of logging packets on
firewalls.

How much information can you see on logged packets ?, and where would
you log the packets and protect the log from malicous hackers, trojan
kids or script kids ?

Were using Linux Slackware 7.0.

it sure is.  i don't know if it's a good choice to log sent packets,
but the security conscious among us might ..  you'll probably not
want to log _all_ traffic, though.

advantages to logging:  traffic analysis, pattern matching, figuring
                        out who is doing what to your system, etc.

disadvantages to logging: disk space!  if you're logging everything
                          on a large/busy network this will kick
                          you in the butt.  privacy of your users?

Quote:>How much information can you see on logged packets ?, and where would
>you log the packets and protect the log from malicous hackers, trojan
>kids or script kids ?

usually you can see the destination ip address, local and remote
ports used, protocol used, date and time.
if you want to protect your logs from malicious hackers, log to
your printer.

--
True science teaches us to doubt and, in ignorance, to refrain.
 -Claude Bernard (1813-78)

<shudder> I'd have thought so. </shudder>

Quote:> How much information can you see on logged packets ?, and where would you
> log the packets and protect the log from malicous hackers, trojan kids or
> script kids ?

You want the IP Masquerading HOWTO which gives explicit examples of what
you'll see, at
<http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO-7.html#ss7.18>.

Quote:> Were using Linux Slackware 7.0.

What are you using now?

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

Hi,

the standard way is to log exception to any firewall rules - so
you can monitor crack attempts. If you're using ipchains, this
is done with the -l option on the deny and reject rules.

The does rely on the fact that you are catching all errant connections
so you may want to use a packet sniffer to examine all traffic over
a small period.

Yes, logging is a good thing. However depending on the type of
firewall (private use, professional use or heavier) you might
want to log more and more. I know some companies that log
_everything_ :-).

Quote:> How much information can you see on logged packets ?, and where would
> you log the packets and protect the log from malicous hackers, trojan
> kids or script kids ?

Logging will typically provide you with protocol type,
(probable!) source address and reason for denial. See ipchains
doc for more information.

You could log on another machine, this is common practice. If you
want to be absolutely sure about the logs, then connect through a
one-way serial line. Logging on a printer is a) not useful,
because it is very difficult to search for events and correlate
them, and b) opens you for denial of service attacks, unless you
have a very fast printer that is :-)

Quote:> Were using Linux Slackware 7.0.

I recently switched from redhat to slackware to OpenBSD. I prefer
the latter to put it gently and with chances to open up a flame
war. The flame war is _not_ my intent! OpenBSD firewalls are
_much_ easier to maintain, much easier to develop and I think
inherently more secure. The additional advantage being that not a
lot of scripts are available for the script kiddies because it is
so much less used :-).

EJ
--
OpenBSD 2.6 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.

Quote:>You could log on another machine, this is common practice. If you
>want to be absolutely sure about the logs, then connect through a
>one-way serial line. Logging on a printer is a) not useful,
>because it is very difficult to search for events and correlate
>them, and b) opens you for denial of service attacks, unless you
>have a very fast printer that is :-)

a one-way serial line .. hmm, i never thought about that.  now
that could be fun!

--
Every sentence I utter must be understood not as an affirmation,
but as a question.
 -Niels Henrik David Bohr (1885-1962)

Explain?

EJ
--
OpenBSD 2.6 on a sparc (32 MB) and a pentium 75 MHz (32 MB)
Linux 2.2.16 on a pentium 233 MHz (64 MB) and a sparc (32 MB)
FreeBSD 4.0 on a pentium 200 MHz (192 MB)
and the Mac LCII? Still doing nothing.