monitor iptables activity

monitor iptables activity

Post by steve » Sat, 13 Jul 2002 20:32:13



About a year and a half ago I started with Linux and attempted to learn the
ins and outs of iptables.  As it was, Linux took some getting used to,
iptables info seemed sparse, and I ran across Firestarter (a GUI for
iptables).  Firestarter gave me some sense of security quickly, but I wanted
to eventually get around to learning iptables.  There is enough info on
iptables now for me to sort through; however, I like the GUI idea that shows
me if someone is probing a port and allows me to allow/block activity
without having to rewrite a script and restart iptables manually.
Firestarter supposedly allows one to modify the scripts it uses and I may go
that route but was interested to know if anyone is using another method to
monitor iptable activity "more-or-less" realtime.
Thanks,
Steve
 
 
 

monitor iptables activity

Post by Tim Hayne » Sat, 13 Jul 2002 21:11:26



> Firestarter supposedly allows one to modify the scripts it uses and I may go
> that route but was interested to know if anyone is using another method to
> monitor iptable activity "more-or-less" realtime.

I don't believe in running a GUI on a firewall, and I don't currently have
a separate loghost for the purpose either.

However, running fwlogwatch to generate an HTML table of the last 24hrs'
worth of activity, every ~15 mins, is quite adequate for my simple tastes :)

~Tim
--

A shadow rushes through the grasslands      |http://spodzone.org.uk/
To the dying sun                            |

 
 
 

monitor iptables activity

Post by Scott Duckwort » Sun, 14 Jul 2002 01:40:22



> There is enough info on
> iptables now for me to sort through however I like the gui idea that shows
> me if someone is probing a port and allows me to allow/block activity
> without having to rewrite a script and restart iptables manually.

Check out PortSentry (http://www.psionic.com/products/portsentry.html).  It
does this without any user interaction.
--
Scott Duckworth
Computer engineering student and wanna-be know-it-all.  ;)
 
 
 

monitor iptables activity

Post by Michael Heimin » Sun, 14 Jul 2002 19:24:06



> About a year and a half ago I started with linux and attempted to
> learn the ins and outs of iptables.  As it was, linux took some getting
> used to, iptables info seemed sparse, and I ran across Firestarter (gui
> for iptables).  Firestarter gave me some sense of security quickly but
> I wanted to eventually get around to learning iptables.  There is enough
> info on iptables now for me to sort through however I like the gui
> idea that shows me if someone is probing a port and allows me to
> allow/block activity without having to rewrite a script and

You should deny everything in the first place, NOT set up a "low"
security, then watch the logs and change your setup while you
think, "mhhh, there's someone trying to crack me, let's close that
port." That's a completely wrong understanding of security.

> restart iptables manually. Firestarter supposedly allows one to
> modify the scripts it uses and I may go that route but was
> interested to know if anyone is using another method to monitor
> iptable activity "more-or-less" realtime. Thanks,

Realtime monitoring, no problem: tcpdump is for sure the preferred
tool, or use ethereal if you really think you need a GUI. Albeit
it's a waste of time; tcpdump will have switched the device into
promiscuous mode and delivered what you want to see even before some
fancy GUI tool has started...;-) man tcpdump

Michael Heiming
--
Remove the +SIGNS in case mail bounces.

 
 
 

monitor iptables activity

Post by Ian Jone » Mon, 15 Jul 2002 01:22:15



[...]

>> interested to know if anyone is using another method to monitor
>> iptable activity "more-or-less" realtime. Thanks,

> Realtime monitoring, no problem, tcpdump is for sure the prefered
> tool, or use ethereal, if you really think you need a GUI. Albeit
> it's a waste of time, tcpdump will have switched the device in
> promiscous mode and deliver what you want to see, even before some
> fancy GUI tool has started...;-) man tcpdump

Beware that there are some vulnerabilities that have been discovered
in tcpdump which could leave you compromised. Check bugtraq for more
information.

Personally, I grab the traffic from the kernel by using QUEUE and
post-process it using tcpdump when I am ready to look at it.


 
 
 

monitor iptables activity

Post by Michael Heimin » Mon, 15 Jul 2002 02:44:55



Hello Ian,


[..]
>> some fancy GUI tool has started...;-) man tcpdump

> Beware that there are some vulnerabilities that have been
> discovered in tcpdump which could leave you compromised. Check
> bugtraq for more information.

Thx for the info...;-)

> Personally, I grab the traffic from the kernel by using QUEUE and
> post-process it using tcpdump when I am ready to look at it.

Sounds great; however, I'm working with several different Unix
systems, which makes you concentrate on tools that can be found on every
system, even if the usage differs a little bit.

Michael Heiming
--
Remove the +SIGNS in case mail bounces.

 
 
 

monitor iptables activity

Post by amber tatnal » Mon, 15 Jul 2002 04:37:05




> > Firestarter supposedly allows one to modify the scripts it uses and I
> > may go that route but was interested to know if anyone is using another
> > method to monitor iptable activity "more-or-less" realtime.

> I don't believe in running a GUI on a firewall, and I don't currently have
> a separate loghost for the purpose either.

> However, running fwlogwatch to generate an HTML table of the last 24hrs'
> worth of activity, every ~15 mins, is quite adequate for my simple tastes :)

> ~Tim
> --
> With the spirits of the mighty


> A shadow rushes through the grasslands      |http://spodzone.org.uk/
> To the dying sun                            |

Is there documentation at netfilter or somewhere that explains the output of
fwlogwatch? For example:

#   CHAIN                          INTERFACE   SOURCE             DESTINATION
2   SuSE-FW-UNAUTHORIZED-ROUTING   eth0        134.114.172.153    10.168.10.10
 
 
 

monitor iptables activity

Post by amber tatnal » Mon, 15 Jul 2002 04:42:05






> > > Firestarter supposedly allows one to modify the scripts it uses and I
> > > may go that route but was interested to know if anyone is using another
> > > method to monitor iptable activity "more-or-less" realtime.

> > I don't believe in running a GUI on a firewall, and I don't currently
> > have a separate loghost for the purpose either.

> > However, running fwlogwatch to generate an HTML table of the last 24hrs'
> > worth of activity, every ~15 mins, is quite adequate for my simple
> > tastes :)

> > ~Tim
> > --
> > With the spirits of the mighty

> > A shadow rushes through the grasslands      |http://spodzone.org.uk/
> > To the dying sun                            |

> Is there documentation at netfilter or somehwere that explains the output
> of the fwlogwatch? for example
>
> #   CHAIN                          INTERFACE   SOURCE             DESTINATION
> 2   SuSE-FW-UNAUTHORIZED-ROUTING   eth0        134.114.172.153    10.168.10.10

Ah, how about this?

http://logi.cc/linux/netfilter-log-format.php3
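For readers who want to follow the netfilter log format link above and reproduce the fwlogwatch-style CHAIN/INTERFACE/SOURCE/DESTINATION table themselves, here is an added example (not code from the thread, fwlogwatch or netfilter): it parses the KEY=VALUE fields that the iptables LOG target writes to the kernel log, treats the --log-prefix text as the chain name, counts hits per (chain, interface, source, destination), and lists the destination ports each source touched, which is the "someone is probing a port" view Steve asked for. The syslog lines, prefixes and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the netfilter LOG-target format (not from the thread).
SAMPLE_LOG = """\
Jul 14 02:11:07 fw kernel: SuSE-FW-UNAUTHORIZED-ROUTING IN=eth0 OUT= MAC=00:50:ba:00:00:01:00:a0:c9:00:00:02:08:00 SRC=134.114.172.153 DST=10.168.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41321 DF PROTO=TCP SPT=3412 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 14 02:11:09 fw kernel: SuSE-FW-UNAUTHORIZED-ROUTING IN=eth0 OUT= MAC=00:50:ba:00:00:01:00:a0:c9:00:00:02:08:00 SRC=134.114.172.153 DST=10.168.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=41322 DF PROTO=TCP SPT=3413 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 14 02:12:30 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:50:ba:00:00:01:00:a0:c9:00:00:03:08:00 SRC=192.0.2.44 DST=10.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=UDP SPT=1024 DPT=161 LEN=40
Jul 14 02:13:01 fw kernel: eth0: link up
"""

# A LOG line is the --log-prefix text (usually naming the chain) followed by
# KEY=VALUE fields; bare flags such as DF and SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    """Return {'chain': prefix, 'IN': ..., 'SRC': ..., ...} or None for non-netfilter lines."""
    m = re.search(r"kernel:\s*(.*?)\s*IN=", line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end() - 3:]))  # fields start at 'IN='
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["chain"] = m.group(1) or "(no prefix)"
    return fields

def summarize(text):
    """fwlogwatch-style rows: (hits, chain, interface, source, destination), most hits first."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_log_line(line)
        if e:
            counts[(e["chain"], e.get("IN", ""), e["SRC"], e["DST"])] += 1
    return [(n,) + key for key, n in counts.most_common()]

def probed_ports(text):
    """Destination ports each source was logged hitting; a long list means a port walk."""
    ports = defaultdict(set)
    for line in text.splitlines():
        e = parse_log_line(line)
        if e and "DPT" in e:
            ports[e["SRC"]].add(int(e["DPT"]))
    return {src: sorted(p) for src, p in ports.items()}

if __name__ == "__main__":
    print(f"{'#':<4}{'CHAIN':<32}{'INTERFACE':<11}{'SOURCE':<18}DESTINATION")
    for n, chain, iface, src, dst in summarize(SAMPLE_LOG):
        print(f"{n:<4}{chain:<32}{iface:<11}{src:<18}{dst}")
    for src, p in probed_ports(SAMPLE_LOG).items():
        print(f"{src} hit destination ports {p}")
```

Feed it `/var/log/messages` (or wherever klogd writes) instead of the constructed sample and the first row reproduces the "2 SuSE-FW-UNAUTHORIZED-ROUTING eth0 ..." line amber asked about.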