
Re: Re: firehol logging to console



FireHOL logs the messages which were dropped even if the request was okay but was dropped, for example, because the client did not send back the reply in time. This happens often with TCP, because the clients should send back their reply _immediately_ after receiving the answer from your machine running FireHOL.

Here we come to the FireHOL loglevel parameter you may set in the FireHOL config file to get rid of the messages. On any Debian GNU/Linux machine the loglevel is set to 'warning', matching the iptables responses given back to the kernel - this is why those firewall comments are put in the syslog, stored in /var/log/messages and can be seen in dmesg. In my opinion you don't need to get 'warned' by messages in syslog about packets which were dropped, because this is the use case for a firewall, isn't it?
The easiest way to get rid of it is to attach

FIREHOL_LOG_LEVEL="<new loglevel>"

with the new value which is useful for you to your firehol.conf.
(/me uses "error")

loglevel   system
debug      if your firewall does not work properly. You get lots of
           entries!
info       just informs you what's going on. Still lots of messages.

notice     normal, but many significant statements

error      this makes sense for me. Silence in your syslog until
           something really ugly happens!

crit       well, if you get critical messages you should turn your
           firewall off :-P

emerg      it's not useful to set your loglevel to this, because
           your system is already unusable

If you're still sure you want a logfile for your firewall on your own, I found a tutorial here:
http://lists.debian.org/debian-firewall/2004/05/msg00166.html
This solution uses ULOG (deprecated) and your kernel needs to support this!
Attach those lines to your firehol.conf:
FIREHOL_LOG_MODE="ULOG"
FIREHOL_LOG_LEVEL="--log-level warning"
FIREHOL_LOG_OPTIONS="--log-tcp-options --log-ip-options"
FIREHOL_LOG_FREQUENCY="1/second"
#FIREHOL_LOG_FREQUENCY="30/minute"
#FIREHOL_LOG_BURST="5"
FIREHOL_LOG_BURST="2"
Restart your FireHOL and your iptables messages will be stored
in /var/log/ulog/syslogemu.log

(never tested this one, it's nonsense for me)

Please read the fine documentation at
http://firehol.sourceforge.net/commands.html#loglimit
for further reference.
With RedHat Linux you have a bit more trouble with this issue, but this is a Debian resource here, isn't it ;-)

Rate this package here:
http://freshmeat.net/rate/30942/
It's very, very useful IMHO and most people don't know about FireHOL and get brainfucked when trying to set up a firewall - but it can't be easier if you know what to use to build up your iptables rules...

Kind regards from Germany,
SMut
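The post's point is that most of the firewall noise in syslog is late replies to connections you yourself opened, not new connection attempts. The following POSIX shell script is an added example, not code from the original message or from the FireHOL project: it reads iptables LOG lines of the kind FireHOL writes to /var/log/messages and separates new TCP connection attempts (SYN without ACK) from late packets of already-finished flows, so you can see what you would be giving up before lowering FIREHOL_LOG_LEVEL. The sample log lines, the "IN-internet:" log prefix and the addresses are constructed for this example; the SRC=/DST=/PROTO=/DPT= fields and the bare TCP flag tokens are the standard iptables LOG target format.

```shell
#!/bin/sh
# Added example (not from the original post or from FireHOL).
# Summarise iptables LOG entries as they appear in /var/log/messages.
# The lines below are constructed sample input; the "IN-internet:" prefix
# is an assumption, the field names are the standard iptables LOG format.
SAMPLE_LOG='Mar  3 10:01:02 host kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:04 host kernel: IN-internet:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:10 host kernel: IN-internet:IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=4 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=229 RES=0x00 ACK PSH URGP=0
Mar  3 10:02:11 host kernel: IN-internet:IN=eth0 OUT= SRC=203.0.113.81 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=443 DPT=51001 WINDOW=229 RES=0x00 ACK FIN URGP=0
Mar  3 10:02:12 host kernel: IN-internet:IN=eth0 OUT= SRC=203.0.113.53 DST=198.51.100.5 LEN=96 TOS=0x00 PREC=0x00 TTL=55 ID=6 DF PROTO=UDP SPT=53 DPT=33000 LEN=76'

# Read LOG lines on stdin; print "count proto dport" per protocol/port pair,
# most frequent first, so the biggest source of noise is at the top.
summarize_blocked() {
    awk '{
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

# Read LOG lines on stdin; count TCP packets that open a new connection
# (SYN set, ACK clear) versus packets belonging to an existing or finished
# flow (ACK, FIN, RST, ...). The latter are the late replies the post
# describes: harmless for a stateful firewall, but they fill the syslog.
classify_tcp() {
    awk '/PROTO=TCP/ {
        if ($0 ~ / SYN( |$)/ && $0 !~ / ACK( |$)/) new++; else late++
    } END { printf "new=%d late=%d\n", new + 0, late + 0 }'
}

# Usage on the constructed sample; on a real system pipe in
# grep 'IN=' /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | classify_tcp
```

Everything the script reports is already in the log line; it only groups it. If the "late" count dominates, the post's advice of raising FIREHOL_LOG_LEVEL costs you little, whereas a large "new" count on a port you do not serve is the part of the log worth keeping.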
