
Re: patch-o-matic drop table patch



On Wed, 25 Sep 2002 10:16:04 -0400 Quenten Griffith <qgriffith@edm1.com>
wrote:

> Ok, you're crazy... Using Fwbuilder, if you want to use an option
> called "log all dropped traffic" you need to have the drop table patch
> applied to your kernel.

Ahhh... you didn't indicate that it was a limitation of Fwbuilder that was
causing the need.  It is a simple matter to log all dropped packets under
iptables and doesn't require the "drop table patch".  This is of course
assuming that the firewall was designed with this in mind.  However, I'm
not familiar with Fwbuilder specifics.  Here's an overview of how you
could go about this from a normal iptables perspective.  

For each table (nat, filter, and mangle) create a new chain, call it
something like <table>_drop (i.e. filter_drop).  Then add two rules to
these new chains, one to log the packet and one to drop the packet.  Then
any time you would have used the DROP target in a given table, use
the <table>_drop chain as your target instead.  Additionally, make sure
that your default policies for all default chains in a table are set to
DROP and that the last rule in each of the default chains is a LOG target.
Now, any packet that is dropped will be logged just prior to being
dropped.

I implement something very similar to the above in the script I maintain
(http://asgardsrealm.net/linux/firewall). 

-- 
Jamin W. Collins
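One way to lay out the scheme described in the reply above, as an added example written for this page (it is neither Jamin's script nor anything Fwbuilder generates): a filter_drop chain with a LOG and a DROP rule, DROP policies on the built-in chains, and a trailing LOG rule in each, emitted in iptables-restore format for the filter table only. The accepted services (loopback, established connections, SSH) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: log every dropped packet without a kernel patch, using a
# per-table "<table>_drop" chain plus a final LOG rule per built-in chain.
# Filter table only; the ACCEPT rules below are assumed, not from the post.

# Emit chain "<table>_drop" holding a LOG rule followed by a DROP rule.
drop_chain() {
    table="$1"
    printf '%s\n' ":${table}_drop - [0:0]"
    printf '%s\n' "-A ${table}_drop -j LOG --log-prefix \"${table}_drop: \" --log-level 4"
    printf '%s\n' "-A ${table}_drop -j DROP"
}

# Build the filter-table ruleset: built-in chains default to DROP, every
# explicit drop jumps to filter_drop, and each built-in chain ends with a
# LOG rule so packets that fall through to the policy are logged as well.
build_ruleset() {
    printf '%s\n' '*filter'
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' ":${chain} DROP [0:0]"
    done
    drop_chain filter
    # Assumed accept rules for a host that only offers SSH.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    # Where a rule would have said "-j DROP", target the logging chain instead.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j filter_drop'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT'
    # Last rule in each built-in chain: log just before the DROP policy applies.
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "-A ${chain} -j LOG --log-prefix \"${chain}-policy: \" --log-level 4"
    done
    printf '%s\n' 'COMMIT'
}

# Count rules that jump to LOG in a ruleset read from stdin (sanity check).
count_log_rules() {
    grep -c -e '-j LOG'
}

# Print the ruleset; with APPLY=1 (as root) load it atomically instead.
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Review the printed ruleset first; loading with `APPLY=1` replaces the live filter table and, since the policies are DROP, will cut off anything not covered by an ACCEPT rule.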


