how to avoid logging ACCEPTs?
I am running SuSEfirewall2 and am also running a Gnutella service on port 6346. I am getting tons of messages in my firewall log informing me that connections to port 6346 are being accepted. I don't care to know this. How can I set up an iptables rule to *not* log this fact?
Jun 18 12:48:40 telluride kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:50:da:5d:79:dc:00:03:fe:e2:40:8d:08:00 SRC=203.195.148.135 DST=xx.184.16.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20700 DF PROTO=TCP SPT=63787 DPT=6346 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
I am not an expert about iptables and would appreciate some help. Thanks!
On Tuesday 18 June 2002 19:30, Bob Berman wrote:
I am running SuSEfirewall2 and am also running a Gnutella service on port 6346. I am getting tons of messages in my firewall log informing me that connections to port 6346 are being accepted. I don't care to know this. How can I set up an iptables rule to *not* log this fact?
Jun 18 12:48:40 telluride kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=00:50:da:5d:79:dc:00:03:fe:e2:40:8d:08:00 SRC=203.195.148.135 DST=xx.184.16.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20700 DF PROTO=TCP SPT=63787 DPT=6346 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
I am not an expert about iptables and would appreciate some help.
You don't need to add a rule, it's a config option. In firewall2.rc.config at 16.) set FW_LOG_ACCEPT_CRIT to "no" and you should be rid of those messages.
--
GertJan
On Tuesday 18 June 2002 21:05, GertJan Spoelman wrote:
On Tuesday 18 June 2002 19:30, Bob Berman wrote:
I am running SuSEfirewall2 and am also running a Gnutella service on port 6346. I am getting tons of messages in my firewall log informing me that connections to port 6346 are being accepted. I don't care to know this. How can I set up an iptables rule to *not* log this fact?
You don't need to add a rule, it's a config option. In firewall2.rc.config at 16.) set FW_LOG_ACCEPT_CRIT to "no" and you should be rid of those messages.
Very true, but is there a somewhat easy way to suppress only that connection? Suppose one's not interested in [gnutella,pop3] but still would like logs for other ports/protocols [ssh,imap,cvs,whathaveyou]?
I'm just inquiring because I myself could also use a somewhat more fine-grained logging selection process, for instance not logging those pesky 'just-checking-if-I-have-new-mail-every-30-seconds' pop3 customers, or even worse the omnipresent port 137, but being interested in _everything_ else. As it is you can now choose between logging all 'deemed critical' connections, and none whatsoever...
I suppose adding a rule in some (well-chosen!) hook in --custom.rules to accept or deny will happily accomplish that, but you first have to enable that all the way at the end, well past the 'expert options, do not touch' point ;-) and it is not too well documented how to do that (i.e. not open everything up by a typo/thinko). Oh well... that's exactly what the "experts only" means I guess ;-))
Not to burden SuSE with still more work, but a new option in FW2 could be (I'm just thinking aloud here...) a field where it is left up to the user to define what exactly _will_ be defined as "CRIT" so as to be able to omit certain ports. Like so:
##
# Leave these at "Default" if you don't know what these mean.
FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143"
FW_LOG_DROP_CRIT_LIST="23 69 79"
#FW_LOG_DROP_CRIT_LIST="Default"
Although I know the SuSEfirewall quite well (better than I would've liked; it is quite an impressive and complex filter!) since the time I tweaked some statefulness into it back in the v1.7 days (to overcome the 'allow all highports' ehm... misfeature ;-) mostly for 53/udp traffic, I'm still quite sure I could not come up with a diff that adds the above feature... Sorry. ;-)
I did not even mail Marc Heuse my changes back then because I was not really confident that what I did was done in a clean way, and besides, who am I to criticise _The_ SuSE filter? Since then AFAIK some official changes reflect my own changes so that naturally boosted my confidence a bit. ;-))
Maybe Marc has some views on this... but he's probably quite busy.
Maarten
This is a great idea to allow logging of only selected services. I sure would like to see this in FW2.
I solved my problem by editing firewall2-custom.rc.config and adding the following line:
/usr/sbin/iptables -I INPUT 1 -i eth0 -s 0.0.0.0/0 -d xx.xxx.16.210 -p tcp --dport 6346 -j ACCEPT
Maybe it's not the most elegant solution, but it works for me!
On Wed, 19 Jun 2002, maarten van den Berg wrote:
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
On Wednesday 19 June 2002 18:57, you wrote:
This is a great idea to allow logging of only selected services. I sure would like to see this in FW2.
I solved my problem by editing firewall2-custom.rc.config and adding the following line:
/usr/sbin/iptables -I INPUT 1 -i eth0 -s 0.0.0.0/0 -d xx.xxx.16.210 -p tcp --dport 6346 -j ACCEPT
If you add this as rule nr. 1 you shortcut all the anti-spoofing countermeasures. I would suggest that is not a good idea... ;)
Maybe it's not the most elegant solution, but it works for me!
Maarten
--
This email has been scanned for the presence of computer viruses.
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
T +31204233288 F +31204233286 G +31651994273
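A safer form of the rule Bob added, as an added example that is neither from the thread nor from SuSEfirewall2 itself: it keeps the ACCEPT out of position 1 (which, as Maarten points out, skips the anti-spoofing rules) and takes a list of ports, along the lines of the FW_LOG_ACCEPT_CRIT_LIST idea. The hook name fw_custom_after_antispoofing, the address 192.0.2.10 and the port list are assumptions; the script prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the rule Bob posted, but
# appended to INPUT instead of inserted as rule 1, and for a list of ports
# in the spirit of Maarten's proposed FW_LOG_ACCEPT_CRIT_LIST. Assumes it is
# called from a SuSEfirewall2 custom hook that runs after the anti-spoofing
# rules are loaded (assumed name: fw_custom_after_antispoofing in
# firewall2-custom.rc.config), so "-A INPUT" lands behind them and before
# the logging and final deny rules built later. Commands are printed, not
# executed, so they can be reviewed first; pipe the output to sh to apply.
IPTABLES=/usr/sbin/iptables

# unlogged_accept IFACE DEST_IP PORT...
# One rule per TCP port: matching packets are accepted here and never reach
# the rule that logs "SuSE-FW-ACCEPT". Returns 1 on an invalid port.
unlogged_accept() {
  local iface="$1" dest="$2" port
  shift 2
  for port in "$@"; do
    case "$port" in
      ''|*[!0-9]*) echo "unlogged_accept: not a port number: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
      echo "unlogged_accept: port out of range: $port" >&2; return 1
    fi
    # Source is left unrestricted, as in Bob's rule ("-s 0.0.0.0/0" is implied).
    printf '%s -A INPUT -i %s -d %s -p tcp --dport %s -j ACCEPT\n' \
      "$IPTABLES" "$iface" "$dest" "$port"
  done
}

# Constructed example: silence Gnutella (6346) and POP3 (110) on eth0 for a
# documentation address; everything else keeps the normal SuSE-FW-ACCEPT logging.
unlogged_accept eth0 192.0.2.10 6346 110
```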
participants (4): Bob Berman, GertJan Spoelman, Maarten J H van den Berg, maarten van den Berg