[opensuse-security] How can I tell susefirewall not to log about a certain port?
Hi,

In the /etc/sysconfig/SuSEfirewall2 file I have:

FW_SERVICES_EXT_TCP="4662"

But entries to that port are logged:

Jul 15 14:07:25 nimrodel kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=189.... DST=192.168.1... LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6454 DF PROTO=TCP SPT=50867 DPT=4662 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204058401010402)

As it is a port I opened, I understand it should not be logged, it is not a "critical" port. I have:

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"

What could I do so that they are not logged? I want other ports logged, but not those I explicitly opened myself.

--
Cheers,
Carlos Robinson

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
Hi,

I have also spent some time with this exact same issue but unfortunately I do not have a solution for this, but it would be wise to remember that particular port is the default for a very well known application that I would seriously advise to log. The ideal would be to have a separate log just for this port. This adds another level of complexity in the issue, but IMHO it would be the perfect solution ...

Regards,
Pedro

--- "Carlos E. R." <robin.listas@telefonica.net> wrote:
Hi,
In the /etc/sysconfig/SuSEfirewall2 file I have:
FW_SERVICES_EXT_TCP="4662"
But entries to that port are logged:
Jul 15 14:07:25 nimrodel kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=189.... DST=192.168.1... LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6454 DF PROTO=TCP SPT=50867 DPT=4662 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204058401010402)
As it is a port I opened, I understand it should not be logged, it is not a "critical" port. I have:
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
What could I do so that they are not logged? I want other ports logged, but not those I explicitly opened myself.
--
Cheers,
Carlos Robinson
On Sunday 15 July 2007 15:13:12 Carlos E. R. wrote:
Hi,
In the /etc/sysconfig/SuSEfirewall2 file I have:
FW_SERVICES_EXT_TCP="4662"
But entries to that port are logged:
Jul 15 14:07:25 nimrodel kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:08:00 SRC=189.... DST=192.168.1... LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=6454 DF PROTO=TCP SPT=50867 DPT=4662 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (0204058401010402)
As it is a port I opened, I understand it should not be logged, it is not a "critical" port. I have:
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
What could I do so that they are not logged? I want other ports logged, but not those I explicitly opened myself.
Hi,

Since SuSEfirewall is merely a front-end for iptables, you can accomplish what you need by taking advantage of the following fact: iptables rules that have a target ACCEPT, DROP or REJECT cause the processing of subsequent rules to be terminated. To do logging, SuSE firewall sets two rules for the specific match: first a LOG rule and then an ACCEPT/DROP rule to specify the packet's fate. This allows you to do the following:

Edit the /etc/sysconfig/scripts/SuSEfirewall2-custom file and find the fw_custom_before_port_handling() function definition. Inside the function (that is - before the 'true' command) add a rule that would accept all traffic to the port in question. That should be something like this:

iptables -t filter -I input_ext -p tcp --dport 4662 -j ACCEPT

You should no longer see any logging output for that port. A drawback is that you should add a rule for each port you have opened. You can overcome this by creating a script that would check the firewall's configuration file in /etc/sysconfig and add ACCEPT rules for each port opened (mind that services might be specified by both port number and service name for well-known services, as found in /etc/services file). If you have trouble writing such a script, please don't hesitate to contact me again.

Best regards.

--
Blade hails you...
The music is dead, the amen is said
The kiss of faith is what I beg
--Nightwish
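A script of the kind Boyan suggests, as an added example that is not from the thread: it reads FW_SERVICES_EXT_TCP from the sysconfig file, resolves service names through a services file, and prints one ACCEPT rule per entry for the input_ext chain. The sample config and services file are constructed so it runs offline; the chain name and rule form are taken from Boyan's message.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the per-port ACCEPT rules
# Boyan describes from FW_SERVICES_EXT_TCP, resolving service names the way
# /etc/services does, so each opened port skips SuSEfirewall2's LOG rule.

# Constructed sample config and services file so this runs offline.
SAMPLE_CFG=$(mktemp)
SAMPLE_SVC=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_SVC"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
# constructed stand-in for /etc/sysconfig/SuSEfirewall2
FW_SERVICES_EXT_TCP="4662 ssh 8080:8090"
FW_LOG_ACCEPT_CRIT="yes"
EOF
cat >"$SAMPLE_SVC" <<'EOF'
# constructed stand-in for /etc/services
ssh             22/tcp
http            80/tcp          www
EOF

# resolve_port ENTRY SERVICES_FILE
# Numbers and port ranges (8080:8090) pass through; a service name is looked
# up as a tcp entry in SERVICES_FILE; an unknown name returns non-zero.
resolve_port() {
    case "$1" in
        *[!0-9:]*)
            awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ {
                sub(/\/tcp$/, "", $2); print $2; f = 1; exit
            } END { exit !f }' "$2" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# accept_rules CFG SERVICES_FILE
# Prints one iptables command per entry; nothing is executed, so the output
# can be reviewed and then run from fw_custom_before_port_handling().
accept_rules() {
    ports=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"/\1/p' "$1")
    for p in $ports; do
        num=$(resolve_port "$p" "$2") || { echo "skipping unknown service: $p" >&2; continue; }
        printf 'iptables -t filter -I input_ext -p tcp --dport %s -j ACCEPT\n' "$num"
    done
}

accept_rules "$SAMPLE_CFG" "$SAMPLE_SVC"
```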
Carlos E. R. wrote:
[...]
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
What could I do so that they are not logged? I want other ports logged, but not those I explicitly opened myself.

Set FW_LOG_ACCEPT_CRIT=no

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
participants (4)
- Boyan Tabakov
- Carlos E. R.
- Ludwig Nussel
- pedrocsort-e@yahoo.com