Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] how to avoid logging ACCEPTs?
  • From: Bob Berman <rjberman@xxxxxxxxxxxxx>
  • Date: Wed, 19 Jun 2002 12:57:12 -0400 (EDT)
  • Message-id: <Pine.LNX.4.33.0206191253040.3590-100000@xxxxxxxxxxxxxxxxxxxxx>

This is a great idea to allow logging of only selected services.
I sure would like to see this in FW2.

I solved my problem by editing firewall2-custom.rc.config and adding
the following line:

/usr/sbin/iptables -I INPUT 1 -i eth0 -s 0.0.0.0/0 -d xx.xxx.16.210 -p tcp \
    --dport 6346 -j ACCEPT

Maybe it's not the most elegant solution, but it works for me!


On Wed, 19 Jun 2002, maarten van den Berg wrote:

> On Tuesday 18 June 2002 21:05, GertJan Spoelman wrote:
> > On Tuesday 18 June 2002 19:30, Bob Berman wrote:
> > > I am running SuSEfirewall2 and am also running a Gnutella service
> > > on port 6346. I am getting tons of messages in my firewall log informing
> > > me that connections to port 6346 are being accepted. I don't care to know
> > > this. How can I set up an iptables rule to *not* log this fact?
>
> > You don't need to add a rule, it's a config option.
> > In firewall2.rc.config at 16.) set FW_LOG_ACCEPT_CRIT to "no"
> > and you should be rid of those messages.
>
> Very true, but is there a somewhat easy way to suppress only that connection?
> Suppose one's not interested in [gnutella,pop3] but still would like logs for
> other ports/protocols [ssh,imap,cvs,whathaveyou] ?
>
> I'm just inquiring because I myself could also use a somewhat more
> fine-grained logging selection process, for instance not logging those pesky
> 'just-checking-if-I-have-new-mail-every-30-seconds' pop3 customers, or even
> worse the omnipresent port 137, but being interested in _everything_ else.
> As it is you can now choose between logging all 'deemed critical'
> connections, and none whatsoever...
>
> I suppose adding a rule in some (well-chosen!) hook in --custom.rules to
> accept or deny will happily accomplish that, but you first have to enable
> that all the way at the end, well past the 'expert options, do not touch'
> -point ;-) and it is not too well documented how to do that (ie. not open
> everything up by a typo/thinko).
> Oh well... that's exactly what the "experts only" means I guess ;-))
>
> Not to burden SuSE with still more work, but a new option in FW2 could be (I'm
> just thinking aloud here...) a field where it is left up to the user to
> define what exactly _will_ be defined as "CRIT" so as to be able to omit
> certain ports. Like so:
>
> ##
> # Leave these at "Default" if you don't know what these mean.
> FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143"
> FW_LOG_DROP_CRIT_LIST="23 69 79"
> #FW_LOG_DROP_CRIT_LIST="Default"
>
> Although I know the SuSEfirewall quite well (better than I would've liked; it
> is quite an impressive and complex filter!) since the time I tweaked some
> statefulness into it back in the v1.7 days (to overcome the 'allow all
> highports' ehm... misfeature ;-) mostly for 53/udp traffic, I'm still quite
> sure I could not come up with a diff that adds the above feature...
> Sorry. ;-)
>
> I did not even mail Marc Heuse my changes back then because I was not really
> confident that what I did was done in a clean way, and besides, who am I to
> criticise _The_ SuSE filter? Since then AFAIK some official changes reflect
> my own changes so that naturally boosted my confidence a bit. ;-))
>
> Maybe Marc has some views on this... but he's probably quite busy.
>
>
> Maarten
>
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
>

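The two approaches discussed in this thread, as an added example that is not part of the original mail and not SuSEfirewall2's own code: Bob's trick of inserting an ACCEPT ahead of the LOG rule for one port, and a dedicated chain that does what the proposed FW_LOG_ACCEPT_CRIT_LIST would do, logging accepted NEW connections only to the listed ports. The chain name log_accept_crit, the log prefix, the interface eth0 and the address 192.0.2.10 are my own placeholders. The script prints rules instead of applying them unless IPT is pointed at a real iptables binary, so it can be read and run without root.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code. Two ways to keep accepted
# connections to chosen ports out of the firewall log.
#
# Dry-run by default: every rule is printed instead of applied, so this
# runs without root or iptables installed. Set IPT=/usr/sbin/iptables to
# apply the rules for real.
IPT="${IPT:-echo iptables}"

# accept_unlogged IFACE DSTADDR PORT
# The trick from the mail above: insert an ACCEPT at position 1 of INPUT
# so matching packets are accepted before they reach the LOG rule that the
# firewall appends further down. Rules are evaluated top to bottom and
# ACCEPT ends traversal, so nothing for that port is ever logged.
accept_unlogged() {
    iface="$1"; dst="$2"; port="$3"
    $IPT -I INPUT 1 -i "$iface" -d "$dst" -p tcp --dport "$port" -j ACCEPT
}

# log_accept_crit IFACE PORT...
# The finer-grained selection asked for in the quoted reply: a dedicated
# chain that logs NEW TCP connections only to the listed ports and returns
# silently for everything else. Chain name and prefix are placeholders.
log_accept_crit() {
    iface="$1"; shift
    # create the chain, or empty it if it already exists so the port list
    # can be reloaded in place
    $IPT -N log_accept_crit 2>/dev/null || $IPT -F log_accept_crit
    for port in "$@"; do
        $IPT -A log_accept_crit -i "$iface" -p tcp --dport "$port" \
            -m state --state NEW -j LOG --log-prefix "SFW2-ACC-CRIT " \
            --log-level info
    done
    # anything not matched above goes back to INPUT unlogged
    $IPT -A log_accept_crit -j RETURN
    # hook the chain in ahead of the ACCEPT rules that follow in INPUT
    $IPT -I INPUT 1 -i "$iface" -p tcp -m state --state NEW -j log_accept_crit
}

# Constructed usage, mirroring FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143" from
# the proposal and the port 6346 case from the mail:
#   accept_unlogged eth0 192.0.2.10 6346
#   log_accept_crit eth0 21 22 25 143
```

Both functions use `-I INPUT 1`, which puts the rule ahead of every other check in INPUT, including any anti-spoofing and state rules the firewall itself installed. That is exactly the "typo/thinko" risk Maarten points at: a wrong port or address in accept_unlogged quietly opens more than intended, and the chain hook must be placed so it is not also matched by the firewall's own LOG rules, or the connection gets logged twice. Check the result with `iptables -L INPUT -n --line-numbers` after applying.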