Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] how to avoid logging ACCEPTs?
  • From: maarten van den Berg <maarten@xxxxxxx>
  • Date: Wed, 19 Jun 2002 01:13:51 +0200
  • Message-id: <200206190113.51773.maarten@xxxxxxx>
On Tuesday 18 June 2002 21:05, GertJan Spoelman wrote:
> On Tuesday 18 June 2002 19:30, Bob Berman wrote:
> > I am running SuSeFirewall2 and am also running a Gnutella service
> > on port 6346. I am getting tons of messages in my firewall log informing
> > me that connections to port 6346 are being accepted. I don't care to know
> > this. How can I set up an iptables rule to *not* log this fact?

> You don't need to add a rule, it's a config option.
> In firewall2.rc.config at 16.) set FW_LOG_ACCEPT_CRIT to "no"
> and you should be rid of those messages.

Very true, but is there a somewhat easy way to suppress only that connection?
Suppose one's not interested in [gnutella,pop3] but still would like logs for
other ports/protocols [ssh,imap,cvs,whathaveyou] ?

I'm just inquiring because I myself could also use a somewhat more
fine-grained logging selection process, for instance not logging those pesky
'just-checking-if-I-have-new-mail-every-30-seconds' pop3 customers, or even
worse the omnipresent port 137, but being interested in _everything_ else.
As it is you can now choose between logging all 'deemed critical'
connections, and none whatsoever...

I suppose adding a rule in some (well-chosen!) hook in --custom.rules to
accept or deny will happily accomplish that, but you first have to enable
that all the way at the end, well past the 'expert options, do not touch'
-point ;-) and it is not too well documented how to do that (i.e. not open
everything up by a typo/thinko).
Oh well... that's exactly what the "experts only" means I guess ;-))

Not to burden SuSE with still more work, but a new option in FW2 could be (I'm
just thinking aloud here...) a field where it is left up to the user to
define what exactly _will_ be defined as "CRIT" so as to be able to omit
certain ports. Like so:

##
# Leave these at "Default" if you don't know what these mean.
FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143"
FW_LOG_DROP_CRIT_LIST="23 69 79"
#FW_LOG_DROP_CRIT_LIST="Default"

Although I know the SuSEfirewall quite well (better than I would've liked; it
is quite an impressive and complex filter!) since the time I tweaked some
statefulness into it back in the v1.7 days (to overcome the 'allow all
highports' ehm... misfeature ;-) mostly for 53/udp traffic, I'm still quite
sure I could not come up with a diff that adds the above feature...
Sorry. ;-)

I did not even mail Marc Heuse my changes back then because I was not really
confident that what I did was done in a clean way, and besides, who am I to
criticise _The_ SuSE filter? Since then AFAIK some official changes reflect
my own changes so that naturally boosted my confidence a bit. ;-))

Maybe Marc has some views on this... but he's probably quite busy.


Maarten
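
Added example, not part of the original mail and not SuSEfirewall2 code: a sketch of the per-port log selection proposed above, printing plain iptables commands for review. The INPUT chain, the "ACCEPT-CRIT " prefix and OPEN_TCP_PORTS are assumptions; FW_LOG_ACCEPT_CRIT_LIST is the hypothetical option from the mail.

```shell
#!/bin/sh
# Added illustration. Sample values below are constructed.
OPEN_TCP_PORTS="22 110 143 6346"          # assumed: services accepted from outside
FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143"    # hypothetical option proposed in the mail

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# in_list ITEM LIST: succeed if ITEM is a whole word in LIST.
in_list() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# gen_accept_rules OPEN_PORTS LOG_PORTS
# Prints iptables commands; it does not execute them.
gen_accept_rules() {
    # Validate everything first so a typo yields no partial ruleset.
    for _p in $1; do
        if ! valid_port "$_p"; then
            echo "refusing to generate rules: bad port '$_p'" >&2
            return 1
        fi
    done
    for _p in $1; do
        if in_list "$_p" "$2"; then
            # LOG is non-terminating, so it must precede the ACCEPT.
            # --syn limits the log to one line per new TCP connection.
            echo "iptables -A INPUT -p tcp --dport $_p --syn -j LOG --log-prefix \"ACCEPT-CRIT \""
        fi
        echo "iptables -A INPUT -p tcp --dport $_p -j ACCEPT"
    done
}

gen_accept_rules "$OPEN_TCP_PORTS" "$FW_LOG_ACCEPT_CRIT_LIST"
```

With the sample values, ssh (22) and imap (143) get a LOG rule ahead of their ACCEPT, while pop3 (110) and Gnutella (6346) are accepted silently.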

