floppyfw
log remote

Archival page … no longer updated.

How to log floppyfw activity to a remote pc

•  floppyfw config • floppyfw firewall.ini • remote logging in » Linux • Windows™ • Oregon grin •

  • What you will need

  • I used the floppyfw-3.0.12 release with these examples but any stable 3.0.xx release will do.
  • A Linux system already contains the software needed to set up remote logging (the syslog daemon).
  • If you are going to log to a Windows™ pc, I highly recommend Kiwi Syslog Daemon.
  • Configuration Procedure

  • floppyfw config
  • The floppyfw config file needs a few changes from the defaults to log to a pc on your network. The following annotated example logs to the pc with IP address 10.42.42.2, which must be listening on UDP port 514.
  • The lines changed from the defaults are USE_SYSLOG=y and the SYSLOG_TTY, SYSLOG_NET and SYSLOG_MARK assignments, whose leading comment "#" has been removed. A modified section of the floppyfw config file -
    # 
    # Turning on syslogd and klogd. 
    # This is a nice thing but will eat CPU which is why it is turned 
    # off by default.
    # The firewall.ini file is where you can turn on logging of rejected packets.
    #
    USE_SYSLOG=y
    
    # Uncomment to log to /dev/vc/4 instead of /var/log/messages
    # which isn't exactly a good idea on a ramdisk.
    SYSLOG_TTY="-O $DEBUG_LOG"
    # Or to another virtual console than the other messages.
    # Both assignments are uncommented here; the later one wins, so the
    # local copy of the log goes to /dev/vc/4.
    SYSLOG_TTY="-O /dev/vc/4"
    
    # Uncomment to log to network. host:port
    SYSLOG_NET="-R 10.42.42.2:514"
    
    # Uncomment to not print a mark
    SYSLOG_MARK="-m 0"
    
    # -L makes busybox syslogd log both locally and to the network when both are set
    [ "$SYSLOG_TTY" -a "$SYSLOG_NET" ] && SYSLOG_BOTH="-L"
    SYSLOG_FLAGS="$SYSLOG_MARK $SYSLOG_TTY $SYSLOG_NET $SYSLOG_BOTH"
    
  • The config file changes are the same whether the remote logging pc runs Linux or Windows™. Since firewall.ini sets the OUTPUT policy to DROP, also make sure it lets the firewall's own UDP traffic out to 10.42.42.2 port 514 on the inside interface, or nothing will ever arrive at the logging pc.


  • floppyfw firewall.ini
  • The floppyfw firewall.ini file is where you select what gets logged. The pattern is simple: a packet is sent to a small user-defined chain that LOGs it with a prefix and then applies the verdict (DROP, or RETURN to the calling chain), as in the following annotated example.
  • The section titled "LOG Chains" may be added just after the default "DROP everything" policy in firewall.ini.
    #
    # Policy for chains DROP everything
    #
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # LOG Chains
    # Each chain logs with its own prefix, then applies the verdict.
    # A bare "-m limit" uses the iptables defaults: at most 3 log entries
    # per hour after an initial burst of 5, so a flood shows up as a few
    # lines rather than thousands.
    iptables -N SynfloodLOG
    iptables -A SynfloodLOG -m limit -j LOG --log-prefix "Syn-flood DROP [-]: "
    iptables -A SynfloodLOG -j DROP
    #
    iptables -N NewnotsynLOG
    iptables -A NewnotsynLOG -m limit -j LOG --log-prefix "Newnotsyn DROP [-]: "
    iptables -A NewnotsynLOG -j DROP
    #
    # No "-m limit" here: every NEW/INVALID packet from outside gets logged.
    iptables -N StateLOG
    iptables -A StateLOG -j LOG --log-prefix "State DROP [-]: "
    iptables -A StateLOG -j DROP
    #
    # Logs and then RETURNs to the calling chain instead of dropping.
    iptables -N ap113LOG
    iptables -A ap113LOG -m limit -j LOG --log-prefix "ap113LOG RET [-]: "
    iptables -A ap113LOG -j RETURN
  • Just below the LOG Chains we inserted, firewall.ini has its SYN-flood rules; they need one change to use the SynfloodLOG chain set up above.
  • The line "iptables -A syn-flood -j DROP" (shown commented out below) is what firewall.ini contains by default; it drops packets that exceed the syn-flood limit without logging them. Replacing it with the "-j SynfloodLOG" line just below it sends those packets to the SynfloodLOG chain created above, where they are rate-limited, logged with the "Syn-flood DROP [-]: " prefix and then dropped.
    #
    # SYN-Flooding protection
    # Looks good and nicked from a firewall script mentioned on floppyfw.something.
    # Didn't work that well.. 
    #
    iptables -N syn-flood
    iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    # iptables -A syn-flood -j DROP
    iptables -A syn-flood -j SynfloodLOG
    
  • In a similar manner, the rules that feed the other LOG Chains need editing in firewall.ini as follows (the original rule is shown commented out above its replacement) -
    # Make sure NEW tcp connections are SYN packets
    # iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP 
    iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j \
    NewnotsynLOG
    
    #
    # Keep state and open up for outgoing connections.
    #
    iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
    iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j StateLOG
    
    #
    # If the user wants to have the fake identd running, the identd has to
    # be able to answer.
    #
    if [ ${FAKEIDENT} ] 
    then
      iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j ACCEPT
    else
      iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j ap113LOG
      iptables -A INPUT -p TCP --dport 113 -i ${OUTSIDE_DEVICE} -j REJECT \
    --reject-with tcp-reset
    fi
  • Please note that when FAKEIDENT is not set, the ident (auth) port 113 is handled as shown: the first rule sends the packet to ap113LOG, which logs it and, because the chain ends with RETURN rather than DROP, hands the packet back to the INPUT chain. Processing continues with the next rule there, which REJECTs the packet with a TCP reset. The added ap113LOG rule together with the RETURN target in that LOG Chain is what lets you log the attempt BEFORE you REJECT it.
  • Also see Some useful references: iptables-tutorial link at the bottom of this page.
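  • The four LOG Chains above all follow one pattern: create a chain, LOG with a prefix under a rate limit, apply the verdict. The shell script below is an added example (not from floppyfw or from the original page) that wraps that pattern in a function and adds the checks a practitioner wants: it refuses prefixes longer than the 29 characters iptables allows for --log-prefix, and it lets you set an explicit rate instead of relying on the bare "-m limit" default of 3 entries per hour. By default it only prints the rules (a dry run needing no root); the APPLY=1 switch, the function names and the 10/min limit given to StateLOG are this example's own choices, not something the page or floppyfw defines.

```shell
#!/bin/sh
# Added example, not part of floppyfw's firewall.ini: build the "log, then
# verdict" chains the page writes out by hand, with a prefix-length check
# and an optional explicit rate limit.
#
# Rules are only printed unless APPLY=1 is set, in which case they are also
# executed with the real iptables binary (needs root).

# emit ARGS...: print "iptables ARGS" (quoting arguments that contain
# spaces, so the dry-run output can be pasted back into a shell) and run
# it when APPLY=1.
emit() {
    out=""
    for a in "$@"; do
        case $a in
            *' '*) out="$out '$a'" ;;
            *)     out="$out $a" ;;
        esac
    done
    printf '%s\n' "iptables$out"
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    fi
}

# logchain NAME PREFIX VERDICT [RATE [BURST]]
#   Creates user chain NAME that LOGs with --log-prefix "PREFIX [-]: " and
#   then jumps to VERDICT (DROP, REJECT or RETURN; RETURN hands the packet
#   back to the calling chain, as the page does for port 113).
#   A bare "-m limit" means the iptables default of 3 log entries per hour
#   after a burst of 5; pass RATE (e.g. 10/min) and BURST to override it.
#   iptables caps --log-prefix at 29 characters, so the prefix is checked.
logchain() {
    name=$1 prefix="$2 [-]: " verdict=$3 rate=$4 burst=${5:-5}
    if [ ${#prefix} -gt 29 ]; then
        echo "logchain: prefix '$prefix' exceeds 29 characters" >&2
        return 1
    fi
    limit="-m limit"
    if [ -n "$rate" ]; then
        limit="-m limit --limit $rate --limit-burst $burst"
    fi
    emit -N "$name"
    emit -A "$name" $limit -j LOG --log-prefix "$prefix"
    emit -A "$name" -j "$verdict"
}

# The four chains from the page.  StateLOG gets an explicit limit here
# because the page's version logs every INVALID/NEW packet unthrottled.
logchain SynfloodLOG  "Syn-flood DROP" DROP
logchain NewnotsynLOG "Newnotsyn DROP" DROP
logchain StateLOG     "State DROP"     DROP 10/min 20
logchain ap113LOG     "ap113LOG RET"   RETURN
```

  • Run it once without APPLY to review the generated rules, then with APPLY=1 on the firewall (or paste the printed lines into firewall.ini). The hook rules that jump into these chains (the -j SynfloodLOG, -j NewnotsynLOG, -j StateLOG and -j ap113LOG lines above) are unchanged.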


  • remote logging in Linux
  • Linux pc setup: To log your floppyfw box to a remote Linux host, the following files require editing. In my Fedora Core 5 examples below, the files /etc/sysconfig/syslog and /etc/rc.d/init.d/syslog (symlinked as /etc/init.d/syslog) were both edited to add the -r option to the variable "SYSLOGD_OPTIONS". This method works for the Red Hat and Fedora flavors of Linux. Note that the init script only falls back to its own SYSLOGD_OPTIONS when /etc/sysconfig/syslog is missing (see the if/else below), so on a normal install the edit to /etc/sysconfig/syslog is the one that takes effect.
  • In Debian, for example, the options for /etc/init.d/sysklogd are set in /etc/default/syslogd and the variable is named differently. Your distro may be different yet, but you will need to start the syslog daemon with the -r option to get it listening on UDP port 514 for log messages from your floppyfw host. Also see the syslogd man page. Bear in mind that -r makes syslogd accept datagrams from any host, unauthenticated and in clear text, so only enable it on a trusted network and, if the logging pc has its own firewall, allow UDP 514 in from the floppyfw box's address only.
    fedora core 5 file: /etc/sysconfig/syslog
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages received with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-m 0 -r"
    • • •
    fedora core 5 file: /etc/rc.d/init.d/syslog (symlinked as /etc/init.d/syslog)
    #!/bin/bash
    #
    # syslog        Starts syslogd/klogd.
    #
    #
    # chkconfig: 2345 12 88
    # description: Syslog is the facility by which many daemons use to log \
    # messages to various system log files.  It is a good idea to always \
    # run syslog.
    ### BEGIN INIT INFO
    # Provides: $syslog
    ### END INIT INFO
    
    # Source function library.
    . /etc/init.d/functions
    
    [ -f /sbin/syslogd ] || exit 0
    [ -f /sbin/klogd ] || exit 0
    
    # Source config
    if [ -f /etc/sysconfig/syslog ] ; then
    	. /etc/sysconfig/syslog
    else
    	SYSLOGD_OPTIONS="-m 0 -r"
    	KLOGD_OPTIONS="-2"
    fi
    • • •
  • Next, you may need to edit the /etc/syslog.conf file; the Fedora Core 5 default is shown in this example. The syslog.conf(5) man page explains the facility.level selectors and the log levels used below.
    fedora core 5 file: /etc/syslog.conf
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*							/dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none		/var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.*						/var/log/secure
    
    # Log all the mail messages in one place.
    mail.*							-/var/log/maillog
    
    # Log cron stuff
    cron.*							/var/log/cron
    
    # Everybody gets emergency messages
    *.emerg							*
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit						/var/log/spooler
    
    # Save boot messages also to boot.log
    local7.*						/var/log/boot.log
  • In summary, the floppyfw host sends its log data to the IP you selected (10.42.42.2 in this example) and the remote pc listens on UDP port 514 to receive it. Where it gets saved, and what gets saved, is determined by syslog.conf. Messages of level 6 down to 0 (info or higher) are saved to /var/log/messages, except mail, authpriv and cron messages, which the "mail.none;authpriv.none;cron.none" part of the selector excludes. The iptables LOG entries arrive with the kern facility (klogd relays them to syslogd on the floppyfw box), so they end up in /var/log/messages. If you log in to your floppyfw box using public key authentication (pka), those connections are logged to /var/log/secure by the authpriv.* line in this example syslog.conf. Your floppyfw logs will be mixed in with the logging pc's own messages, but you can filter the log data on the hostname field to see just your firewall. What syslogd puts in that field is the sender's name from a reverse DNS lookup, or its IP address when lookups are disabled with -x, so check one received line before writing your filter.
  • An excerpt from the sans.org paper1529.

    Preparing for Remote Logs
    In order to tell syslogd to accept remote logs, remote logging must be turned on in two configuration files. The two configuration file settings are similar, so the same change will be performed on both files. Modify the files /etc/init.d/syslog and /etc/sysconfig/syslog. The SYSLOGD_OPTIONS variable by default should be set to "-m 0". Add to this the -r option. This will make the line look like SYSLOGD_OPTIONS="-m 0 -r". Save and exit the file and restart syslog using the command service syslog restart.

    Client Setup - - -
    After the firewall setup, Syslog setup is needed. Unlike the server configuration, there is only a single file to modify. This file is /etc/syslog.conf. This file determines where to send log file entries. All messages, with the exception of mail, are by default placed in the /var/log/messages file, as long as they are of info or higher levels.
  • Also see Some useful references: sans.org paper1529.pdf link at the bottom of this page.
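  • Once the messages land in /var/log/messages you will want to pull out just the firewall's LOG lines. The script below is an added example (not from the original page or from floppyfw): a shell function that filters the collector's messages file on the hostname field and summarises the iptables entries by log prefix, source address and protocol/destination port, skipping the collector's own messages and the firewall's non-iptables lines. The log lines, the hostname "fw" and the addresses in them are constructed sample data; substitute the name or address your syslogd records for the floppyfw box.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise the iptables LOG
# lines a floppyfw box sends to the collector.

# fwsummary FWHOST < /var/log/messages
#   Prints "count prefix|SRC|PROTO/DPT" lines, most frequent first.
fwsummary() {
    awk -v host="$1" '
    # field(s, key): value of "key" in the LOG line s, or "-" when absent
    # (ICMP entries, for instance, carry no DPT=).
    function field(s, key,    p, e) {
        p = index(s, " " key)
        if (p == 0) return "-"
        s = substr(s, p + length(key) + 1)
        e = index(s, " ")
        if (e == 0) return s
        return substr(s, 1, e - 1)
    }
    # sysklogd line layout: "Mon DD HH:MM:SS host tag: message"
    $4 != host { next }
    {
        i = index($0, "kernel: ")
        if (i == 0) next                       # not a kernel message at all
        rest = substr($0, i + 8)
        j = index(rest, " IN=")
        if (j == 0) next                       # kernel message, but not a LOG entry
        prefix = substr(rest, 1, j - 1)        # e.g. "Syn-flood DROP [-]:"
        key = prefix "|" field(rest, "SRC=") "|" field(rest, "PROTO=") "/" field(rest, "DPT=")
        n[key]++
    }
    END { for (k in n) printf "%6d %s\n", n[k], k }
    ' | sort -rn
}

# Constructed sample of what the collector's /var/log/messages might hold:
# six iptables entries from the firewall "fw", one non-iptables kernel line
# from it, and one kernel line from the collector itself ("logsrv").
sample_log() {
    cat <<'EOF'
Jan  3 10:15:02 fw kernel: Syn-flood DROP [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 10:15:02 fw kernel: Syn-flood DROP [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44513 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 10:15:03 fw kernel: Syn-flood DROP [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44514 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 10:15:04 fw kernel: State DROP [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3221 PROTO=UDP SPT=1040 DPT=1434 LEN=384
Jan  3 10:15:04 fw kernel: State DROP [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3222 PROTO=UDP SPT=1040 DPT=1434 LEN=384
Jan  3 10:15:05 fw kernel: ap113LOG RET [-]: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44600 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  3 10:15:06 fw kernel: eth0: link up, 100Mbps, full-duplex
Jan  3 10:15:07 logsrv kernel: usb 1-1: new full speed USB device using uhci_hcd and address 2
EOF
}

# Demo on the constructed sample; on the collector use:  fwsummary fw < /var/log/messages
sample_log | fwsummary fw
```

  • Because the page's chains rate-limit the LOG target, the counts are of logged entries, not of every dropped packet; a flood shows up as a handful of lines per hour rather than a full packet count.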
  • remote logging in Windows™
  • Windows™ pc setup: Windows™ requires a syslog daemon. Kiwi Syslog Daemon is an excellent choice and maintains a free version. It may be configured to run as an application or as a service in Windows 2000 or Windows XP. I run it as a service. Both versions are included in the same download. If the pc runs a host firewall (Windows Firewall on XP SP2 and later), allow inbound UDP 514 from the floppyfw box or the messages will never reach Kiwi.
  • Quoted from the Kiwi Syslog Daemon web site:

    "Kiwi Syslog Daemon is designed to be as flexible and as easy to use as possible. For this reason it is extremely easy to initially setup. To setup Kiwi Syslog Daemon all you need to do is install the application in the desired location on your system. By default it will listen for syslog messages that are sent to UDP port 514. For the basic configuration no further setup is required. To have Kiwi Syslog Daemon receive syslog messages you will need to configure your sending network devices to send their information to the IP address of the system that Kiwi Syslog Daemon is installed on. "

  • The Kiwi Syslog Daemon On-line Manual contains all you need to know to configure your pc for both the service edition and the application version.
  • remote logging in Oregon
  • a little remote logging history grin


Some useful references:
floppyfw
iptables-tutorial
sans.org paper1529.pdf


Updated: 03-Jan-2012