topic Re: Enable Logging on RH 7.3 Firewall in Operating System - Linux

Enable Logging on RH 7.3 Firewall

varian_1 — Mon, 13 Oct 2003 09:46:10 GMT

Hi,

I am using RedHat 7.3 with firewall on Multihome machine. I have configured the rules thru Firewall-config utility & its working fine.
But no log is being generated of the firewall rules either in /var/log/messages or /var/log/secure .

Can please let me know how to enable the logging into Linux 7.3 Firewall, so that the log can be generated of the packet passed thru the firewall & packet denied thru the firewall.

Thanks in advance.

Varian.

Re: Enable Logging on RH 7.3 Firewall

Steven E. Protter — Mon, 13 Oct 2003 10:05:52 GMT

Which firewall are you using, iptables or ipchains.

I don't currently keep a log on my iptables firewall but want to. If your question is an iptables question, I'll figure it out and get back to you. FAST.

Firewall configuration is in the following file:

/etc/sysconfig/iptables or ipchains

Depending on which one you are using.

SEP

Re: Enable Logging on RH 7.3 Firewall

Alexander Chuzhoy — Mon, 13 Oct 2003 10:06:27 GMT

try to execute the command from command promt.I think RedHat 7.3 uses ipchains by default and it there is a newer application called iptables
here is the example of adding a rule with logging using iptables
iptables -A INPUT -p tcp -m multiport -m state --state NEW --dport 22,25,110,113 -i eth0 -m limit -j LOG --log-prefix "ACCEPTED:"

anyway if you still would like to use ipchains -see it's man.
by the way to stop using ipchains and to move forward to iptables you must do the following one by one:
chkconfig ipchains off
chkconfig --del ipchains
chkconfig --add iptables
chkconfig iptables on

Re: Enable Logging on RH 7.3 Firewall

Steven E. Protter — Mon, 13 Oct 2003 12:59:06 GMT

You don't want to use ipchains. Its obsolete.

I'm going to need a couple of hours to play around and get you a working configuration.

If I find a doc, I'll post it and give you a head start.

Here is a possbility.
http://linux.ardynet.com/ipmasq/ipmasq.php3#iptables
What I have yet to figure out is how to define the logfile. Then of course, you have to filter and interpret the log file.
I will give this a shot in about 7-8 hours when I get to my test Linux Server.

Please if my work is useful reward it with the point system.

SEP

Re: Enable Logging on RH 7.3 Firewall

Steven E. Protter — Mon, 13 Oct 2003 13:46:49 GMT

I have messages logging to /var/log/messages

Here is how:
in /etc/sysconfig/iptables same rule as you were editing...

-A INPUT -d ip_of_nic -m state RELATED,ESTABLISHED -j LOG --log-level 2 --log-tcp-sequence

Logging is pretty intense and I'm going to dial it back and play some more.

SEP

Re: Enable Logging on RH 7.3 Firewall

Steven E. Protter — Mon, 13 Oct 2003 14:09:43 GMT

I'm going to give it a rest now.

I found this document particularly useful.

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-iptables-options.html

Check the man on syslog.conf for directing the output into a different file. Watch diskspace on /var

SEP