
How do I get a firewall to list what it is doing in /var/log/messages 2


fenris

Programmer
May 20, 1999
824
CA
I went to and created a firewalling script for my machine.

I also went to site and followed their demo on how to install a firewall. The odd thing was they made extensive use of ktail to monitor what was happening in /var/log/messages, and it showed that the firewall was actively working. When I tried this, the only thing that I got was my su'ing! I don't know what is going on here. If you want me to post the contents of the firewall, I will, but there is quite a large number of lines to contend with.
 
I found a snippet in the firewall code that may tell you where it is logging to. I am not sure where it is logging to from the snippet below.
[tt]
# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp --destination-port $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp --icmp-type 13:255 -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
[/tt]
 
The key argument is the "-l" at the end of each ipchains command. This turns logging on for the rule that is being created.
 
Doh! I forgot to say, according to the ipchains man page, this logs using the printk() function. According to the printk() man page, it logs to the system console. So, you may find your console device getting spammed with firewall messages. They will also be logged to /var/log/console.
 
Thank you very much Andy, I will try that as soon as I get home. I knew it was going somewhere but I just didn't know where. Thank you for explaining how you arrived at your solution; it will give me another option the next time I run into problems. Thanks. BTW, would the man pages have any good recipes for spaghetti sauce ;)
 
Hehe - not the man pages, exactly, but if you ever get the emacs source, take a look in the documentation that is supplied for some laughs, and a recipe or two ;^)
 
I tried looking at /dev/console but nothing is being displayed there. I don't know where else to look. It seems that my firewall is not running then?

I also broke ktail, I am not sure what happened but when I run it I get the error message:
KCharset: Wrong charset!

I don't know what caused this. As far as I know I didn't do anything, but I know it probably was my fault.

 
I have a related question. I got my firewall script configured at and I am not sure how to modify it so that it works with my PPPoE. Would I configure the script as if the system was using ppp? If that were the case then I would modify the script and, where I would specify ppp0 as the internet connection, in its place I would put eth1? Would it help if I posted the script? It is rather long and I am not sure if it would help.
 
Doh! I got my systems mixed up when I posted about "/var/log/console". This file may not exist on your Linux server, so take a look in /var/log/syslog, /var/log/daemon, and others, for messages from the firewall. Sorry for the confusion!

On a related note, /dev/console is the device file for the console. If you ran the command "echo Hello World! >/dev/console", it would appear on the system console. This is usually the first virtual screen on a Linux box. Press Ctrl+Alt+F1 to view it, and Ctrl+Alt+F7 to get back to X.

The "printk" command prints kernel related error messages via the syslog facility to the system console. So, depending upon some parameters passed to "printk" when it runs, it will also log to a text file.

Most messages sent to /dev/console are also logged to a text file in /var/log. (Don't worry, though, normal output isn't, so you won't get big vi sessions that take place on the console logged, for example.) It's a security thing, as the console is only so long, you can only view so many messages. So, things like error and status messages, and output from the kernel relating to firewall events, are logged in files in /var/log.

If you want to make sure that your firewall is running:
[tt]
cat /proc/net/ip_fwchains
[/tt]
The output you receive is a list of the current ipchains rules that are being used by the system. If you don't get any output then the kernel does not have any rules loaded. If you want a user friendly view on the information, install and run "gfcc". Click the "System" button to view the rules currently being used by the system.

Now, if you have some rules set up, but you aren't getting messages logged to the console or /var/log files, this is a good thing! It means that there have been no attempts to violate any of the firewall rules that you have set up.

With "ktail", I don't think you have broken anything. The "KCharset" message is to do with KDE's internationalisation. If the program you are running doesn't recognise your KDE locale settings, you get this message. "ktail" should still run, though.

I've actually seen this message a lot when I've set my language setting to "English UK (en_UK)", normally when running a KDE program from the command line. If you run the command from the menu, I think that you still get the errors, but they get dumped to "$HOME/.xsession-errors".

Finally, on the firewall script, can you grab a few lines from it and post them here? I think I know what you will need to do, but I'd like to see some examples before moving on :)

Sorry for the long post, and any confusion caused by my previous post. I'll have to stop posting on Friday afternoons!
 
Thank you for the reply Andy, I don't mind reading long but informative posts :) As soon as I get home I will post some snippets of the script. Are there any sections that you would like to see in particular? Because I am not sure what is important and what isn't as important to getting it to run. As far as the ktail problem goes, I usually activate it from an xterm console. It worked fine for a few days (when I started to use it to monitor my logs) but it stopped working when I su'd to root and activated it. When I was su'd to root and ran ktail, it would display the KChar error and freeze the terminal window. But when I activated ktail from my regular user account it would display the KChar error three times and then ktail would run. I looked at kde.org and they say this error is normal. That is fine and dandy, but I can't activate ktail by su'ing to root. The reason I need to activate ktail as root is to view /var/log/messages, because regular users don't have access to it.

Thanks for the help, I will mess around with things when I get home.

 
Troy, could you post some of the "ipchains" commands? This is where the interface should be specified.

On the ktail front, have you tried running it from "kdesu"? This might work a little better for you.
 
Here is the firewall that seems to be working. It was installed with the Roaring Penguin package. I will put the whole thing here as it is not too long....

=====================================

#!/bin/sh
#
# firewall-masq This script sets up firewall rules for a machine
# acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.

# Interface to Internet
EXTIF=ppp+

ANY=0.0.0.0/0

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward DENY

ipchains -F forward
ipchains -F input
ipchains -F output

# Deny TCP and UDP packets to privileged ports
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY

# Do masquerading
ipchains -A forward -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
# Mandrake-Security : if you remove this comment, remove the next line too.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter



===================================

Here is a piece of another script that I have been trying to get working

=================================
#!/bin/sh
#
# IPCHAINS-FIREWALL V1.8.0
#
# -------------------------------------------------- Ipchains Firewall Script -
#
# Original script by Ian Hall-Beyer (manuka@nerdherd.net)
#
# Contributors:
# terminus (cpm@dotquad.com) (ICQ & DHCP, @home testing)
# djv (djv@hotmail.com) Additions from other strong rulesets, for
# Linuxnewbie.org, modified on 28 Feb 00.

# ---------------------------------------------------------------- Interfaces -
# Local Interface
# This is the interface that is your link to the world

LOCALIF="ppp+"

# ------------------------------------------------------- Variable definition -
#
# Set the location of ipchains.

IPCHAINS="/sbin/ipchains"

# You shouldn't need to change anything in the rest of this section

LOCALIP=`ifconfig $LOCALIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
LOCALMASK=`ifconfig $LOCALIF | grep Mask | cut -d : -f 4`
LOCALNET="$LOCALIP/$LOCALMASK"

echo "------------------------------------"
echo "Setting up Mack-Daddy firewall on:"
echo "IP ($LOCALIF): $LOCALNET"
echo "------------------------------------"

REMOTENET="0/0"

# -------------------------------------- Flush everything, start from scratch -

echo -n "Flushing rulesets.."

# Incoming packets from the outside network
$IPCHAINS -F input
echo -n "."

# Outgoing packets from the internal network
$IPCHAINS -F output
echo -n "."

echo "Done!"

# ----------------------------------------------------------- Prevent Spoofs -

echo -n "Spoof protection.."

# Set up variables to make life easier

LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address


# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.
$IPCHAINS -A input -i $LOCALIF -s $LOCALIP -j DENY -l
echo -n "."

# Refuse packets claiming to be from a Class A private network
$IPCHAINS -A input -i $LOCALIF -s $CLASS_A -j DENY
$IPCHAINS -A input -i $LOCALIF -d $CLASS_A -j DENY
echo -n "."

================================
Thanks for any help that can be offered... I still can't get ktail to work :(.....
 
 
Sorry about the double post..... Netscape locked up on my machine....
 
In the first script you want to modify EXTIF to be the name of your ADSL interface (ppp0?), and in the second you need to modify LOCALIF.

Of the two scripts, the second one does a simple spoofing check for packets pretending to be from your IP address, but actually originating from the outside world.

I would be tempted to copy the "privileged ports" rules from the first script to the second script, as the second doesn't seem to do this. Just copy them to the end of the script, after the "Class A address" check. I would also add a rule or two to block access to the X server from an outside address:
[tt]
# Refuse packets claiming to be from a Class A private network
$IPCHAINS -A input -i $LOCALIF -s $CLASS_A -j DENY
$IPCHAINS -A input -i $LOCALIF -d $CLASS_A -j DENY
echo -n "."

# Deny TCP and UDP packets to privileged ports
$IPCHAINS -A input -l -i $LOCALIF -d 0.0.0.0/0 0:1023 -p udp -j DENY
$IPCHAINS -A input -l -i $LOCALIF -d 0.0.0.0/0 0:1023 -p tcp -j DENY
echo -n "."

# Block attempts to connect to the X server from the outside world.
$IPCHAINS -A input -l -i $LOCALIF -d 0.0.0.0/0 6000 -p udp -j DENY
$IPCHAINS -A input -l -i $LOCALIF -d 0.0.0.0/0 6000 -p tcp -j DENY
[/tt]

From other posts, I think you are running a web server? If so, you will want to put a rule in to allow access to port 80. Put this rule at the end of the script. (Remember, with firewalls it's best to deny everything, and then allow a few things.) Here's the rule:
[tt]
ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 80 -p tcp -j ACCEPT
[/tt]

So, by combining both scripts you end up with a pretty secure system. If possible, I would get the firewall and all of your required services up and running, and then try to run a utility such as SAINT or nmap from an external machine to "attack" your server and see what may still be vulnerable.

Hope this helps.
 
Thank you so much, I will try it when I get home... The second script is not a complete script, but only a snippet of it. I am not running a webserver for the time being, until I understand completely how the firewall works....

How would I block the samba service from the outside, something like:

ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 $SAMBAPORT -p tcp -j DENY

where $SAMBAPORT is the port that is specific to Samba. If I read the rules to block external traffic to X Windows from your post, the rules for Samba would be similar (?). I believe that Samba resides on TCP port 139, but I have heard it associated with 138. As far as the UDP ports go I really don't know. By firewalling all the ports this way, will that affect something like FTP through the firewall?

BTW, when I do an ifconfig when my ADSL connection is up, it does not show eth1 as active. But there is a script called adsl-status that shows the connection interface as being ppp0? I just noticed that last night so I will try configuring my firewall for this. Thanks for your help..



 
Glad to be of assistance :)

To block Samba, you are using the correct rule. However, it should already be blocked by the rule:
[tt]
ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 0:1023 -p tcp -j DENY
[/tt]
This is denying access to all TCP ports in the range 0 to 1023, so Samba will be covered by that.

On the FTP front, I think you may need to open up ports 20 and 21 with the following rule:
[tt]
ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 20:21 -p tcp -j ACCEPT
[/tt]
However, I'd test whether you can successfully run an FTP client from your box first. (Sorry if that's a little uncertain, but I'm not in a position to test this one :( ) If the FTP fails, then you should add the rule above.

One warning though - unless you want to offer FTP services from your Linux box, shut down any local FTP servers that might be running, as the rule above will open it up to external access.

Additionally, when setting up the "ACCEPT" rules you may want to specify the address of your server. At the moment, I've used "0.0.0.0/0" as the destination address. That lets people from the outside of the firewall access to any server on the inside of the firewall on the specified ports. Say your server address is 192.168.0.1 with a netmask of 255.255.255.0, you would need to specify "192.168.0.1/24".

Hope this helps.
 
Lets see if I get this straight. If I take the rule below,

ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 20:21 -p tcp -j ACCEPT

and modify it like so

ipchains -A input -l -i $LOCALIF -d 192.168.0.1/24 20:21 -p tcp -j ACCEPT

it would only allow access to the server and nothing else via the ports, or is it restricting outside access to only the server in question?

Sorry about this, but I am currently in the middle of the ipchains how-to and I probably have not made it that far yet. Thank you for your time, I appreciate it.
 
The syslog level is controlled by /etc/syslog.conf.
Try adding a line
[tt]
*.* /var/log/test
[/tt]
to /etc/syslog.conf, then restart syslogd with
[tt]
kill -SIGHUP `cat /var/run/syslog.pid`
[/tt]
and see if the log shows up in /var/log/test.


My output is as follows:
[tt]
Aug 28 23:00:48 lgw kernel: Packet log: input DENY eth0 PROTO=6 192.168.2.1:52338 192.168.1.1:110 L=44 S=0x00 I=42217 F=0x4000 T=240 SYN (#65)
[/tt]
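As an added example (not code from anyone in this thread), here is a small parser for the "Packet log:" lines that the kernel emits for rules carrying "-l" (they go out through printk, so they end up wherever syslog routes kern.* messages), followed by a summary of which sources were denied on which ports. The field layout is taken from the line Tony posted above; the other lines in SAMPLE_LOG, the host 203.0.113.9, the rule numbers and the su line are constructed for illustration. Only the TCP/UDP form with "src:port dst:port" is handled; ICMP lines, which put type and code in the port positions, are not modelled.

```python
"""Decode ipchains 'Packet log:' syslog lines and summarise denied packets.
Added example; log lines other than the first are constructed."""
import re
from collections import Counter

# Layout as seen in the thread: chain verdict iface PROTO=n src:port dst:port
# L=len S=tos I=ipid F=frag T=ttl [SYN] (#rule)
PACKET_LOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-f]+) T=(?P<ttl>\d+)"
    r"(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_packet_log(line):
    """Return the decoded fields for a firewall log line, or None for any
    other syslog line (such as the su messages the original poster saw)."""
    m = PACKET_LOG.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto"] = PROTO_NAMES.get(int(rec["proto"]), rec["proto"])
    rec["syn"] = rec.pop("flags") == "SYN"  # only TCP SYNs carry the flag
    return rec


def denied_by_source(lines):
    """Count DENY/REJECT hits per (source address, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["verdict"] in ("DENY", "REJECT"):
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


# First line is Tony's; the rest are constructed (a NetBIOS probe from a
# made-up outside host and one unrelated su line that the parser must skip).
SAMPLE_LOG = """\
Aug 28 23:00:48 lgw kernel: Packet log: input DENY eth0 PROTO=6 192.168.2.1:52338 192.168.1.1:110 L=44 S=0x00 I=42217 F=0x4000 T=240 SYN (#65)
Aug 28 23:01:02 lgw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4021 192.168.1.1:139 L=48 S=0x00 I=31000 F=0x4000 T=113 SYN (#3)
Aug 28 23:01:03 lgw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:4022 192.168.1.1:139 L=48 S=0x00 I=31001 F=0x4000 T=113 SYN (#3)
Aug 28 23:01:05 lgw kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.9:1025 192.168.1.1:137 L=78 S=0x00 I=31002 F=0x0000 T=113 (#2)
Aug 28 23:01:07 lgw su(pam_unix)[1234]: session opened for user root by troy(uid=500)
""".splitlines()

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(denied_by_source(SAMPLE_LOG).items()):
        print("%-15s %-4s dport %-5d denied %d time(s)" % (src, proto, dport, n))
```

Feed it the real file with `denied_by_source(open("/var/log/messages"))` once syslog is routing kernel messages there; the rule number in "(#n)" is the position in the chain, so you can line it up against `ipchains -L -n --line-numbers`.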
 
Troy, the rule:

ipchains -A input -l -i $LOCALIF -d 192.168.0.1/24 20:21 -p tcp -j ACCEPT

allows access to the FTP ports on the named server only. In other words, only 192.168.0.1 can provide an FTP service through your firewall.

Say you had 5 servers behind the firewall, and you wanted two of them (192.168.0.1 and 192.168.0.3) to provide FTP services, the following rules would allow this:
[tt]
# Deny access to all privileged ports on all servers.
ipchains -A input -l -i $LOCALIF -d 0.0.0.0/0 0:1023 -p tcp -j DENY

# Allow FTP access to two servers.
ipchains -A input -l -i $LOCALIF -d 192.168.0.1/24 20:21 -p tcp -j ACCEPT
ipchains -A input -l -i $LOCALIF -d 192.168.0.3/24 20:21 -p tcp -j ACCEPT
[/tt]
Of course, as it stands all other services (such as http) would still be blocked, and you would need to add new rules to allow access to them.


Tony, thanks for the syslog tip! I had forgotten about doing that kind of "log everything" set up. It will be excellent for testing the firewall set up :)
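Two details from the rules discussed above are worth checking against how ipchains actually evaluates a chain: it walks the rules in order and the first match with a target (ACCEPT, DENY, REJECT, MASQ) decides the packet, and an address written as 192.168.0.1/24 is a network, not a host. The following is an added example (not code from the thread or from either firewall script) that simulates that first-match walk for the handful of options used here. It shows that the port-80 ACCEPT from the earlier post, appended after "-d 0.0.0.0/0 0:1023 -j DENY", is never reached unless it is inserted ahead of the DENY with "-I", and that the "/24" form in the FTP rules above admits every host on 192.168.0.0/24 rather than the single server. Interface names, addresses and packets are constructed; "203.0.113.5" is a documentation address.

```python
"""First-match simulator for the ipchains options used in this thread:
-A/-I, -i, -s/-d addr[/bits] [port|lo:hi], -p, -j, -l. Added example."""
import ipaddress
import shlex


def parse_rule(command):
    """Turn one 'ipchains -A|-I <chain> ...' command into a rule dict."""
    argv = shlex.split(command)
    rule = {"chain": None, "insert": False, "iface": None, "proto": None,
            "src": None, "sport": None, "dst": None, "dport": None, "target": None}
    i = 1  # argv[0] is the ipchains binary
    while i < len(argv):
        opt = argv[i]
        if opt in ("-A", "-I"):
            rule["chain"], rule["insert"] = argv[i + 1], opt == "-I"
            i += 2
        elif opt in ("-i", "-p", "-j"):
            rule[{"-i": "iface", "-p": "proto", "-j": "target"}[opt]] = argv[i + 1]
            i += 2
        elif opt in ("-s", "-d"):
            side = "src" if opt == "-s" else "dst"
            # a bare address is one host (/32); strict=False accepts
            # '192.168.0.1/24', which then matches the whole /24
            rule[side] = ipaddress.ip_network(argv[i + 1], strict=False)
            i += 2
            if i < len(argv) and not argv[i].startswith("-"):
                lo, _, hi = argv[i].partition(":")  # 'port' or 'lo:hi'
                rule[side[0] + "port"] = (int(lo), int(hi or lo))
                i += 1
        elif opt == "-l":
            i += 1  # logging never changes the verdict
        else:
            raise ValueError("option %r is not modelled here" % opt)
    return rule


def build_chain(commands):
    """-A appends; -I with no rule number inserts at position 1."""
    chain = []
    for command in commands:
        rule = parse_rule(command)
        if rule["insert"]:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def _iface_ok(pattern, name):
    # 'ppp+' is the ipchains wildcard for any interface starting with 'ppp'
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name


def matches(rule, pkt):
    if rule["iface"] and not _iface_ok(rule["iface"], pkt["iface"]):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if rule[side] is not None and ipaddress.ip_address(pkt[side]) not in rule[side]:
            return False
        ports = rule[side[0] + "port"]
        if ports is not None and not ports[0] <= pkt[side[0] + "port"] <= ports[1]:
            return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies.
    Returns (target, rule_number), rule_number None for the policy."""
    for number, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None


def packet(src, sport, dst, dport, proto="tcp", iface="ppp0"):
    return {"iface": iface, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


DENY_PRIV = "ipchains -A input -l -i ppp0 -d 0.0.0.0/0 0:1023 -p tcp -j DENY"
# ACCEPT appended after the broad DENY: rule 1 already matched port 80.
APPENDED = build_chain([DENY_PRIV, "ipchains -A input -l -i ppp0 -d 0.0.0.0/0 80 -p tcp -j ACCEPT"])
# Same rules, ACCEPT inserted at the head with -I.
INSERTED = build_chain([DENY_PRIV, "ipchains -I input -l -i ppp0 -d 0.0.0.0/0 80 -p tcp -j ACCEPT"])
# '/24' admits every 192.168.0.x; a bare address (or /32) is one host.
FTP_SUBNET = build_chain([DENY_PRIV, "ipchains -I input -l -i ppp0 -d 192.168.0.1/24 20:21 -p tcp -j ACCEPT"])
FTP_ONE_HOST = build_chain([DENY_PRIV, "ipchains -I input -l -i ppp0 -d 192.168.0.1 20:21 -p tcp -j ACCEPT"])

HTTP_PKT = packet("203.0.113.5", 40000, "192.168.0.1", 80)
FTP_PKT = packet("203.0.113.5", 40001, "192.168.0.1", 21)
OTHER_HOST_FTP = packet("203.0.113.5", 40002, "192.168.0.77", 21)

if __name__ == "__main__":
    for name, chain, pkt in [("appended ACCEPT 80", APPENDED, HTTP_PKT),
                             ("inserted ACCEPT 80", INSERTED, HTTP_PKT),
                             ("/24 rule, other host", FTP_SUBNET, OTHER_HOST_FTP),
                             ("/32 rule, other host", FTP_ONE_HOST, OTHER_HOST_FTP)]:
        print("%-22s -> %s (rule %s)" % ((name,) + verdict(chain, pkt)))
```

The same ordering rule is why a script that flushes and then appends should place its specific ACCEPTs before its catch-all DENYs, or use "-I" for the exceptions; `ipchains -L input -n --line-numbers` shows the order the kernel will walk.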
 