File: README.firewall

Configuring the firewall for fwanalog
=====================================
- Make sure that each dropped packet is logged, that only dropped packets are
  logged (some firewalls mark dropped packets in the log, in which case
  fwanalog can distinguish them itself), and that each packet is logged only
  once. (This matters only if you want precise statistics.)
  Note: The lines "last line repeated X times" in some log files are NOT
  processed by fwanalog. I know that this leads to lower numbers of
  blocked packets but can't really do anything about it - it would be
  too hard to parse this with a shell script only. I don't think that this
  is a huge problem because if a host sends you the same packet so
  quickly, it will stand out in the logs anyway.

- It is a good idea to use "--log-prefix some_info_about_the_block" with
  iptables. Because of a limitation in Analog's username parsing, you
  can't use spaces in the log prefix. (You *can* use them, but fwanalog
  will only use the prefix up to the first space, so "bad in" and "bad out"
  both become "bad". Use "bad_in" and "bad_out" instead.)

  (Does another firewall support this? I would gladly include this
  feature for the other ones.)

- Some versions of ipf offer to resolve IP addresses and port numbers to
  hostnames and service names. Don't enable this when using fwanalog:
  analog can do the resolution better, and fwanalog won't work at all with
  such logs because it expects numeric IP addresses and port numbers.
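The note above says the "repeated X times" lines are skipped. As an added check (not part of fwanalog), the following POSIX shell script estimates how many blocked packets those lines hide in a log, so you can tell whether the undercount matters for your statistics. It assumes the classic sysklogd wording "last message repeated X times", an iptables LOG rule with --log-prefix "bad_in ", and uses a constructed sample log.

```shell
#!/bin/sh
# Added example, not part of fwanalog. fwanalog skips "last message repeated
# X times" lines, so this script estimates how many blocked packets those
# lines hide. Assumptions: classic sysklogd line format and an iptables LOG
# rule with --log-prefix "bad_in " (the prefix is passed as $1 below).

# Constructed sample log, not real traffic. The repeat line after the sshd
# entry belongs to an unrelated message and must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
Mar 18 16:34:45 gw kernel: bad_in IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=22
Mar 18 16:34:46 gw last message repeated 3 times
Mar 18 16:35:01 gw kernel: bad_in IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=5353
Mar 18 16:35:10 gw sshd[123]: Accepted publickey for admin from 203.0.113.7 port 51234
Mar 18 16:35:12 gw last message repeated 2 times
Mar 18 16:35:20 gw kernel: bad_in IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4445 DPT=23
Mar 18 16:35:21 gw last message repeated 5 times
EOF
)

# logged_packets PREFIX: firewall lines fwanalog will actually parse (log on stdin).
logged_packets() {
    grep -c "kernel: $1"
}

# hidden_packets PREFIX: copies collapsed into "last message repeated X times"
# lines that directly follow a matching firewall line (log on stdin).
hidden_packets() {
    awk -v prefix="kernel: $1" '
        /last message repeated [0-9]+ times$/ {
            if (prev_fw)
                for (i = 1; i <= NF; i++)
                    if ($i == "repeated") hidden += $(i + 1)
            next    # a repeat line does not change which message came before it
        }
        { prev_fw = index($0, prefix) > 0 }
        END { print hidden + 0 }
    '
}

# report PREFIX: what fwanalog counts versus what the log really represents.
report() {
    seen=$(printf '%s\n' "$SAMPLE_LOG" | logged_packets "$1")
    hidden=$(printf '%s\n' "$SAMPLE_LOG" | hidden_packets "$1")
    echo "prefix=$1 logged=$seen hidden_by_repeat_lines=$hidden total=$((seen + hidden))"
}

report bad_in
```

Run it against a real file by replacing SAMPLE_LOG with the contents of your firewall log; a large hidden count means the fwanalog totals understate the blocked traffic.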

Alternative syslog implementations
==================================
There are some alternatives to the good old syslog, and they may have
differing log formats.
Fwanalog doesn't support those by default because that would mean supporting X
different firewall formats multiplied by Y syslog formats, and the result would
be entirely unmaintainable.
Here are a few hints on what you can do.

- Metalog: one colon (:) before the log message is missing. Either find this
  colon in the regular expression of your firewall function and adapt the
  expression, or pre-process your logs and add the colon in the right place.

How to set up syslog on a NETGEAR or ZyXEL Internet Gateway Router's ZyNOS
==========================================================================

By Matt Christian <mattc@visi.com>
Version 1.1

The below instructions assume that you are familiar with telnet and making
some Unix configuration changes.  If you aren't, then you may want to ask
a knowledgeable friend for help.

1. Telnet into your router (default: 192.168.0.1 or 192.168.1.1)
  $ telnet 192.168.0.1

2. Login using your password (default: 1234)
  Password: ****

3. Navigate the following menus (type in the number and press enter/return)
  "24. System Maintenance" -> "3. Log and Trace" -> "2. UNIX Syslog"

4. You should see a menu similar to example below:

                 Menu 24.3.2 - System Maintenance - UNIX Syslog

                    Syslog:
                    Active= No
                    Syslog IP Address=
                    Log Facility= Local 1

                    Types:
                    CDR= No
                    Packet triggered= No

                    Filter log= No
                    PPP log= No

5. Set the following information (follow prompts at bottom of screen)
   Active = Yes, Syslog IP Address = fwAnalog machine,
   Log Facility = your choice, CDR = Yes, Packet triggered = Yes,
   Filter log = Yes, PPP log = Yes

6. At the prompt, press ENTER, ESC, ESC, 99 to exit

7. On the fwAnalog machine (the IP you put in for "Syslog IP Address"),
   set up your syslog.conf to log the syslog facility (the one you put in for
   "Log Facility") to a log file.  For example, if you used "Local 1" then
   your syslog.conf file should contain something like the following:

local1.*                        -/var/log/router.log

8. Restart the syslogd daemon, usually by sending a SIGHUP signal to it.

9. Modify the fwanalog.opts file to pick up this log file (or files, if you
   set up log rotation on this log file).

10. Enjoy!

Setting up logging for fwanalog on a Cisco PIX firewall
=======================================================

By Ric Moseley <ric@theplanet.com>

On the PIX firewall running version 6.22 I added the following commands
to turn logging on.

logging on
logging timestamp
logging console warnings
logging buffered warnings
logging trap warnings
logging history warnings
logging facility 20
logging host [<interface_name>] <ip_address> [tcp|udp/port#]

Add this to your syslog.conf on the logging host:
local4.debug                    /var/log/firewall

Setting up logging for fwanalog on a Watchguard Firebox System 6.1
==================================================================

By Ric Moseley <ric@theplanet.com>

Open up the policy manager and go to 'setup->logging'.
Choose the syslog tab and fill in the server IP and the facility.

Set up the logging host as for Cisco.


$Id: README.firewall,v 1.6 2004/03/18 16:34:45 bb Exp $