Hi,
I'd like to use psad from www.cipherdyne.com, which analyzes iptables log
messages, on my Shorewall firewall.
It complains about incorrectly configured iptables when starting.
This is the message:
--------------------------------------------------------------------------------------------------
** The INPUT chain in the iptables ruleset on debian4 includes a default
LOG rule for all protocols, but the rule does not have a log prefix of
"DROP". It appears as though the log prefix is set to
"Shorewall:INPUT:REJECT:". psad will not be able to detect scans
without adding --log-prefix "DROP" to the rule.
** The INPUT chain in the iptables ruleset on debian4 does not include a
default DROP rule for all protocols.
** The FORWARD chain in the iptables ruleset on debian4 includes a default
LOG rule for all protocols, but the rule does not have a log prefix of
"DROP". It appears as though the log prefix is set to
"Shorewall:FORWARD:REJECT:". psad will not be able to detect scans
without adding --log-prefix "DROP" to the rule.
** The FORWARD chain in the iptables ruleset on debian4 does not include a
default DROP rule for all protocols.
.. NOTE: IPTables::Parse does not yet parse user defined chains and so it
is possible your firewall config is compatible with psad anyway.
-----------------------------------------------------------------------------------------------------
Is there a way for shorewall to be compatible with psad?
Thanks & regards
Petr Novak

On Fri, 2003-09-19 at 06:52, Petr Novák wrote:
> Is there a way for shorewall to be compatible with psad?

From the above messages, it doesn't seem likely.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 2003-09-19 at 06:59, Tom Eastep wrote:
> On Fri, 2003-09-19 at 06:52, Petr Novák wrote:
>
> > Is there a way for shorewall to be compatible with psad?
>
> From the above messages, it doesn't seem likely.

Investigate the FW_MSG_SEARCH parameter in psad -- looks like you need to set that to "Shorewall:" or something similar.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Fri, 2003-09-19 at 07:10, Tom Eastep wrote:
> On Fri, 2003-09-19 at 06:59, Tom Eastep wrote:
> > On Fri, 2003-09-19 at 06:52, Petr Novák wrote:
> >
> > > Is there a way for shorewall to be compatible with psad?
> >
> > From the above messages, it doesn't seem likely.
>
> Investigate the FW_MSG_SEARCH parameter in psad -- looks like you need
> to set that to "Shorewall:" or something similar.

Looks like you might also have to set LOGFORMAT="Shorewall:" in shorewall.conf. This of course will make Shorewall log messages rather useless since you won't know which chain generated a given message.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net