Hi,

I want to set up psad on my shorewall firewall. I have changed the value of
FW_MSG_SEARCH as suggested in this previous post:

http://lists.shorewall.net/pipermail/shorewall-users/2004-April/011815.html

so I have set

FW_MSG_SEARCH Shorewall:net2all:DROP:;

in /etc/psad/psad.conf, but I get the following warning mail from psad:

** The INPUT chain in the iptables ruleset on mymachine.mydomain includes
   a default LOG rule for all protocols, but the rule does not have a log
   prefix of "Shorewall:net2all:DROP:". It appears as though the log
   prefix is set to "Shorewall:INPUT:DROP:". psad will not be able to
   detect scans without adding --log-prefix "Shorewall:net2all:DROP:" to
   the rule.
** The INPUT chain in the iptables ruleset on mymachine.mydomain does not
   include default rules that will log and drop unwanted packets. You need
   to include two default rules; one that logs packets that have not been
   accepted by previous rules (this rule should have a logging prefix of
   "Shorewall:net2all:DROP:"), and a final rule that drops any unwanted
   packets.
   FOR EXAMPLE: Assuming you have already setup iptables rules to accept
   traffic you want to allow, you can probably execute the following two
   commands to have iptables log and drop unwanted packets in the INPUT
   chain by default.

       iptables -A INPUT -j LOG --log-prefix "Shorewall:net2all:DROP: "
       iptables -A INPUT -j DROP

** Psad will not detect in the iptables INPUT chain scans without an
   iptables ruleset that includes rules similar to the two rules above.

.. NOTE: IPTables::Parse does not yet parse user defined chains and so it
   is possible your firewall config is compatible with psad anyway.

I have tried to set

FW_MSG_SEARCH Shorewall:INPUT:DROP:;

but psad still does not detect scans.

How can I solve this problem?

Thanks in advance,
Nicola
Nicola Murino wrote:
>
> how can I solve this problem?

From my 27-second reading of the online psad man page:

1. You can set FW_SEARCH_ALL=Y in fw_search.conf
2. The description of FW_MSG_SEARCH seems to indicate that
   variable can be multi-valued but doesn't give details.

At any rate, hardly a Shorewall question....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Friday, 16 July 2004 16:02, Nicola Murino wrote:
> Hi,
>
> I want to set up psad on my shorewall firewall. I have changed the value of
> FW_MSG_SEARCH as suggested in this previous post:
>
> http://lists.shorewall.net/pipermail/shorewall-users/2004-April/011815.html
>
> so I have set
>
> FW_MSG_SEARCH Shorewall:net2all:DROP:;

change this to

FW_MSG_SEARCH Shorewall:net2all:DROP: ;

i.e. add a blank before the ;, then it will work ;)

> in /etc/psad/psad.conf, but I get the following warning mail from psad:
>
> [...]
>
> I have tried to set
>
> FW_MSG_SEARCH Shorewall:INPUT:DROP:;
>
> but psad still does not detect scans.
>
> How can I solve this problem?
>
> Thanks in advance,
> Nicola
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Excuse me if the question is not very pertinent to shorewall; the feature
of psad you mention is maybe in the newest version (1.3.2), I have 1.3.1
(gentoo default). I only want to know what --log-prefix shorewall uses for
the iptables configuration.

Thanks,
Nicola

At 07.54 16/07/2004 -0700, you wrote:
> Nicola Murino wrote:
>
>> how can I solve this problem?
>
> From my 27-second reading of the online psad man page:
>
> 1. You can set FW_SEARCH_ALL=Y in fw_search.conf
> 2. The description of FW_MSG_SEARCH seems to indicate that
>    variable can be multi-valued but doesn't give details.
>
> At any rate, hardly a Shorewall question....
>
> -Tom
On Friday, 16 July 2004 17:29, Nicola Murino wrote:
> Excuse me if the question is not very pertinent to shorewall; the feature
> of psad you mention is maybe in the newest version (1.3.2), I have 1.3.1
> (gentoo default). I only want to know what --log-prefix shorewall uses for
> the iptables configuration.

I'm using 1.3.1 and shorewall 2.0.5 on my SuSE 8.2 together without problems.

> Thanks,
> Nicola

Toni
At 17.27 16/07/2004 +0200, you wrote:
> On Friday, 16 July 2004 16:02, Nicola Murino wrote:
>> so I have set
>>
>> FW_MSG_SEARCH Shorewall:net2all:DROP:;
>
> change this to
>
> FW_MSG_SEARCH Shorewall:net2all:DROP: ;
>
> i.e. add a blank before the ;, then it will work ;)

Thanks, I have added the blank, but when I start psad I receive the same
warning mail :-( and if I use nmap psad doesn't warn me.

Nicola

>> in /etc/psad/psad.conf, but I get the following warning mail from psad:
>>
>> [...]
>>
>> I have tried to set
>>
>> FW_MSG_SEARCH Shorewall:INPUT:DROP:;
>>
>> but psad still does not detect scans.
>>
>> How can I solve this problem?
>>
>> Thanks in advance,
>> Nicola
Nicola Murino wrote:
> Excuse me if the question is not very pertinent to shorewall; the
> feature of psad you mention is maybe in the newest version (1.3.2), I have
> 1.3.1 (gentoo default). I only want to know what --log-prefix
> shorewall uses for the iptables configuration.
>
> Thanks,
> Nicola
>
> At 07.54 16/07/2004 -0700, you wrote:
>
>> Nicola Murino wrote:
>>
>>> how can I solve this problem?
>>
>> From my 27-second reading of the online psad man page:
>>
>> 1. You can set FW_SEARCH_ALL=Y in fw_search.conf
>> 2. The description of FW_MSG_SEARCH seems to indicate that
>>    variable can be multi-valued but doesn't give details.
>>
>> At any rate, hardly a Shorewall question....

Please don't top post.

The --log-prefix generated by Shorewall is determined by the LOGFORMAT
setting in shorewall.conf.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Ok, now it works. I have made this change to my syslog-ng configuration:

destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
filter f_kerninfo { facility(kern) and level(info); };
#log { source(src); filter(f_kerninfo); destination(psadpipe); };
log { source(kernsrc); filter(f_kerninfo); destination(psadpipe); };

I have changed in /etc/shorewall/shorewall.conf

LOGFORMAT=""

and in /etc/psad/psad.conf and /etc/psad/kmsgsd.conf I used the default
value:

FW_MSG_SEARCH DROP;

Thanks, and excuse me if this matter isn't very close to shorewall.

Good weekend,
Nicola
On Friday, 16 July 2004 19:36, Nicola Murino wrote:
> Ok, now it works. I have made this change to my syslog-ng configuration:
>
> destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
> filter f_kerninfo { facility(kern) and level(info); };
> #log { source(src); filter(f_kerninfo); destination(psadpipe); };
> log { source(kernsrc); filter(f_kerninfo); destination(psadpipe); };
>
> I have changed in /etc/shorewall/shorewall.conf
>
> LOGFORMAT=""

this makes error-searching in shorewall completely impossible!

> and in /etc/psad/psad.conf and /etc/psad/kmsgsd.conf I used the default
> value:
>
> FW_MSG_SEARCH DROP;
>
> Thanks, and excuse me if this matter isn't very close to shorewall.
>
> Good weekend,
> Nicola
On Friday, 16 July 2004 18:18, Nicola Murino wrote:
>>> .. NOTE: IPTables::Parse does not yet parse user defined chains and so
>>> it is possible your firewall config is compatible with psad anyway.

shorewall chains are user-defined chains ;) so you can ignore this warning mail

toni
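The thread's resolution, restated as an added example that is not code from psad or Shorewall: psad only ever sees the kernel log lines that syslog-ng pipes into psadfifo, and FW_MSG_SEARCH decides which of those lines it counts. With Shorewall's default LOGFORMAT of "Shorewall:%s:%s:" (chain, then disposition) a packet dropped in net2all is logged with the prefix "Shorewall:net2all:DROP:", so a search string of "DROP" selects drops from every Shorewall chain, "Shorewall:net2all:DROP:" selects only that chain, and "Shorewall:INPUT:DROP:" never selects a net2all drop at all, which is why the earlier attempt saw no scans. shorewall.conf(5) documents an empty LOGFORMAT as falling back to that same default, so the chain names stay in the prefixes and the generic "DROP" search is what made the difference. The script below mimics the selection as a plain substring check on the prefix (this example's assumption about how psad matches; it also accepts a list of search strings, since the man page seems to allow more than one), parses the iptables KEY=VALUE fields, and flags a source that hit several distinct ports. The log lines, the host name fw, the addresses and the five-port threshold are all constructed for the example.

```python
"""Added example (not psad's or Shorewall's code): psad-style FW_MSG_SEARCH
selection and a minimal port-scan count over Shorewall-formatted iptables
log lines.  Everything below runs on constructed sample data."""
import re
from collections import defaultdict

# Constructed sample of what syslog-ng would feed psad: kernel log lines as
# Shorewall emits them with the default LOGFORMAT="Shorewall:%s:%s:"
# (chain, disposition).  One source probes five TCP ports through net2all,
# another source trips a single drop in INPUT, one packet is logged as an
# ACCEPT, and the last line is not an iptables log line at all.
SAMPLE_LOG = """\
Jul 16 16:02:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=21 WINDOW=1024 SYN URGP=0
Jul 16 16:02:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 SYN URGP=0
Jul 16 16:02:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=1024 SYN URGP=0
Jul 16 16:02:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=25 WINDOW=1024 SYN URGP=0
Jul 16 16:02:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=80 WINDOW=1024 SYN URGP=0
Jul 16 16:02:03 fw kernel: Shorewall:INPUT:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=5840 SYN URGP=0
Jul 16 16:02:04 fw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=41000 DPT=22 WINDOW=5840 SYN URGP=0
Jul 16 16:02:05 fw sshd[1234]: Accepted publickey for nicola from 10.0.0.5 port 41000
"""

# An iptables LOG line reads "<timestamp> <host> kernel: <prefix>IN=... OUT=...".
LINE_RE = re.compile(r'kernel:\s*(?P<prefix>.*?)(?P<fields>\bIN=.*)$')
FIELD_RE = re.compile(r'\b(\w+)=(\S*)')


def parse_log_line(line):
    """Split an iptables LOG line into its --log-prefix and a dict of the
    KEY=VALUE fields (flags such as DF or SYN carry no value and are skipped).
    Returns None for lines that are not iptables log output."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {'prefix': m.group('prefix').strip(),
            'fields': dict(FIELD_RE.findall(m.group('fields')))}


def matches_search(prefix, fw_msg_search):
    """Stand-in for psad's FW_MSG_SEARCH test: a plain substring check on
    the log prefix (this example's assumption about how psad matches).
    Accepts one string or a list of strings, since the psad man page
    suggests the setting can hold several values."""
    if isinstance(fw_msg_search, str):
        fw_msg_search = [fw_msg_search]
    return any(s in prefix for s in fw_msg_search)


def matched_prefixes(log_text, fw_msg_search):
    """Return the sorted distinct log prefixes a FW_MSG_SEARCH value selects,
    which shows how broad or narrow a given search string is."""
    found = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None and matches_search(rec['prefix'], fw_msg_search):
            found.add(rec['prefix'])
    return sorted(found)


def scan_sources(log_text, fw_msg_search, port_threshold=5):
    """Count distinct destination ports per source over the selected lines
    and return {src: sorted ports} for sources at or above the threshold.
    The fixed threshold is a constructed stand-in for psad's danger levels."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not matches_search(rec['prefix'], fw_msg_search):
            continue
        f = rec['fields']
        if 'SRC' in f and f.get('DPT', '').isdigit():
            ports[f['SRC']].add(int(f['DPT']))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= port_threshold}


if __name__ == '__main__':
    for search in ('DROP', 'Shorewall:net2all:DROP:', 'Shorewall:INPUT:DROP:'):
        print('FW_MSG_SEARCH %-25s selects %s' % (search, matched_prefixes(SAMPLE_LOG, search)))
        print('    scanning sources: %s' % scan_sources(SAMPLE_LOG, search))
```

Running it shows the three outcomes from the thread side by side: "DROP" and "Shorewall:net2all:DROP:" both pick up the five-port probe from 198.51.100.7, while "Shorewall:INPUT:DROP:" selects only the single INPUT drop and reports no scanning source. The same narrowing applies to psad's INPUT-chain warning: Shorewall's rules live in user-defined chains that IPTables::Parse did not inspect, so the warning says nothing about whether the log lines reaching psadfifo are usable.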