[ES]

I made this HOWTO because I was tired of seeing dmesg and /var/log/messages full of iptables logs. I install firestarter for some friends who do not know much about computers but still want to use Linux, and whenever I try to fix something the logs are always full of 'rubbish'.

It is really easy to send firestarter logs to a file with ulog.


Ulog:
Just install ulogd on your system (in this case Gentoo: "emerge ulogd").
Configure it; you can send the logs to many places: MySQL, a file, SQLite or a pcap file.
I will send the logs to the file /var/log/ulogd.syslogemu:



/etc/ulogd.conf (Gentoo's configuration file for ulogd):
---------------------------------

# Example configuration for ulogd
# $Id: ulogd.conf.in 714 2005-02-19 21:33:43Z laforge $
#

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################

# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1

# logfile for status messages
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
loglevel=5

# socket receive buffer size (should be at least the size of the
# in-kernel buffer, the ipt_ULOG.o 'nlbufsiz' parameter)
rmem=131071

# libipulog/ulogd receive buffer size, should be > rmem
bufsize=150000

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below


#
# ulogd_BASE.so - interpreter plugin for basic IPv4 header fields
#                 you will always need this
plugin="/usr/lib/ulogd/ulogd_BASE.so"


# output plugins.
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
#plugin="/usr/lib/ulogd/ulogd_OPRINT.so"
#plugin="/usr/lib/ulogd/ulogd_MYSQL.so"
#plugin="/usr/lib/ulogd/ulogd_PGSQL.so"
#plugin="/usr/lib/ulogd/ulogd_SQLITE3.so"
#plugin="/usr/lib/ulogd/ulogd_PCAP.so"


[LOGEMU]
file="/var/log/ulogd.syslogemu"
sync=1

[OPRINT]
file="/var/log/ulogd.pktlog"

[MYSQL]
table="ulog"
pass="changeme"
user="laforge"
db="ulogd"
host="localhost"

[PGSQL]
table="ulog"
schema="public"
pass="changeme"
user="postgres"
db="ulogd"
host="localhost"

[SQLITE3]
table="ulog"
db="/path/to/sqlite/db"
buffer=200

[PCAP]
file="/var/log/ulogd.pcap"
sync=1

*********************************

Start ulogd:
/etc/init.d/ulogd start




******************************

Firestarter:
Install firestarter on your system, configure it and, if you want, run it.
Then look for the firestarter configuration; normally it is in /etc/firestarter/.
In my case it is in /usr/local/etc/firestarter, because firestarter is not in portage anymore and I'm not going to install shorewall or fwbuilder for people who do not know what iptables means.

Edit the 'firewall' file (as root, of course); you will probably have to change its permissions first, because on my system it is a read-only file.

cd /usr/local/etc/firestarter
chmod u+xw firewall
vi firewall    (or nano -w firewall)

Then change this part:

if [ "$log_supported" ]; then
        # Syn-flood protection
        $IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p tcp --syn -j $STOP_TARGET
        # Rapid portscan protection
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j $STOP_TARGET
        # Ping of death protection
        $IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
        $IPT -A LSI -p icmp --icmp-type echo-request -j $STOP_TARGET
        # Log everything
        $IPT -A LSI -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
fi
$IPT -A LSI -j $STOP_TARGET # Terminate evaluation

# Create a new log and stop output (LSO) chain.
$IPT -N LSO 2> /dev/null
$IPT -F LSO
$IPT -A LSO -j LOG_FILTER
if [ "$log_supported" ]; then
        # Log everything
        $IPT -A LSO -m limit --limit 5/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Outbound "
fi
$IPT -A LSO -j REJECT # Terminate evaluation


# --------( Initial Setup - Nameservers )--------


to this:

if [ "$log_supported" ]; then
        # Syn-flood protection
        $IPT -A LSI -p tcp --syn -m limit --limit 1/s -j ULOG  --ulog-prefix "Inbound "
        $IPT -A LSI -p tcp --syn -j $STOP_TARGET
        # Rapid portscan protection
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ULOG  --ulog-prefix "Inbound "
        $IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j $STOP_TARGET
        # Ping of death protection
        $IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j ULOG  --ulog-prefix "Inbound "
        $IPT -A LSI -p icmp --icmp-type echo-request -j $STOP_TARGET
        # Log everything
        $IPT -A LSI -m limit --limit 5/s -j ULOG  --ulog-prefix "Inbound "
fi
$IPT -A LSI -j $STOP_TARGET # Terminate evaluation

# Create a new log and stop output (LSO) chain.
$IPT -N LSO 2> /dev/null
$IPT -F LSO
$IPT -A LSO -j LOG_FILTER
if [ "$log_supported" ]; then
        # Log everything
        $IPT -A LSO -m limit --limit 5/s -j ULOG --ulog-prefix "Outbound "
fi
$IPT -A LSO -j REJECT # Terminate evaluation


# --------( Initial Setup - Nameservers )--------



And change this part at the end of the file:

# --------( Unsupported Traffic Catch-All )--------

$IPT -A INPUT -j LOG_FILTER
$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Input"
$IPT -A OUTPUT -j LOG_FILTER
$IPT -A OUTPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Output"
$IPT -A FORWARD -j LOG_FILTER
$IPT -A FORWARD -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Forward"

return 0



to this:

# --------( Unsupported Traffic Catch-All )--------

$IPT -A INPUT -j LOG_FILTER
$IPT -A INPUT -j ULOG  --ulog-prefix "Unknown Input"
$IPT -A OUTPUT -j LOG_FILTER
$IPT -A OUTPUT -j ULOG  --ulog-prefix "Unknown Output"
$IPT -A FORWARD -j LOG_FILTER
$IPT -A FORWARD -j ULOG  --ulog-prefix "Unknown Forward"

return 0


**************************

As you can see, it is just a matter of changing
-j LOG --log-level=$LOG_LEVEL --log-prefix
to
-j ULOG --ulog-prefix

Do not forget to start ulogd and then restart firestarter; from that moment the logs will go to /var/log/ulogd.syslogemu.
And change the permissions of the firewall file back:

chmod u-xw firewall
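The same LOG-to-ULOG edit done with sed instead of by hand, plus a check that no kernel LOG rule was missed. This is an added example, not part of the original HOWTO or of firestarter; it assumes the path of the 'firewall' script is passed as the first argument, a kernel with the ULOG target as used above, and that ulogd.conf keeps nlgroup=1 (the ULOG target's default --ulog-nlgroup), so no group option is added to the rules.

```shell
#!/bin/sh
# Added example (not from the HOWTO or firestarter): automate the LOG -> ULOG
# edit of firestarter's 'firewall' script and verify nothing was left behind.
# Assumption: ulogd.conf has nlgroup=1, which matches the ULOG target's
# default --ulog-nlgroup, so the rewritten rules need no extra option.

# Rewrite rules read from stdin: "-j LOG --log-level=$LOG_LEVEL --log-prefix X"
# becomes "-j ULOG --ulog-prefix X". Any other "-j LOG" form is left untouched
# so that count_log_rules can report it afterwards.
log_to_ulog() {
    sed -e 's/-j LOG --log-level=\$LOG_LEVEL --log-prefix/-j ULOG --ulog-prefix/'
}

# Number of rules in a file that still use the kernel LOG target (want 0).
count_log_rules() {
    grep -c -- '-j LOG ' "$1" || true
}

# Constructed sample with the two kinds of lines the HOWTO changes, plus a
# rule that must stay as it is.
sample_rules() {
    cat <<'EOF'
$IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level=$LOG_LEVEL --log-prefix "Inbound "
$IPT -A LSI -p tcp --syn -j $STOP_TARGET
$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Input"
EOF
}

# Convert a firewall script in place: keep a backup, make the file writable
# as the HOWTO does, rewrite it, put the read-only bit back, and print how
# many LOG rules remain (0 means restart firestarter and check ulogd's file).
convert_firewall_file() {
    f="$1"
    cp -p "$f" "$f.bak"
    chmod u+w "$f"
    log_to_ulog < "$f.bak" > "$f"
    chmod u-w "$f"
    count_log_rules "$f"
}
```

Run it as `convert_firewall_file /usr/local/etc/firestarter/firewall` (or your own path) and then restart firestarter as described above; a non-zero count means a LOG rule with a different option order still needs a manual edit.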