[Firewall] AIF logging

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Feb 29 14:36:27 CET 2012



On 02/27/2012 06:57 PM, Norbert Gerhards wrote:
> Hi,
>
> I successfully installed AIF 2.0.1 on a debian squeeze server system.
>
> I found the rsyslog.conf for debian in the contrib branch and copied
> it into /etc
>
> I edited firewall.conf, commenting out the logging to /var/log/firewall.log
>
> I touched a firewall.log in /var/log
>
> I restarted AIF and rsyslog respectively.
>
> But: still everything from AIF is logged inside /var/log/syslog
> Only the stop 'n start messages are inside /var/log/firewall.log
>
> What have I missed or done wrong?

You probably forgot to set the LOGLEVEL to debug in firewall.conf

>
> My goal was to have all usual system messages in syslog, and _all_
> AIF messages in firewall.log.
>
>
> My second question with logging is:
> The whole log file is full of messages regarding PRIV TCP Packets
> trying to get connection on destination port 445.
> I guess they are mis-configured (Windows?) servers, searching for
> netbios connects on their _external_ (!) interface?
>
Probably, but it could also be caused by evil(tm) people trying to find 
"open" Windows shares.

> Is there any way I could filter these attempts out?

Yes, use DENY_TCP_NOLOG & DENY_UDP_NOLOG

>
> Thanks in advance for any help,
>
> Norbert
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>

a.
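Before adding ports to DENY_TCP_NOLOG / DENY_UDP_NOLOG it is worth measuring which destination ports actually dominate the deny log, so that only the noise (here port 445) is silenced and other scans stay visible. The script below is an added example, not code from the list post or from AIF itself; it assumes the AIF deny lines are ordinary kernel iptables messages carrying PROTO= and DPT= fields, and the sample log lines and the "AIF:" prefix are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: tally destination ports in AIF deny log lines so an admin can
# decide what belongs in DENY_TCP_NOLOG / DENY_UDP_NOLOG in firewall.conf.
# Assumption: lines are kernel iptables log entries with PROTO= and DPT= fields.

# Constructed sample lines, modelled on what lands in /var/log/syslog.
SAMPLE_LOG="Feb 27 18:01:02 srv kernel: AIF:PRIV connect attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=52144 DPT=445 SYN
Feb 27 18:01:03 srv kernel: AIF:PRIV connect attempt: IN=eth0 OUT= SRC=203.0.113.6 DST=198.51.100.2 PROTO=TCP SPT=52145 DPT=445 SYN
Feb 27 18:01:04 srv kernel: AIF:PRIV connect attempt: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22 SYN
Feb 27 18:01:05 srv kernel: AIF:PRIV connect attempt: IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=UDP SPT=1025 DPT=137
Feb 27 18:01:06 srv kernel: AIF:PRIV connect attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=52146 DPT=445 SYN
Feb 27 18:01:07 srv cron[1234]: (root) CMD (run-parts /etc/cron.hourly)"

# deny_port_counts PROTO: read log text on stdin, keep only AIF lines of that
# protocol, and print "count port" pairs, busiest port first.
deny_port_counts() {
    proto="$1"
    grep 'AIF:' | grep "PROTO=$proto " |
        sed -n 's/.*DPT=\([0-9]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# top_port PROTO: the single busiest destination port for that protocol
# in the constructed sample log.
top_port() {
    printf '%s\n' "$SAMPLE_LOG" | deny_port_counts "$1" | head -n 1 | cut -d' ' -f2
}

# Show the TCP tallies, then the firewall.conf line they suggest
# (assumes the usual quoted, space-separated port list format).
printf '%s\n' "$SAMPLE_LOG" | deny_port_counts TCP
echo "DENY_TCP_NOLOG=\"$(top_port TCP)\""   # prints DENY_TCP_NOLOG="445"
```

On a real host replace the constructed SAMPLE_LOG with `cat /var/log/syslog | deny_port_counts TCP`; the cron line in the sample shows that non-AIF messages are ignored by the filter.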

