[Firewall] AIF logging

Norbert Gerhards n.gerhards at ib-gerhards.de
Wed Feb 29 20:14:41 CET 2012


Hello Arno,

thanks for your answers! Yes, it works. :-)


On 29.02.2012 14:36, Arno van Amersfoort wrote:
>
>
> On 02/27/2012 06:57 PM, Norbert Gerhards wrote:
>> Hi,
>>
>> I successfully installed AIF 2.0.1 on a debian squeeze server system.
>>
>> I found the rsyslog.conf for debian in the contrib branch and copied
>> it into /etc
>>
>> I edited firewall.conf, commenting out the logging to
>> /var/log/firewall.log
>>
>> I touched a firewall.log in /var/log
>>
>> I restarted AIF and rsyslog respectively.
>>
>> But: still everything from AIF is logged inside /var/log/syslog
>> Only the stop 'n start messages are inside /var/log/firewall.log
>>
>> What have I missed or done wrong?
>
> You probably forgot to set the LOGLEVEL to debug in firewall.conf
>

You are right: I forgot that; corrected it, and it works.


>>
>> My goal was to have all usual system messages in syslog, and _all_
>> AIF messages in firewall.log.
>>
>>
>> My second question with logging is:
>> The whole log file is full of messages regarding PRIV TCP Packets
>> trying to get connection on destination port 445.
>> I guess they are mis-configured (Windows?) servers, searching for
>> netbios connects on their _external_ (!) interface?
>>
> Probably but it could also be caused by evil(tm) people trying to find
> "open" Windows shares
>
>> Is there any way I could filter these attempts out?
>
> Yes, use DENY_TCP_NOLOG & DENY_UDP_NOLOG
>

I've set both on 445, and yes, it works perfectly.


Greetings from Aachen (Germany)

Norbert
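The thread ends with port 445 being added to DENY_TCP_NOLOG and DENY_UDP_NOLOG so the firewall log stops filling up. Before suppressing logging for a port it is worth measuring how much of the log that port actually accounts for, and whether anything else (SSH brute force, NetBIOS name-service probes) is hiding behind the noise. The script below is an added example, not code from the mail or from AIF: it ranks the destination ports in a netfilter LOG file and reports the share of one proto/port pair. The SRC=/DST=/PROTO=/DPT= fields are the kernel's own netfilter LOG format; the "AIF:PRIV TCP packet:" prefix on the constructed sample lines is an assumption about how AIF tags its messages, not taken from the project's documentation.

```shell
#!/bin/sh
# Added example (not from the original mail or from AIF): quantify which
# destination ports dominate a firewall log before deciding what to put in
# DENY_TCP_NOLOG / DENY_UDP_NOLOG.
#
# Field names (IN=, SRC=, DST=, PROTO=, DPT=) are the kernel netfilter LOG
# format. The "AIF:PRIV TCP packet:" prefix is an ASSUMED log prefix used
# only for these constructed sample lines.

# Constructed sample log in syslog layout (seven denied packets).
SAMPLE_LOG='Feb 29 19:01:02 host kernel: AIF:PRIV TCP packet: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TTL=113 ID=1234 DF PROTO=TCP SPT=4021 DPT=445 WINDOW=65535 SYN URGP=0
Feb 29 19:01:09 host kernel: AIF:PRIV TCP packet: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=48 TTL=116 ID=2211 DF PROTO=TCP SPT=1377 DPT=445 WINDOW=65535 SYN URGP=0
Feb 29 19:01:15 host kernel: AIF:PRIV UDP packet: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=78 TTL=120 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 29 19:01:31 host kernel: AIF:PRIV TCP packet: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=48 TTL=114 ID=9002 DF PROTO=TCP SPT=2201 DPT=445 WINDOW=65535 SYN URGP=0
Feb 29 19:02:04 host kernel: AIF:PRIV TCP packet: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TTL=52 ID=41 DF PROTO=TCP SPT=55012 DPT=22 WINDOW=5840 SYN URGP=0
Feb 29 19:02:40 host kernel: AIF:PRIV TCP packet: IN=eth0 OUT= SRC=198.51.100.88 DST=203.0.113.10 LEN=48 TTL=118 ID=7707 DF PROTO=TCP SPT=3019 DPT=445 WINDOW=65535 SYN URGP=0
Feb 29 19:03:12 host kernel: AIF:PRIV UDP packet: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=78 TTL=120 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58'

# Read netfilter LOG lines on stdin, print "count PROTO/DPT" lines,
# most frequent first. Lines without a DPT= field (e.g. ICMP) are skipped.
top_dports() {
    awk '
        /PROTO=/ && /DPT=/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") count[proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Percentage (integer, truncated) of logged packets that hit one proto/port.
# Usage: port_share TCP 445 < /var/log/firewall.log
port_share() {
    awk -v want_proto="PROTO=$1" -v want_port="DPT=$2" '
        /PROTO=/ && /DPT=/ {
            total++
            hit_proto = 0; hit_port = 0
            for (i = 1; i <= NF; i++) {
                if ($i == want_proto) hit_proto = 1
                if ($i == want_port)  hit_port  = 1
            }
            if (hit_proto && hit_port) hit++
        }
        END { if (total > 0) print int(100 * hit / total); else print 0 }
    '
}

# Stand-alone run against the constructed sample: ranking, then the
# share of TCP/445 (the port the thread decided to stop logging).
printf '%s\n' "$SAMPLE_LOG" | top_dports
printf 'TCP/445 share: %s%%\n' "$(printf '%s\n' "$SAMPLE_LOG" | port_share TCP 445)"
```

Run it against the real file with `top_dports < /var/log/firewall.log`. If one port dominates the way 445 does in the sample, suppressing it (in AIF's firewall.conf that is a quoted port list, e.g. `DENY_TCP_NOLOG="445"`) is reasonable; the trade-off is that SMB scanning against that host becomes invisible in the log, so keep the unsuppressed ranking around to notice when the next noisy port appears.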

