Stephen Gran on 12 Jan 2007 23:57:14 -0000
On Fri, Jan 12, 2007 at 03:33:55PM -0500, Matthew Rosewarne said:
> I'm trying to get a bit more info out of the mass of logs that
> IPTables generates. What I'd really like would be for the IP
> addresses to be resolved to hostnames in the logs (I could put dnsmasq
> in for performance)

This would be a real performance hit, if you think about it. The default timeout for the gethostbyname() call is roughly 30 seconds - I doubt you want to wait that long for name resolution before deciding whether to allow a packet or not. Better to have a log parser that calls gethostbyname and getservbyport to return services associated with the port logged.

> and ideally for the name of the program that made the packet or is
> listening on a certain port to be looked up (netstat?) and added to
> the log. I know that the kernel-space Netfilter can't filter based on
> which user-space programs send or receive packets, but I'd at least
> like to know why these packets are coming and going so I can adjust my
> rules.

You should probably add a unique identifier to each LOG target, so you know which rule got matched. iptables on recent kernels does have the ability to match on uid, so I imagine this could be used as a rough service map - I tend to run all services as separate, non-privileged accounts when possible, and I do use the uid match feature for outgoing iptables rules.

Hope that's helpful,
--
--------------------------------------------------------------------------
| Stephen Gran                  | The moon is made of green cheese.    -- |
| steve@lobefin.net             | John Heywood                            |
| http://www.lobefin.net/~steve |                                         |
--------------------------------------------------------------------------

Attachment: signature.asc

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
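As an added example (editor's code, not part of Stephen's reply or the list archive): the post-hoc log parser he suggests, in Python. It reads iptables LOG lines, picks out the --log-prefix identifier that distinguishes the matching rule, parses the KEY=VALUE fields, and only then resolves addresses and ports, caching each address so a slow resolver is consulted at most once per address per run instead of once per packet. Address-to-name resolution is socket.gethostbyaddr (gethostbyname goes the other way, name to address); the default lookups below use that and socket.getservbyport. The log lines, host names, addresses and prefixes are constructed for this example, and the constructed lookup tables keep the demo runnable offline with no resolver at all.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample lines in the shape the kernel LOG target writes to syslog,
# e.g. from rules such as:
#   iptables -A INPUT  -p tcp --dport 22 -j LOG --log-prefix "IN-SSH: "
#   iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "OUT-DNS: "
# Addresses use documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Jan 12 15:33:55 fw kernel: IN-SSH: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 15:33:58 fw kernel: OUT-DNS: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
Jan 12 15:34:01 fw kernel: IN-PING: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=555 SEQ=1
"""

# Everything between "kernel: " (and an optional "[12345.678] " timestamp) and
# the first "IN=" is the --log-prefix; the rest is the field list.
LINE_RE = re.compile(r"kernel: (?:\[\s*\d+(?:\.\d+)?\] )?(?P<prefix>.*?)(?P<fields>IN=.*)$")

# Constructed, offline lookup tables (assumptions for the demo, not real hosts).
CONSTRUCTED_HOSTS = {"192.0.2.10": "client.example", "198.51.100.5": "fw.example"}
CONSTRUCTED_SERVICES = {(22, "tcp"): "ssh", (53, "udp"): "domain"}


def default_host_lookup(ip: str) -> Optional[str]:
    """Reverse-resolve an address; None on failure. Timeout is the resolver's."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def default_service_lookup(port: int, proto: str) -> Optional[str]:
    """Map port/protocol to a service name via /etc/services; None if unknown."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return None


def constructed_host_lookup(ip: str) -> Optional[str]:
    return CONSTRUCTED_HOSTS.get(ip)


def constructed_service_lookup(port: int, proto: str) -> Optional[str]:
    return CONSTRUCTED_SERVICES.get((port, proto))


def parse_line(line: str) -> Optional[dict]:
    """Split one LOG line into prefix, KEY=VALUE fields and bare flags (DF, SYN)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec: dict = {"prefix": m.group("prefix").strip().rstrip(":"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value  # a repeated key (ICMP's second ID=) keeps the last value
        else:
            rec["flags"].append(tok)
    return rec


class Enricher:
    """Adds names to addresses and service names to ports, resolving each IP once."""

    def __init__(self, host_lookup: Callable[[str], Optional[str]],
                 service_lookup: Callable[[int, str], Optional[str]]) -> None:
        self.host_lookup = host_lookup
        self.service_lookup = service_lookup
        self._hosts: Dict[str, Optional[str]] = {}

    def host(self, ip: str) -> Optional[str]:
        if ip not in self._hosts:  # cache failures too, so a dead resolver costs one timeout per IP
            self._hosts[ip] = self.host_lookup(ip)
        return self._hosts[ip]

    def enrich(self, rec: dict) -> dict:
        out = dict(rec)
        for key in ("SRC", "DST"):
            if key in rec:
                out[key + "_NAME"] = self.host(rec[key])
        proto = rec.get("PROTO", "").lower()
        if proto in ("tcp", "udp"):  # ports only mean something for these
            for key in ("SPT", "DPT"):
                if key in rec:
                    out[key + "_SVC"] = self.service_lookup(int(rec[key]), proto)
        return out


def enrich_log(text: str, host_lookup=default_host_lookup,
               service_lookup=default_service_lookup) -> List[dict]:
    enricher = Enricher(host_lookup, service_lookup)
    return [enricher.enrich(r) for r in map(parse_line, text.splitlines()) if r is not None]


def format_record(rec: dict) -> str:
    """One readable line: prefix, protocol, src(name):port(svc) -> dst(name):port(svc) [flags]."""
    def endpoint(ip_key: str, port_key: str) -> str:
        ip, name = rec.get(ip_key, "?"), rec.get(ip_key + "_NAME")
        s = f"{ip}({name})" if name else ip
        if port_key in rec:
            svc = rec.get(port_key + "_SVC")
            s += f":{rec[port_key]}" + (f"({svc})" if svc else "")
        return s
    line = f"{rec['prefix'] or '-'} {rec.get('PROTO', '?')} {endpoint('SRC', 'SPT')} -> {endpoint('DST', 'DPT')}"
    return line + (f" [{','.join(rec['flags'])}]" if rec["flags"] else "")


if __name__ == "__main__":
    # Swap in default_host_lookup / default_service_lookup to use the real resolver.
    for rec in enrich_log(SAMPLE_LOG, constructed_host_lookup, constructed_service_lookup):
        print(format_record(rec))
```

Run as-is it prints the three constructed lines with names and services filled in; pass `default_host_lookup` and `default_service_lookup` to `enrich_log` to use the system resolver, at which point the per-address cache is what keeps a 30-second timeout from being paid on every packet from an unresolvable source.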