Matthew Rosewarne on 13 Jan 2007 00:59:23 -0000



Re: [PLUG] iptables logging


On Friday 12 January 2007 18:57, Stephen Gran wrote:
> This would be a real performance hit, if you think about it.  the
> default timeout for the gethostbyname() call is roughly 30 seconds - I
> doubt you want to wait that long for name resolution before deciding
> whether to allow a packet or not.  Better to have a log parser that
> calls gethostbyname and getservbyport to return services associated with
> the port logged.

Well, I'm not trying to use hostnames for the ACCEPT or DROP rules, I just
want them to show up in the log, which isn't quite so time-critical.  A log parser
approach might work for that, but I don't know of one that does such things.
Perhaps I'd have to write a plugin for ulogd myself (oh joy).

> You should probably add a unique identifier to each LOG target, so you
> know which rule got matched.  iptables on recent kernels does have the
> ability to match on uid, so I imagine this could be used as a rough
> service map - I tend to run all services as separate, non-privileged
> accounts when possible, and I do use the uid match feature for outgoing
> iptables rules.

This is really more for a desktop/workstation setup, as opposed to a server of 
some sort.  As such, I have a number of apps that might send all kinds of 
traffic in and out of various ports and almost all of them run as the login 
user, so just knowing the port numbers and SRC/DEST isn't all that helpful.  
My worst offenders are bittorrent (my UID), tor (its own UID), and loading 
pages from broken webservers that give funky TCP flags or frag packets (my 
UID).  When any of these is happening, all of the other suspicious packets 
get lost in a gigantic log.  Since all of these apps have to open inet 
sockets, I was sort of hoping someone knew of a way to have a netstat-esque 
lookup happen at logging-time so the app name gets recorded.  The UID rule
looks useful for some of the more traditional daemon-like things though.


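As an added example (not from this thread or either poster), the log-parser approach from the quoted reply, in Python: hostnames (socket.gethostbyaddr, the reverse counterpart of gethostbyname) and service names (socket.getservbyport) are looked up when the log is read, so a resolver stall costs parser time rather than delaying a netfilter verdict, and a unique --log-prefix tag per LOG rule lets the noisy rules be counted and filtered out. The log lines and the tags are constructed; the UID= field appears only on rules logged with --log-uid.

```python
import re
import socket
from collections import Counter
# Constructed iptables LOG lines; the "IN-DROP-FLAGS:" / "OUT-UID-TOR:" tags
# stand for assumed --log-prefix values, one unique tag per LOG rule.
SAMPLE_LOG = """\
Jan 12 18:57:01 box kernel: [ 1234.5678] IN-DROP-FLAGS: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=41234 WINDOW=0 RES=0x00 URG PSH FIN
Jan 12 18:57:02 box kernel: [ 1234.6000] OUT-UID-TOR: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.3 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=9001 WINDOW=5840 RES=0x00 SYN URGP=0 UID=107 GID=107
Jan 12 18:57:03 box kernel: [ 1234.7000] IN-DROP-FLAGS: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=41235 WINDOW=0 RES=0x00 URG PSH FIN
"""
# The text between "kernel:" (plus optional uptime stamp) and "IN=" is the prefix.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*?)\s*IN=")
NAME_CACHE = {}                                 # address -> hostname, shared

def parse_line(line):
    """One LOG line -> prefix, key=value fields and bare flags (DF, SYN, ...)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group(1).rstrip(":"), "flags": []}
    for tok in line[m.end() - 3:].split():      # back up over "IN="
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        else:
            rec["flags"].append(tok)
    return rec

def enrich(rec, resolve=socket.gethostbyaddr, cache=NAME_CACHE):
    """Add *_NAME fields via reverse DNS and /etc/services (getservbyport).
    A slow lookup costs log-processing time here, never a netfilter verdict."""
    for side in ("SRC", "DST"):                 # LOG always prints both
        ip = rec[side]
        if ip not in cache:
            try:
                cache[ip] = resolve(ip)[0]
            except OSError:                     # herror/gaierror: keep the IP
                cache[ip] = ip
        rec[side + "_NAME"] = cache[ip]
    for p in ("SPT", "DPT"):
        if p in rec:
            try:
                rec[p + "_NAME"] = socket.getservbyport(int(rec[p]), rec.get("PROTO", "").lower())
            except (OSError, ValueError):       # unknown port: keep the number
                rec[p + "_NAME"] = rec[p]
    return rec

def summarize(log_text, resolve=socket.gethostbyaddr):
    """Enrich every LOG line and count hits per --log-prefix tag."""
    records = [enrich(r, resolve) for r in map(parse_line, log_text.splitlines()) if r]
    return records, Counter(r["prefix"] for r in records)
```

Running `summarize(SAMPLE_LOG)` on a real log does live reverse lookups; pass a stub `resolve` to keep it offline.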
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug