Again firewall question

[Thomas Wilhelmi]

Hi,

again I have a question about the Firewall-module. How can I enable logging for some rules?

 

[Nikolay.]

I don't think it is currently possible via the module.

 

[Thomas Wilhelmi]

Hm, that means I have to create the entries for logging myself and add it in the created script myself after activating it and execute it again?

 

[Nikolay.]

Yes, I suppose you could do that. Make a backup of your changes though.

May I ask what's the use case? Why do you need logging? To debug a new rule?

 

[Thomas Wilhelmi]

Thx. Of course I would backup my changes

And of yourse you may ask. That's the meaning of a Forum. I have 2 main ideas here. First of all you're right I would like to see if a (new) rule is being hit and the second is to probably analyse attack-patterns.

 

[Nikolay.]

and the second is to probably analyse attack-patterns.

That thought also crossed my mind. You mean detecting stuff like port probing? Because in case of various types of DoS relying on heavy traffic having tons of log records to write may be quite harmful.

 

[Thomas Wilhelmi]

That's definitely a good Point. I think I have to make some experience to get a feeling what is a good compromise.

 

[atomicturtle]

There are certainly options that would let you limit the rate of logging in a LOG rule. For example in ASL we have blacklist rulesets with LOG rules at the bottom that fire at 10 in 1 minute, and a limit burst of 2. A limit for a TOR blacklist looks like this:

-A ASL-TOR-DROP-LOG -m limit --limit 10/minute --limit-burst 2 -j LOG --log-level info --log-prefix "ASL_TOR_BLOCK " --log-tcp-sequence --log-tcp-options --log-ip-options

This way you will log the event with its own syslog prefix, and limit the total number of log messages to no more than 2 events in 1 minute.

 

[Thomas Wilhelmi]

Thanks for this hint