Hi,
do you know a method to capture the packages before they are discarded?
I do see a couple of "interesting" packages, that I would like to examine a bit further (e.g. with wireshark)
The usual way would be using ulogd, but according to gh#268 https://github.com/firewalld/firewalld/issues/268, this is out of scope ATM.
When looking into the source, a general implementation seems pretty straightforward, with the most work being configuration/interfaces, but of course, this will raise questions of scatter logging into the ruleset everywhere <shrug>, proper testing, etc.
# LogTarget
# Define alternate logging target, eg. ULOG, NFLOG
# Default: LOG
LogTarget=LOG

# LogPrefixOption
# Log prefix option, eg. --nflog-prefix, --ulog-prefix
# Default: "--log-prefix"
LogPrefixOption="--log-prefix"

# LogTargetOptions
# Options for alternate logging target, eg. --nflog-group 32
# Default: ""
LogTargetOptions=
When making firewalld ulogd aware (ULOG, NFLOG), we could hardcode the LogPrefixOption, and simply call LogTargetOptions LogTargetGroup.
Opinions?
Cheers, Pete
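As an added illustration of the configuration proposal above (not firewalld code), the following sketch parses the proposed LogTarget / LogPrefixOption / LogTargetOptions keys and turns them into the trailing arguments of an iptables logging rule, applying the limits the LOG, ULOG and NFLOG targets impose (prefix length, nflog group range). Function names and the parsing behaviour are assumptions for illustration.

```python
import shlex

# Limits enforced by the iptables targets: LOG accepts a prefix of up to
# 29 characters, ULOG up to 32, NFLOG up to 64; nflog groups are 16-bit.
LOG_PREFIX_MAX = {"LOG": 29, "ULOG": 32, "NFLOG": 64}
NFLOG_GROUP_MAX = 65535

# Defaults as proposed in the message above (hypothetical config keys).
DEFAULT_CONFIG = {
    "LogTarget": "LOG",
    "LogPrefixOption": "--log-prefix",
    "LogTargetOptions": "",
}


def parse_log_config(text):
    """Parse key=value lines; '#' comments and blank lines are ignored,
    surrounding double quotes are stripped, unknown keys are skipped."""
    conf = dict(DEFAULT_CONFIG)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in conf:
            conf[key] = value
    return conf


def log_rule_args(conf, prefix):
    """Return the '-j <target> <prefix-opt> <prefix> <extra...>' arguments
    for one logging rule, rejecting values iptables would refuse."""
    target = conf["LogTarget"].upper()
    if target not in LOG_PREFIX_MAX:
        raise ValueError("unsupported LogTarget %r" % target)
    if len(prefix) > LOG_PREFIX_MAX[target]:
        raise ValueError("prefix longer than %d chars for %s"
                         % (LOG_PREFIX_MAX[target], target))
    extra = shlex.split(conf["LogTargetOptions"])
    if "--nflog-group" in extra:
        group = int(extra[extra.index("--nflog-group") + 1])
        if target != "NFLOG" or not 0 <= group <= NFLOG_GROUP_MAX:
            raise ValueError("invalid --nflog-group %d for %s" % (group, target))
    return ["-j", target, conf["LogPrefixOption"], prefix] + extra
```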
On Wed, Mar 11, 2020 at 04:59:22PM +0100, Hans-Peter Jansen wrote:
> Hi,
> do you know a method to capture the packages before they are discarded?
No. The only thing like this is --set-log-denied, but that only does basic logging.
> I do see a couple of "interesting" packages, that I would like to examine a bit further (e.g. with wireshark)
> The usual way would be using ulogd, but according to gh#268 https://github.com/firewalld/firewalld/issues/268, this is out of scope ATM.
> When looking into the source, a general implementation seems pretty straightforward, with the most work being configuration/interfaces, but of course, this will raise questions of scatter logging into the ruleset everywhere <shrug>, proper testing, etc.
>
> # LogTarget
> # Define alternate logging target, eg. ULOG, NFLOG
> # Default: LOG
> LogTarget=LOG
>
> # LogPrefixOption
> # Log prefix option, eg. --nflog-prefix, --ulog-prefix
> # Default: "--log-prefix"
> LogPrefixOption="--log-prefix"
>
> # LogTargetOptions
> # Options for alternate logging target, eg. --nflog-group 32
> # Default: ""
> LogTargetOptions=
>
> When making firewalld ulogd aware (ULOG, NFLOG), we could hardcode the LogPrefixOption, and simply call LogTargetOptions LogTargetGroup.
> Opinions?
Ideally we'd add a new target for rich rules, e.g. NFLOG. Then you could use a low precedence catch-all rich rule which would execute right before the accept/drop for the zone. e.g.
firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=.. group=..'
Unfortunately the "nflog" action doesn't exist yet. Should be fairly easy to add. If you'd like to see it added, then please file an issue on github.
Eric.
On Wednesday, 11 March 2020, 19:29:02 CET, Eric Garver wrote:
> On Wed, Mar 11, 2020 at 04:59:22PM +0100, Hans-Peter Jansen wrote:
>> Hi,
>> do you know a method to capture the packages before they are discarded?
> No. The only thing like this is --set-log-denied, but that only does basic logging.
Well, that doesn't help with many cases. Some of them, I'm facing right now.
> Ideally we'd add a new target for rich rules, e.g. NFLOG. Then you could use a low precedence catch-all rich rule which would execute right before the accept/drop for the zone. e.g.
> firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=.. group=..'
> Unfortunately the "nflog" action doesn't exist yet. Should be fairly easy to add. If you'd like to see it added, then please file an issue on github.
Here we go: https://github.com/firewalld/firewalld/issues/587
If I understand you correctly, given a high enough priority, other use cases like live monitoring and accounting could be realized this way as well.
Thanks, Pete
firewalld-users@lists.fedorahosted.org