Firewall activity log -

Dale Dellutri daledellutri at gmail.com
Fri Apr 23 20:16:16 UTC 2010


On Fri, Apr 23, 2010 at 1:10 PM, Bob Goodwin <bobgoodwin at wildblue.net> wrote:

>
>    Through F-11 I ran Firestarter, it is not available for F-12 apparently.
>
>    The attractive thing with firestarter was the log it produced. When
>    I had a problem with an application I could look at the log and see
>    what the firewall was blocking. How can I do that with the firewall
>    provided with F-12? I have an application that doesn't work properly
>    with the firewall enabled but is good with it disabled. Obviously I
>    would like to know why.
>
>    Any help appreciated.
>

You'd need to add log rules yourself.  How and where to add them depends
on your current firewall setup.

If you can test your failing application during a time when the network is
quiet, you can start by just looking at the counts to see where packets are
being dropped.

For example, on my F12 desktop, I did the following as root.  The first
command zeroes out the counters, the second was done a few seconds later:

# iptables -Z
# iptables --line-number -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9  1192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        1    97 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
num   pkts bytes target     prot opt in     out     source               destination

As you can see, in the few seconds between commands, 9 RELATED or
ESTABLISHED packets came in (and were accepted by rule 1).  1 packet was
rejected by rule 5.

If I wanted to get details about the rejected packets, I'd add a log rule
just before the reject rule (DO NOT JUST COPY THIS COMMAND!  Your iptables
rules are probably different.):

  iptables -I INPUT 5 -j LOG --log-prefix "iptables INPUT: "

which would add a non-terminating LOG rule as rule 5 in the INPUT chain,
just before the REJECT (which would become rule 6).  Then you could
scan /var/log/messages for "iptables" entries, each of which would tell you
what type of packet was being rejected, including IP address, protocol and
port.  From that, you could craft an iptables rule to accept it.  I'm
assuming that you do all this from the target F12 system.

As always, be careful!  Learn as much about networking, iptables and the
specific failing app as you can.

Doesn't the failing app's documentation tell you what openings it needs in
the firewall?

-- 
Dale Dellutri
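An added worked example, not from Dale's mail and not part of iptables or Fedora: a small Python script that does the two steps above offline. It reads the counter listing to report which rules actually caught packets, then reads /var/log/messages-style lines written by the LOG target (the kernel's standard key=value format, IN= OUT= SRC= DST= PROTO= SPT= DPT= and so on) and summarizes what was rejected by protocol, destination port and source. The counter text is the listing from the mail, joined back onto one line per rule; the log lines, hostname, MAC and addresses are constructed samples. The accept rule it suggests is the narrow one-port kind the mail says to craft, not a blanket opening.

```python
"""Added example: which iptables rules are catching packets, and what the
LOG rule reports, run offline against constructed sample text."""
import re
from collections import Counter

# Constructed sample: the `iptables --line-numbers -nvL` listing from the mail
# (the mail client had wrapped each rule over two lines; rejoined here).
IPTABLES_NVL = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9  1192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        1    97 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample /var/log/messages lines in the netfilter LOG target's
# key=value format, as a rule with --log-prefix "iptables INPUT: " produces.
# Hostname "f12", MAC and IP addresses are made up.
MESSAGES = """\
Apr 23 14:02:11 f12 kernel: iptables INPUT: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40022 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 14:02:12 f12 kernel: iptables INPUT: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=40023 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 14:02:15 f12 kernel: iptables INPUT: IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e:00:aa:bb:cc:dd:ef:08:00 SRC=192.168.1.30 DST=224.0.0.251 LEN=78 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
Apr 23 14:02:16 f12 sshd[1234]: Accepted publickey for dale from 192.168.1.20 port 40100 ssh2
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
# Columns of `iptables --line-numbers -nvL`: num pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # LOG target fields like SRC=1.2.3.4, OUT= (empty)


def rules_with_hits(listing):
    """Return (chain, rule number, target, packets, match text) for each rule
    whose packet counter is nonzero, in listing order. Run this on a listing
    taken after `iptables -Z` and a quiet-network test of the failing app."""
    hits = []
    chain = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain and int(m["pkts"]):
            hits.append((chain, int(m["num"]), m["target"], int(m["pkts"]), m["extra"].strip()))
    return hits


def summarize_log(messages, prefix="iptables INPUT: "):
    """Count LOG-rule lines carrying `prefix` by (protocol, destination port,
    source address); lines from other daemons are ignored."""
    counts = Counter()
    for line in messages.splitlines():
        if prefix not in line:
            continue
        fields = dict(KV_RE.findall(line))
        counts[(fields.get("PROTO", "?"), fields.get("DPT", "-"), fields.get("SRC", "?"))] += 1
    return counts


def suggest_accept_rule(proto, dport, position=5):
    """Text of a narrow ACCEPT rule for one protocol/port, to insert ahead of the
    LOG and REJECT rules; `position` is assumed to be where LOG sits (5 in the mail)."""
    rule = f"iptables -I INPUT {position} -p {proto.lower()} -m state --state NEW"
    if proto.upper() in ("TCP", "UDP"):
        rule += f" --dport {dport}"
    return rule + " -j ACCEPT"


if __name__ == "__main__":
    for chain, num, target, pkts, extra in rules_with_hits(IPTABLES_NVL):
        print(f"{chain} rule {num} ({target} {extra}): {pkts} packets")
    for (proto, dport, src), n in summarize_log(MESSAGES).most_common():
        print(f"{n}x {proto} to port {dport} from {src}: {suggest_accept_rule(proto, dport)}")
```

On a real system you would feed `rules_with_hits` the output of the two root commands from the mail and `summarize_log` the relevant slice of /var/log/messages; the point of grouping by protocol, port and source is that the accept rule you end up adding covers just the traffic the application needs rather than whatever the REJECT happened to catch.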