Firewall activity log -
Bob Goodwin
bobgoodwin at wildblue.net
Fri Apr 23 21:21:19 UTC 2010
On 23/04/10 16:16, Dale Dellutri wrote:
>
>
> On Fri, Apr 23, 2010 at 1:10 PM, Bob Goodwin <bobgoodwin at wildblue.net> wrote:
>
>
> Through F-11 I ran Firestarter, it is not available for F-12
> apparently.
>
> The attractive thing with firestarter was the log it produced. When
> I had a problem with an application I could look at the log and see
> what the firewall was blocking. How can I do that with the firewall
> provided with F-12. I have an application that doesn't work
> properly
> with the firewall enabled but is good with it disabled. Obviously I
> would like to know why.
>
> Any help appreciated.
>
>
> You'd need to add log rules yourself. How and where to add them depends
> on your current firewall setup.
>
> If you can test your failing application during a time when the
> network is quiet,
> you can start by just looking at the counts to see where packets are
> being dropped.
>
> For example, on my F12 desktop, I did the following as root. The
> first command
> zeroes out the counters, the second was done a few seconds later:
>
> # iptables -Z
> # iptables --line-number -nvL
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target  prot opt in  out  source     destination
> 1        9  1192 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
> 2        0     0 ACCEPT  icmp --  *   *    0.0.0.0/0  0.0.0.0/0
> 3        0     0 ACCEPT  all  --  lo  *    0.0.0.0/0  0.0.0.0/0
> 4        0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
> 5        1    97 REJECT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target  prot opt in  out  source     destination
> 1        0     0 REJECT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
> num   pkts bytes target  prot opt in  out  source     destination
>
> As you can see, in the few seconds between commands, 9 RELATED or
> ESTABLISHED packets came in (and were accepted by rule 1). 1 packet was
> rejected by rule 5.
>
> If I wanted to get details about the rejected packets, I'd add a log
> rule just before
> the reject rule (DO NOT JUST COPY THIS COMMAND! Your iptables rules
> are probably different.):
>
> iptables -I INPUT 5 -j LOG --log-prefix "iptables INPUT: "
>
> which would add a non-terminating LOG rule as rule 5 in the INPUT chain,
> just before the REJECT (which would become rule 6). Then you could
> scan /var/log/messages for "iptables" entries, each of which would
> tell you
> what type of packet was being rejected, including ip address, protocol
> and port.
> From that, you could craft an iptables rule to accept it. I'm
> assuming that you
> do all this from the target F12 system.
>
> As always, be careful! Learn as much about networking, iptables and the
> specific failing app as you can.
>
> Doesn't the failing app's documentation tell you what openings it needs in
> the firewall?
>
> --
> Dale Dellutri
First, thanks for the information I will play with that and save it
in my notes.
Yes I knew what ports it wanted, and I had opened them in the router
but it turns out iptables was blocking them. I used the "setup"
utility to open ports 5198-5200 and things immediately began to work.
But the scheme you describe for determining what is being blocked is
what I need. I will experiment with that.
Again thanks for the help.
Bob
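The procedure Dale describes above (zero the counters, list the chains with line numbers, insert a non-terminating LOG rule just ahead of the REJECT, then read the kernel log entries to see which address, protocol and port is being refused) can be scripted. The block below is an added example, not code from this thread or from Fedora: it parses a constructed copy of the `iptables --line-numbers -nvL` listing and a few constructed `/var/log/messages` lines (addresses from the RFC 5737 documentation range), works out the rule number where the LOG rule should be inserted, and proposes ACCEPT rules for the traffic that was logged. It assumes the standard netfilter `LOG` target line format (`IN= OUT= SRC= DST= PROTO= SPT= DPT=`); the iptables commands it prints still have to be reviewed and run as root on the target system.

```python
"""Turn iptables counters and LOG lines into candidate ACCEPT rules (added example)."""
import re
from collections import Counter

# Constructed sample of `iptables --line-numbers -nvL`, modelled on the listing
# quoted in the thread. Counts may carry a K/M/G suffix in real output.
LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out  source     destination
1        9  1192 ACCEPT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2        0     0 ACCEPT  icmp --  *   *    0.0.0.0/0  0.0.0.0/0
3        0     0 ACCEPT  all  --  lo  *    0.0.0.0/0  0.0.0.0/0
4        0     0 ACCEPT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5        1    97 REJECT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out  source     destination
1        0     0 REJECT  all  --  *   *    0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
num   pkts bytes target  prot opt in  out  source     destination
"""

# Constructed /var/log/messages lines, as the LOG rule would write them.
# Not real captures; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
Apr 23 16:10:01 desktop kernel: iptables INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=5198 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 16:10:02 desktop kernel: iptables INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=UDP SPT=5199 DPT=5199 LEN=32
Apr 23 16:10:02 desktop kernel: iptables INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=UDP SPT=5199 DPT=5199 LEN=32
Apr 23 16:10:05 desktop kernel: iptables INPUT: IN=eth0 OUT= MAC=00:00:5e:00:53:03:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4324 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Apr 23 16:10:06 desktop sshd[1234]: Accepted publickey for bob from 192.0.2.50 port 40000 ssh2
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def _count(s):
    """Packet/byte counters in -v output may be abbreviated, e.g. '1192K'."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)


def parse_listing(text):
    """Parse `iptables --line-numbers -nvL` into {chain: [(num, pkts, target), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line[:1].isdigit():
            num, pkts, _bytes, target = line.split()[:4]
            chains[current].append((int(num), _count(pkts), target))
    return chains


def first_reject(chains, chain="INPUT"):
    """Rule number of the first REJECT/DROP: inserting the LOG rule at this
    position (-I CHAIN N) makes it fire on exactly the packets about to be refused."""
    for num, _pkts, target in chains.get(chain, []):
        if target in ("REJECT", "DROP"):
            return num
    return None


def log_rule(chains, chain="INPUT", prefix="iptables INPUT: "):
    """The non-terminating LOG rule to insert ahead of the REJECT, or None."""
    n = first_reject(chains, chain)
    return None if n is None else f'iptables -I {chain} {n} -j LOG --log-prefix "{prefix}"'


def parse_log_line(line, prefix="iptables INPUT: "):
    """Return the KEY=value fields of one netfilter LOG line, or None for other syslog lines."""
    marker = "kernel: " + prefix
    idx = line.find(marker)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(marker):]))


def flow_key(fields):
    """Reduce a logged packet to (proto, port): what an ACCEPT rule needs.
    ICMP has no port, so its type stands in for one."""
    proto = fields.get("PROTO", "").lower()
    if proto in ("tcp", "udp"):
        return (proto, int(fields["DPT"]))
    if proto == "icmp":
        return ("icmp", int(fields.get("TYPE", -1)))
    return (proto or "unknown", None)


def summarize(log_text, prefix="iptables INPUT: "):
    """Count refused packets per (proto, port) across the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is not None:
            counts[flow_key(fields)] += 1
    return counts


def accept_rule(key, chain="INPUT", insert_at=None):
    """iptables command admitting this traffic; placed before the REJECT when insert_at is given,
    because a rule appended after a terminating REJECT is never reached."""
    proto, port = key
    pos = f"-I {chain} {insert_at}" if insert_at else f"-A {chain}"
    if proto in ("tcp", "udp"):
        return f"iptables {pos} -m state --state NEW -p {proto} --dport {port} -j ACCEPT"
    if proto == "icmp":
        return f"iptables {pos} -p icmp --icmp-type {port} -j ACCEPT"
    return f"iptables {pos} -p {proto} -j ACCEPT"


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    print("step 1:", log_rule(chains))
    for key, hits in sorted(summarize(SAMPLE_LOG).items()):
        print(f"step 2: {hits} packet(s) ->", accept_rule(key, insert_at=first_reject(chains)))
```

Run it and review the printed commands before pasting any of them into a root shell: the script deliberately proposes one rule per destination port rather than per source address, so if the log shows a single remote host you may prefer to add `-s <that address>` and narrow the opening.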