FreeBSD Basics

IPFW Logging

06/21/2001

I've spent the last few articles creating ipfw rules that allow only the IP traffic I wish to enter my FreeBSD computer. This week, I'd like to take a look at logging, and I will probably end up tweaking my firewall further as I do so.

Like creating rulesets, logging is a bit of a fine art. What you decide to log will depend upon your degree of curiosity, how important the data is that you're trying to protect with your firewall, the amount of disk space you have available to hold the logged information, and a realistic assessment of how much information you're willing to wade through to see if anything happened that you didn't want to happen.

Even if you don't explicitly add the log keyword to any of the rules in your ipfw ruleset, there are still several places where your FreeBSD kernel will record events as they occur. Let's spend some time examining the type of information that is recorded and the locations where that information is stored. Before we do so, let's take a look at my current ruleset, as I've changed it slightly. Because I like to log denied packets, I've added the log keyword to rule 00301 and have added rule 00700 to log all packets that were not explicitly allowed by any of my rules:

ipfw show

00100 135946  11920244 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00300      0         0 check-state
00301    753    112227 deny log logamount 10 tcp from any to any in established
00302 233176 107186044 allow tcp from any to any keep-state out setup
00400  15823   2353615 allow udp from 24.226.1.90 53 to any in recv ed1
00401   2787    155141 allow udp from 24.226.1.20 53 to any in recv ed1
00402   2781    154266 allow udp from 24.2.9.34 53 to any in recv ed1
00403  21503   1222215 allow udp from any to any out
00501   1785    694722 allow udp from 24.226.1.41 67 to any 68 in recv ed1
00600    607     34028 allow icmp from any to any icmptype 3
00601      0         0 allow icmp from any to any icmptype 4
00602      4       336 allow icmp from any to any out icmptype 8
00603      4       336 allow icmp from any to any in icmptype 0
00604     63      3528 allow icmp from any to any in icmptype 11
00700    135      7452 deny log logamount 10 ip from any to any
65535      0         0 deny ip from any to any

If you are not already in the habit of doing so, you should read the root user's email on a daily basis as several important bits of information are recorded by the cron daemon. As you read these daily e-mail messages, you'll become familiar with what is normal behavior for your FreeBSD system. When you read the "daily run output" email, take note of the "disk status" section; here's mine from this morning's output:

Disk status:
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a     99183    37359    53890    41%    /
/dev/ad0s1f   7851141  1164528  6058522    16%    /usr
/dev/ad0s1e     19815     5762    12468    32%    /var
procfs              4        4        0   100%    /proc
mfs:68852      257999        9   237351     0%    /tmp

Pay attention to the capacity of /var as this is where logged information is stored. You should find that its capacity will grow at a fairly steady daily rate; for example, mine grows at about 4 percent per day. Knowing this, you'll have an idea of how often you should clean out your /var partition. You'll also be alerted if there is a significant increase in capacity used. For example, if I were to read my email tomorrow and the capacity on /var had jumped up to 85 percent, I'd immediately take a look at my logs to see why the kernel had logged so many events.
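The daily growth check described above is easy to automate. The following script is an added example, not part of the original article: it parses df(1)-style "Disk status" output, pulls out the Capacity column for a mount point, and reports any filesystem whose usage has climbed by more than a chosen number of percentage points since the previous reading. Both df samples are constructed for the example (the first copies the figures shown above, the second fakes the 85 percent jump on /var); in practice you would feed it yesterday's and today's "daily run output" instead.

```sh
#!/bin/sh
# Added example (not from the article): compare two "Disk status" readings and
# flag filesystems whose capacity jumped by more than a threshold.
# Both samples are constructed; the second invents the 85% jump on /var.

YESTERDAY='Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a     99183    37359    53890    41%    /
/dev/ad0s1f   7851141  1164528  6058522    16%    /usr
/dev/ad0s1e     19815     5762    12468    32%    /var'

TODAY='Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s1a     99183    37359    53890    41%    /
/dev/ad0s1f   7851141  1164528  6058522    16%    /usr
/dev/ad0s1e     19815    16843     1387    85%    /var'

# capacity_of <mountpoint> <df output>
# Print the Capacity column for the given mount point as a bare number (no %).
capacity_of() {
    printf '%s\n' "$2" | awk -v mp="$1" '$NF == mp { sub("%", "", $5); print $5 }'
}

# capacity_jump <mountpoint> <threshold> <old df output> <new df output>
# Print "mount old new" when usage rose by more than <threshold> percentage
# points between the two readings; print nothing when the growth is normal.
capacity_jump() {
    old=$(capacity_of "$1" "$3")
    new=$(capacity_of "$1" "$4")
    if [ $((new - old)) -gt "$2" ]; then
        printf '%s %s %s\n' "$1" "$old" "$new"
    fi
}

# Check /var against a 10-point daily threshold; a steady ~4%/day stays quiet,
# the constructed 32% -> 85% jump is reported so the logs get looked at.
capacity_jump /var 10 "$YESTERDAY" "$TODAY"
```

Run it from cron after the daily output has been saved, and pipe any line it prints into mail to root. The threshold is deliberately a few times the normal daily growth rate so that routine logging never triggers it while a burst of kernel log events does.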

You'll also want to read the "security check output" that is sent by email to the root user. Here is a copy of my output from last week:

****************************************************
>From root@.HOSTNAME. Sat Jun 2 09:18:02 2001
Date: Sat, 2 Jun 2001 03:01:03 -0400 (EDT)
From: Charlie Root <root>
To: undisclosed-recipients:  ;
Subject: hostname security check output

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

hostname denied packets:
> 00301    14     560 deny log logamount 10 tcp from any to any in established
> 00700    28    1580 deny log logamount 10 ip from any to any

ipfw log limit reached:
00301    14     560 deny log logamount 10 tcp from any to any in established
00700    28    1580 deny log logamount 10 ip from any to any

hostname kernel log messages:
> Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:3198
> Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:3198
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1307
> Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:3231
> Connection attempt to TCP 127.0.0.1:113 from 127.0.0.1:3231
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1340
<snip as it goes on for a while>

hostname login failures:

hostname refused connections:
hostname checking for denied secondary zone transfers:
****************************************************

Let's pick apart the sections that deal with logged events. Note that you won't get any entries under "hostname denied packets" or "ipfw log limit reached" unless you add the log keyword to a rule in your ruleset. It looks like my firewall denied 14 packets that tried to make a TCP connection to my FreeBSD box (rule 00301), and it also denied 28 packets that didn't meet any of the allow rules in my ruleset (rule 00700).
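Notice that both rules also appear under "ipfw log limit reached": each carries logamount 10, and each counted more packets than that. Once a rule has produced logamount entries, ipfw stops writing log lines for it until the counters are reset (ipfw resetlog), so the security report's counters are the only record of the remaining denied packets. The script below is an added example, not part of the article or of FreeBSD's /etc/security: it reads the "denied packets" section, totals the counters, and for every deny rule with a logamount reports how many denied packets were counted but never logged. The two input lines are constructed from the counters shown in the report above.

```sh
#!/bin/sh
# Added example (not from the article): summarise the "denied packets"
# section of the daily security check output and show, per deny/log rule,
# how many denied packets exceeded its logamount and so never reached the log.
# The sample section is constructed from the counters quoted in the article.

DENIED='> 00301    14     560 deny log logamount 10 tcp from any to any in established
> 00700    28    1580 deny log logamount 10 ip from any to any'

# strip_markers <section>
# The security report prefixes each changed line with "> "; remove it so the
# fields line up with plain "ipfw show" output (rule, packets, bytes, action...).
strip_markers() {
    printf '%s\n' "$1" | sed 's/^> //'
}

# total_denied <section>
# Sum of the packet counters (second column) across all rules in the section.
total_denied() {
    strip_markers "$1" | awk '{ n += $2 } END { print n + 0 }'
}

# unlogged <section>
# For each rule that has a logamount, print "rule packets logamount unlogged"
# when the packet count exceeds the logamount. Rules without a logamount (those
# using the sysctl default) are skipped rather than guessed at.
unlogged() {
    strip_markers "$1" | awk '
        {
            limit = -1
            for (i = 4; i < NF; i++)
                if ($i == "logamount") limit = $(i + 1)
            if (limit >= 0 && $2 > limit)
                printf "%s %d %d %d\n", $1, $2, limit, $2 - limit
        }'
}

echo "denied packets total: $(total_denied "$DENIED")"
echo "rules whose denied packets outran their logamount (rule packets limit unlogged):"
unlogged "$DENIED"
```

For the report above this prints a total of 42 denied packets and shows that rule 00301 dropped 4 packets and rule 00700 dropped 18 packets after their log limit was reached. If the unlogged figures are consistently large, raise logamount on those rules (at the cost of more /var growth) or reset the log counters more often than once a day; if you would rather never miss an entry, watch the /var capacity as described earlier before loosening the limit.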
