* RE: Chain Policy DROP versus ACCEPT and logging
From: bmcdowell @ 2003-10-13 15:54 UTC
  To: blancher, tedkaz; +Cc: netfilter


I may be a little late chiming in on this, but personally my rules use a 'BAD' chain.  That chain ends with the LOG and DROP just like a normal appended chain.  The difference is, I can explicitly deny things by sending them to -j BAD.

I do the same with -j GOOD, and then run sanity checks against the packet, sending some stuff to BAD before it actually hits the ACCEPT.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Cedric Blancher
Sent: Sunday, October 12, 2003 10:12 AM
To: tedkaz@optonline.net
Cc: netfilter@lists.netfilter.org
Subject: Re: Chain Policy DROP versus ACCEPT and logging


On Sun 12/10/2003 at 16:00, Ted Kaczmarek wrote:
> Is there a way to log the default INPUT and FORWARD policies for dropped
> packets with them set to DROP as opposed to having them set to ACCEPT
> and putting in logs for any deny rules.

Logging in Netfilter does not behave as it used to with ipchains. You
cannot log and drop within the same rule. Suppose you want to log and
drop all UDP traffic:

	iptables -A INPUT -p udp -j LOG --log-prefix "UDP dropped : "
	iptables -A INPUT -p udp -j DROP

LOG is a target (a non-terminating one).

This said, if you want to log packets that hit chain policy, then you
have to put a logging rule at the very end of the chain:

	iptables -A INPUT -j LOG --log-prefix "INPUT chain policy drop : "

And you're done.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* RE: Chain Policy DROP versus ACCEPT and logging
From: Ted Kaczmarek @ 2003-10-14  1:01 UTC
  To: bmcdowell; +Cc: blancher, netfilter

And that applies to when default input and forward policies are drop?
Having a hard time grasping that in my brain, but I do believe I may be
overheating a few neurons :-)

Ted

On Mon, 2003-10-13 at 11:54, bmcdowell@coxhealthplans.com wrote:
> I may be a little late chiming in on this, but personally my rules use a 'BAD' chain.  That chain ends with the LOG and DROP just like a normal appended chain.  The difference is, I can explicitly deny things by sending them to -j BAD.
> 
> I do the same with -j GOOD, and then run sanity checks against the packet, sending some stuff to BAD before it actually hits the ACCEPT.
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Cedric Blancher
> Sent: Sunday, October 12, 2003 10:12 AM
> To: tedkaz@optonline.net
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Chain Policy DROP versus ACCEPT and logging
> 
> 
> On Sun 12/10/2003 at 16:00, Ted Kaczmarek wrote:
> > Is there a way to log the default INPUT and FORWARD policies for dropped
> > packets with them set to DROP as opposed to having them set to ACCEPT
> > and putting in logs for any deny rules.
> 
> Logging in Netfilter does not behave as it used to with ipchains. You
> cannot log and drop within the same rule. Suppose you want to log and
> drop all UDP traffic:
> 
> 	iptables -A INPUT -p udp -j LOG --log-prefix "UDP dropped : "
> 	iptables -A INPUT -p udp -j DROP
> 
> LOG is a target (a non-terminating one).
> 
> This said, if you want to log packets that hit chain policy, then you
> have to put a logging rule at the very end of the chain:
> 
> 	iptables -A INPUT -j LOG --log-prefix "INPUT chain policy drop : "
> 
> And you're done.





* Re: Chain Policy DROP versus ACCEPT and logging
From: Jeffrey Laramie @ 2003-10-14  1:29 UTC
  To: netfilter

[-- Attachment #1: Type: text/html, Size: 994 bytes --]


* Re: Chain Policy DROP versus ACCEPT and logging
From: Cedric Blancher @ 2003-10-12 15:12 UTC
  To: tedkaz; +Cc: netfilter

On Sun 12/10/2003 at 16:00, Ted Kaczmarek wrote:
> Is there a way to log the default INPUT and FORWARD policies for dropped
> packets with them set to DROP as opposed to having them set to ACCEPT
> and putting in logs for any deny rules.

Logging in Netfilter does not behave as it used to with ipchains. You
cannot log and drop within the same rule. Suppose you want to log and
drop all UDP traffic:

	iptables -A INPUT -p udp -j LOG --log-prefix "UDP dropped : "
	iptables -A INPUT -p udp -j DROP

LOG is a target (a non-terminating one).

This said, if you want to log packets that hit chain policy, then you
have to put a logging rule at the very end of the chain:

	iptables -A INPUT -j LOG --log-prefix "INPUT chain policy drop : "

And you're done.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: Chain Policy DROP versus ACCEPT and logging
From: Joel Newkirk @ 2003-10-12 15:06 UTC
  To: tedkaz; +Cc: netfilter

On Sun, 2003-10-12 at 10:00, Ted Kaczmarek wrote:
> I have seen many setups where the default CHAIN Policy is to accept
> packets by default versus dropping them. 
> From my perspective a firewall should implicitly deny everything, hence 
> INPUT and FORWARD should be DROP. 
> Then rules are put in to allow what you want. 
> But, one seems to lose some logging capabilities with such a setup.
> Is there a way to log the default INPUT and FORWARD policies for dropped
> packets with them set to DROP as opposed to having them set to ACCEPT
> and putting in logs for any deny rules.

Yep, just make a log rule last in the chain...

iptables -A FORWARD -j LOG --log-level 7 --log-prefix "FWDDROP:"

for instance.  Just remember that any rules added after this cannot
simply be "-A", or they'll be appended after the log rule.  They'll
still work properly but the packets they accept would be logged as
having been dropped.

j
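Cedric's LOG-then-DROP pair, bmcdowell's 'BAD' chain and Joel's ordering caveat, worked through in a small Python model of chain traversal. This is an added example, not code from the thread or from netfilter: the Filter class, rule(), build_ruleset() and late_allow() are hypothetical, and the packets are constructed dicts.

```python
# Toy model of iptables chain traversal (added example, not netfilter code): LOG is
# non-terminating, a user chain that decides nothing returns to the caller, and a
# packet that reaches the end of a built-in chain gets that chain's policy.
def rule(target, prefix="", **match):
    return (match, target, prefix)            # match {} means "every packet"

class Filter:
    def __init__(self, policy):
        self.policy = policy                  # built-in chain -> "ACCEPT"/"DROP"
        self.chains = {c: [] for c in policy}
        self.log = []                         # lines the kernel would log
    def append(self, chain, r):               # iptables -A (auto-creates user chains)
        self.chains.setdefault(chain, []).append(r)
    def insert(self, chain, pos, r):          # iptables -I <chain> <pos> (1-based)
        self.chains[chain].insert(pos - 1, r)
    def _walk(self, chain, pkt):
        for match, target, prefix in self.chains[chain]:
            if any(pkt.get(k) != v for k, v in match.items()):
                continue
            if target == "LOG":               # log, then keep walking the chain
                self.log.append(prefix + str(pkt))
            elif target in ("ACCEPT", "DROP"):
                return target
            else:                             # jump; a verdict in the user chain is final
                verdict = self._walk(target, pkt)
                if verdict:
                    return verdict
        return None                           # fell off the end of the chain
    def verdict(self, chain, pkt):
        return self._walk(chain, pkt) or self.policy[chain]

def build_ruleset():
    """INPUT policy DROP, a LOG+DROP 'BAD' chain, and a catch-all LOG rule last."""
    f = Filter({"INPUT": "DROP"})
    f.append("BAD", rule("LOG", "BAD: "))
    f.append("BAD", rule("DROP"))
    f.append("INPUT", rule("BAD", proto="udp"))                  # explicit deny
    f.append("INPUT", rule("ACCEPT", proto="tcp", dport=22))
    f.append("INPUT", rule("LOG", "INPUT chain policy drop: "))  # must stay last
    return f

def late_allow(f, use_insert):
    """Allow tcp/443 later; -A lands after the LOG (accepted, yet logged as dropped)."""
    r = rule("ACCEPT", proto="tcp", dport=443)
    if use_insert:
        f.insert("INPUT", len(f.chains["INPUT"]), r)  # slot just before the LOG rule
    else:
        f.append("INPUT", r)
    f.log.clear()
    return f.verdict("INPUT", {"proto": "tcp", "dport": 443}), len(f.log)
```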






* Chain Policy DROP versus ACCEPT and logging
From: Ted Kaczmarek @ 2003-10-12 14:00 UTC
  To: netfilter

I have seen many setups where the default CHAIN Policy is to accept
packets by default versus dropping them. 
From my perspective a firewall should implicitly deny everything, hence 
INPUT and FORWARD should be DROP. 
Then rules are put in to allow what you want. 
But, one seems to lose some logging capabilities with such a setup.
Is there a way to log the default INPUT and FORWARD policies for dropped
packets with them set to DROP as opposed to having them set to ACCEPT
and putting in logs for any deny rules.

Thanks,
Ted




