Re: Firewall packet logging question?

From: William Stearns (wstearns@pobox.com)
Date: Wed Feb 16 2000 - 09:10:48 EST

Next message: Matti Aarnio: "Re: DSL Modem?"
Previous message: Tigran Aivazian: "[patch-2.3.46-pre3] /dev/microcode (P6 ucode update char driver)"
In reply to: Mike A. Harris: "Firewall packet logging question?"
Next in thread: Peter Benie: "Re: Firewall packet logging question?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Good morning, Mike,

On Wed, 16 Feb 2000, Mike A. Harris wrote:

> Does the current kernel (2.2.x) have any provisions for logging
> or capturing the ENTIRE IP packet which matches a particular
> ipchains rule?
> [snip]
> need to patch the kernel to implement this, or does the kernel
> include a mechanism (which I think it does) to do this allready?
>
> Instead of the packets getting logged by the kernel somewhere, it
> would be acceptable for them to be passed to a user level daemon
> for processing and logging if necessary.

You can pass it to userspace for further analysis. From man
ipchains:

-o, --output [maxsize]
Copy matching packets to the userspace device. This is currently mainly
for developers who want to play with firewalling effects in userspace.
The optional maxsize argument can be used to limit the maximum number of
bytes from the packet which are to be copied. This option is only valid
if the ker<AD> nel has been compiled with CONFIG_IP_FIREWALL_NETLINK set.

, and from a (possibly old) 2.2 kernel Configure.help:

CONFIG_IP_FIREWALL_NETLINK
  If you say Y here, you can use the ipchains tool to copy all or part
  of any packet you specify that hits your Linux firewall to optional
  user space monitoring software that can then look for attacks and
  take actions such as paging the administrator of the site.
  To use this, you need to create a character special file under /dev
  with major number 36 and minor number 3 using mknod ("man mknod"),
  and you need (to write) a program that reads from that device and
  takes appropriate action.

        The ipchains mailing list at
http://www.starshadow.com/mailman/listinfo/ipchains is probably a better
place is you have additional questions.
        Cheers,
        - Bill

---------------------------------------------------------------------------
Don't allow your kids to become desensitized to violence.
Beat them harder each day.
(Courtesy of Aaron Tiensivu <mojomofo@ctechnix.com>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Matti Aarnio: "Re: DSL Modem?"
Previous message: Tigran Aivazian: "[patch-2.3.46-pre3] /dev/microcode (P6 ucode update char driver)"
In reply to: Mike A. Harris: "Firewall packet logging question?"
Next in thread: Peter Benie: "Re: Firewall packet logging question?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Wed Feb 23 2000 - 21:00:15 EST