
List:       ipchains-list
Subject:    Re: ipchains log
From:       John Sage <jsage () finchhaven ! com>
Date:       2001-02-16 19:56:24

Medi:

Logging in ipchains is enabled by adding the -l logging switch to any
specific ipchains rule, for example:

# INPUT: DENY icmp type 8
ipchains -A input -i $extint -p icmp -s any/0 --icmp-type echo-request \
  -l -j DENY
# Rule 34

is the rule that results in:

> > Feb 13 17:41:19 sparky kernel: Packet log: input DENY ppp0 PROTO=1
> > 209.155.224.130:8 12.82.134.181:0 L=84 S=0x00 I=12573 F=0x0000 T=51
> > (#34)

It's the " -l " right after "echo-request" and before " -j " that's
doing it.

*Where* ipchains logs to is another matter.

You almost certainly have a /var/log/messages, so ipchains is probably
logging there without being told to do otherwise.

In my /etc/syslog.conf, I have the entry:

kern.*		/var/log/kernel

which is what makes ipchains log to *that* specific file..

HTH..

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage@finchhaven.com
And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"

Medi Montaseri wrote:
> 
> How can I enable log on ipchains...I don't have /var/log/kernel on my
> Linux box.
> 
> John Sage wrote:
> 
> > Here's some snippets from /var/log/kernel from 02/13/01:
> >
> > Pings (icmp; proto=1 "source port"=8 "dest port"=0 or icmp type 8
> > code
> > 0), echo
> > requests DENY'ed by rule #34
> >
> > Feb 13 17:41:19 sparky kernel: Packet log: input DENY ppp0 PROTO=1
> > 209.155.224.130:8 12.82.134.181:0 L=84 S=0x00 I=12573 F=0x0000 T=51
> > (#34)

<snip>

> > Jigar Ranchordas wrote:
> > >
> > > Hello there,
> > >
> > > Can anyone supply me a copy of their ipchains log file.  I just
> > need an
> > > example of it to study.
> > >
> > > I am doing a project on linux firewall at Uni and I need to
> > understand the
> > > way ipchains logs data for the admin to read
> > >
> > > Thanks in advance
> > >
> > > -----------------------------------------------
> > > FREE! The World's Best Email Address @email.com
> > > Reserve your name now at http://www.email.com
> 
> --
> =======================================================================
> Medi Montaseri, medi@prepass.com, 408-450-7114
> Prepass Inc, IT/Operations, Software Eng.
> =======================================================================
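
Added example, not part of John Sage's message or the quoted replies: a Python parser for the "Packet log:" entry shown in this thread, applying the thread's note that for PROTO=1 the two port slots hold the ICMP type and code. The readings of L, S, I, F and T (length, TOS, IP ID, fragment field, TTL) and the optional SYN marker come from ipchains' documented log format rather than from the thread, and the second sample line is constructed.

```python
import re

# One ipchains "Packet log:" entry, as the kernel writes it to syslog.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"  # SYN marker and rule number are optional
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_packet_log(line):
    """Return a dict for an ipchains log line, or None if it is not one."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    f = m.groupdict()
    proto = int(f["proto"])
    rec = {
        "chain": f["chain"], "target": f["target"], "iface": f["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": f["src"], "dst": f["dst"],
        "length": int(f["length"]), "tos": int(f["tos"], 16),
        "ip_id": int(f["ip_id"]), "frag": int(f["frag"], 16),
        "ttl": int(f["ttl"]), "syn": f["syn"] is not None,
        "rule": int(f["rule"]) if f["rule"] else None,
    }
    if proto == 1:
        # For ICMP the two "port" slots carry the ICMP type and code.
        rec["icmp_type"], rec["icmp_code"] = int(f["sport"]), int(f["dport"])
    else:
        rec["sport"], rec["dport"] = int(f["sport"]), int(f["dport"])
    return rec

# The entry quoted in this thread, with the mail client's line wraps removed.
THREAD_LINE = ("Feb 13 17:41:19 sparky kernel: Packet log: input DENY ppp0 PROTO=1 "
               "209.155.224.130:8 12.82.134.181:0 L=84 S=0x00 I=12573 F=0x0000 T=51 (#34)")
# Constructed sample (documentation addresses), not taken from the thread.
CONSTRUCTED_TCP = ("Feb 13 17:42:02 sparky kernel: Packet log: input DENY ppp0 PROTO=6 "
                   "192.0.2.10:4021 198.51.100.7:23 L=60 S=0x00 I=4711 F=0x4000 T=52 SYN (#12)")

if __name__ == "__main__":
    other = "Feb 13 17:43:00 sparky kernel: eth0: link up"  # constructed non-match
    for line in (THREAD_LINE, CONSTRUCTED_TCP, other):
        print(parse_packet_log(line))
```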
