Re: Fw: Re[2]: FW: Linux server as it own firewall

From: Jeff Schaller (schaller@freeshell.org)
Date: 09/17/01


Date: Mon, 17 Sep 2001 12:41:08 +0000 (UTC)
From: Jeff Schaller <schaller@freeshell.org>
To: Michael Peddemors <michael@linuxmagic.com>
Subject: Re: Fw: Re[2]: FW: Linux server as it own firewall
Message-ID: <Pine.NEB.4.33.0109171231430.12630-100000@sdf.lonestar.org>

On 16 Sep 2001, Michael Peddemors wrote:

> > 4. no logging.
>
> HUH??? OF course you HAVE to have logging. Only problem is
> that your logfiles are limited in size, because they are all
> in RAM.

This is what I've struggled with.

Logging is of course required for IDSs.
Logging takes space (either locally or remote).
Logging can be DoS'd (fill the pipe with packets that get logged).
Logging assumes that you'll do something with it.
The firewall will be default-deny, so logging denied packets
doesn't add anything to the defense.
I'm not going to chase down (upstream) people who are either
actively scanning/attacking or who appear to be compromised.

So I guess I'm looking for reasons to convince me that I should
log stuff.

I'm prepared to log most everything initially, just to
double-check that my rules are doing what I expect. After that,
I'll trim the logging down to just what's "interesting", for
some stringent definition of "interesting".

Systems Administrator <sysadmin@sunet.com.au> writes:
> What about to a logging host?

This is a possibility, but would mean:
1. modifying an existing box or setting up a syslog box
2. opening the syslog port
3. configuring syslog to accept remote logs
4. setting up rules on the syslog box to only allow traffic from
the firewall
5. poking rules in the firewall to allow syslog out
6. watching the syslog box (set up swatch or similar program)
7. reading the output from the log monitor program
8. doing something with the output other than deleting it

Granted, many of the steps are simple, but do I really like the
conclusion?

I suppose it feels a bit like I'm shirking my internet
responsibilities by not logging traffic that hits my firewall, but
I'll justify it by saying that this firewall is just defending my
home PC. Corporations or others with a larger 'net presence have
more data to correlate and more resources to protect.

-jeff

--
Ineptitude: If you can't learn to do something well, learn to enjoy
doing it poorly.
http://www.despair.com
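One way to make the "trim the logging down to just what's interesting" step from the message above concrete, as an added example that is not part of Jeff's post and is not code from swatch or any other tool named in the thread: a small swatch-style triage script that reads iptables LOG lines, drops the ordinary default-deny noise, and reports only two things worth acting on, a port scan (one source hitting several distinct destination ports) and a spoofed private source address arriving on the outside interface. It assumes the firewall logs denials with `-j LOG --log-prefix "FW-DENY: "` (an assumed prefix), that eth0 is the external interface, and the thresholds shown; the sample log lines are constructed for the example.

```python
"""Swatch-style triage of iptables LOG lines: keep the interesting denials.

Constructed example, not code from the original message or from swatch.
Assumptions: denied packets are logged with `-j LOG --log-prefix "FW-DENY: "`,
eth0 is the external interface, and the thresholds below are illustrative.
"""
import ipaddress
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=VALUE tokens of the LOG target
EXTERNAL_IF = "eth0"                          # assumed external interface
SCAN_DISTINCT_PORTS = 5                       # distinct DPTs from one SRC => scan
MAX_ALERTS_PER_SRC = 3                        # cap so one flooder can't swamp us
NOISE_PORTS = {137, 138, 139, 445}            # NetBIOS/SMB background noise
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a private (RFC 1918) IPv4 address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse(line):
    """Return the KEY=VALUE fields of a firewall denial line, else None."""
    if "FW-DENY:" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    return rec if "SRC" in rec else None


def triage(lines):
    """Classify denial lines; return alerts plus ignored/suppressed counts."""
    ports_seen = defaultdict(set)     # SRC -> distinct destination ports
    alerts_per_src = defaultdict(int)
    scanned = set()                   # sources already reported as scanners
    alerts, ignored, suppressed = [], 0, 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                  # not a firewall line at all
        src = rec["SRC"]
        dpt = int(rec["DPT"]) if rec.get("DPT", "").isdigit() else None
        kind = None
        if rec.get("IN") == EXTERNAL_IF and is_rfc1918(src):
            kind = "spoofed-source"   # private source on the outside interface
        elif dpt is not None:
            if dpt in NOISE_PORTS:
                ignored += 1          # expected Internet background noise
                continue
            ports_seen[src].add(dpt)
            if len(ports_seen[src]) >= SCAN_DISTINCT_PORTS and src not in scanned:
                scanned.add(src)
                kind = "portscan"
        if kind is None:
            ignored += 1              # an ordinary default-deny drop
            continue
        if alerts_per_src[src] >= MAX_ALERTS_PER_SRC:
            suppressed += 1           # per-source cap on the alert channel
            continue
        alerts_per_src[src] += 1
        alerts.append((kind, src, dpt))
    return {"alerts": alerts, "ignored": ignored, "suppressed": suppressed}


def _deny(src, dst, proto, spt, dpt, iface="eth0"):
    """Build one constructed log line in the netfilter LOG target's format."""
    return (f"Sep 17 12:41:08 gw kernel: FW-DENY: IN={iface} OUT= SRC={src} "
            f"DST={dst} LEN=40 TTL=48 PROTO={proto} SPT={spt} DPT={dpt}")


# Constructed sample: a port scan, NetBIOS noise, spoofed packets, one
# unrelated syslog line and a single stray connection attempt.
SAMPLE_LOG = (
    [_deny("203.0.113.7", "192.0.2.5", "TCP", 40000 + i, p)
     for i, p in enumerate((21, 22, 23, 25, 80, 110))]
    + [_deny("198.51.100.9", "192.0.2.5", "UDP", 137, 137),
       _deny("198.51.100.9", "192.0.2.5", "TCP", 1025, 445)]
    + [_deny("10.0.0.1", "192.0.2.5", "UDP", 53, 53)] * 5
    + ["Sep 17 12:41:09 gw sshd[123]: Accepted publickey for jeff from 192.0.2.9"]
    + [_deny("198.51.100.22", "192.0.2.5", "TCP", 51234, 3306)]
)

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, src, dpt in result["alerts"]:
        print(f"ALERT {kind:<15} src={src} dpt={dpt}")
    print(f"ignored={result['ignored']} suppressed={result['suppressed']}")
```

On the sample input this yields one port-scan alert and three spoofed-source alerts, with the remaining denials counted as ignored or suppressed. The per-source cap only protects the alert channel on the monitoring side; it does nothing about the "fill the pipe with packets that get logged" problem, because the kernel has already written those lines. That has to be bounded in the firewall rule itself, for example with the iptables `limit` match on the LOG rule, so that a flood costs bounded log space whether the logs live in RAM or on a syslog host.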
