Bug 1028144
Summary: | No easy way to log dropped packets | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dominique Brazziel <sixerjman> |
Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 22 | CC: | asrv01, bloch, bmourelo, duarte.rocha, jpopelka, pcfe, peter.verthez, sam, sauchter, twoerner |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | firewalld-0.4.0-2.fc23 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-02-21 16:31:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dominique Brazziel
2013-11-07 18:38:23 UTC
This would also be needed to interwork with psad: it should be possible to add a -j LOG at the end of the INPUT chain, before the reject rule. Currently this is only possible by hacking the python scripts. Thanks for the direction tip (put it just before REJECT). It wasn't easy, (I took the long way around) but using some rules from the old 'firestarter' package on Debian I managed to wire up a new chain (IN_home_LSI - LSI for 'Log and Stop Input' - 'home' is my default zone) just before the REJECT target. Here was the sequence of commands (after testing without the '--permanent' flag): firewall-cmd --direct --permanent --add-chain ipv4 filter IN_home_LSI firewall-cmd --direct --permanent --add-rule ipv4 filter IN_home_LSI 0 -j LOG firewall-cmd --direct --permanent --passthrough ipv4 -I INPUT 7 -j IN_home_LSI Here is the resulting INPUT chain: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere INPUT_direct all -- anywhere anywhere INPUT_ZONES_SOURCE all -- anywhere anywhere INPUT_ZONES all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere IN_home_LSI all -- anywhere anywhere REJECT all -- anywhere anywhere reject-with icmp-host-prohibited It looks like it is logging packets that didn't get accepted using the rules set up in my IN_home_allow zone. Cleared out dmesg, then attempted to FTP (which is not allowed), and saw: IN=wlan0 <* yada yada yada MAC SRC DST yada yada yada *> DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0 Looks good. This also enables me to see that my router is hammering all the machines on my LAN with silly UDP packets for something called USBShare. I wouldn't have seen that without this facility and if I hadn't run TCPDUMP out of curosity a couple of days ago. Logging dropped packets shows a lot about unnecessary / bad traffic. I need to accept a given port or service for whitelisted sources only, which is trivial. Logging only rejected (or dropped) packets from other sources to the same port or service would be useful, but not easy. This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22 firewalld-0.4.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7 firewalld-0.4.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7 firewalld-0.4.0-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7 firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7 firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |