Changing APF log for TCP/UDP drops Published: Aug 27, 2004
If you're tired of seeing your /var/log/messages log file full of dropped traffic from the APF firewall, then we have a solution! We'll create a separate log file for TCP/UDP INPUT/OUTPUT drops, which will leave your messages log nice and clean for easy browsing!

Requirements:

APF Firewall 0.9.3 or above. It may work on previous versions, but we haven't tested them. If you're using an older version you should upgrade anyway. Install APF by following our firewall tutorial.

Changing APF’s configuration:

1) Login to your server and su to root shell.

2) Create a new log file just for the TCP/UDP output/drops from APF.
touch /var/log/iptables

Set user permissions to restrict access.
chmod 600 /var/log/iptables

3) Change the syslog so it will tell iptables to use your new log file.
First let's make a backup to be safe:
cp /etc/syslog.conf /etc/syslog.conf.bak

pico /etc/syslog.conf

4) Add the following line at the bottom. Put a tab, not spaces, between the selector and the file name: older syslogd builds may not parse a line separated by spaces. The selector kern.=debug matches kernel messages at exactly the debug priority, which is why the --log-level debug rules added in step 7 end up in this file rather than in /var/log/messages (whose usual selector, *.info, does not accept debug). Any other kernel messages logged at debug priority will land in this file as well.

# Send iptables LOGDROPs to /var/log/iptables
kern.=debug /var/log/iptables

5) Save the changes: Ctrl + X, then Y.

6) Reload the syslogd service for the change to take effect.
/sbin/service syslog reload

7) Open APF and edit the firewall configuration.
First let's make a backup to be safe:
cp /etc/apf/firewall /etc/apf/firewall.bak

pico /etc/apf/firewall

Find the following: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
        $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_TCP DROP ** "
        $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
        $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
        $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug

Find the following one more time: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
        $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_TCP DROP ** "
        $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
        $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
        $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug


8) Save the changes to firewall.
Ctrl + X then Y

9) Restart apf for the changes to take effect.

/etc/apf/apf -r

10) Make sure the new log file is getting written to:
tail -f /var/log/iptables

You should see things like:

Aug 27 15:48:31 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=192.168.1.1 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57369 PROTO=UDP SPT=4593 DPT=28000 LEN=14
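Once drops are flowing into the dedicated file, the next question is what they tell you. The following is an added example (not code from the article or from APF): a small shell/awk summariser that parses the KEY=VALUE fields of the kernel LOG line format shown above and counts drops per source, protocol and destination port, plus a helper that lists sources over a drop threshold. It assumes the line format above; it works whether or not a "** IN_UDP DROP **" prefix precedes the fields, so it fits both the article's replacement rules and rules that keep --log-prefix. The sample log lines below are constructed for the example (documentation addresses, made-up timestamps).

```shell
#!/bin/sh
# Added example, not part of the original article or of APF.
# Summarises dropped packets from the dedicated iptables log.
set -eu

# Print "count SRC PROTO DPT" lines, busiest first. Lines without a PROTO=
# field (for example ordinary kernel debug chatter that shares the
# kern.=debug selector) are ignored. Tokens without "=" (DF, SYN, the
# --log-prefix words) are skipped by the parser.
summarize_drops() {
    awk '
        /PROTO=/ {
            src = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            count[src " " proto " " dpt]++
        }
        END { for (key in count) print count[key], key }
    ' "$1" | sort -rn -k1,1
}

# Sources whose drop count for any (proto, port) reaches the threshold:
# a simple "noisy neighbour" check to run before deciding on a deny rule.
noisy_sources() {
    summarize_drops "$1" | awk -v t="$2" '$1 >= t { print $2 }' | sort -u
}

# Constructed sample log for the demo (not real traffic).
DEMO_LOG=$(mktemp)
cat > "$DEMO_LOG" <<'EOF'
Aug 27 15:48:31 fox kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57369 PROTO=UDP SPT=4593 DPT=28000 LEN=14
Aug 27 15:48:32 fox kernel: ** IN_UDP DROP ** IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57370 PROTO=UDP SPT=4593 DPT=28000 LEN=14
Aug 27 15:48:33 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57371 PROTO=UDP SPT=4593 DPT=28000 LEN=14
Aug 27 15:48:40 fox kernel: ** IN_TCP DROP ** IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 15:48:41 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 27 15:48:45 fox kernel: some unrelated kernel debug message
EOF

summarize_drops "$DEMO_LOG"
echo "sources with 3 or more drops to one port: $(noisy_sources "$DEMO_LOG" 3)"
```

On a live box run it as summarize_drops /var/log/iptables; because the file is mode 600, that means root. The threshold check is deliberately crude (per source, protocol and port), which is enough to spot a single host hammering one closed port without hiding slow scans across many ports.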

Also check the messages log to make sure APF is no longer writing to it.
tail -f /var/log/messages
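Steps 2 to 8 above are a handful of file edits, and the comments below show how easy it is to get one of them slightly wrong. The script that follows is an added example (not the article's or APF's own code) that performs those edits as shell functions taking file paths, so they can be rehearsed on copies and re-run safely. It assumes a sysklogd-style syslog.conf and an APF firewall script containing the '-j LOG --log-prefix "** ... DROP ** "' rules quoted in the article (newer APF releases use different rule text, as the comments note, and the sed pattern would need adjusting). One deliberate difference from the article's replacement text: the patch keeps --log-prefix and adds --log-level debug beside it, since iptables accepts both on one LOG rule and the IN_TCP/OUT_UDP tags make the new log much easier to read. The demo data at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article or of APF itself.
# Applies the article's steps 2-8 to files given as arguments.
set -eu

# Step 2: create the dedicated log file, readable and writable by root only.
create_log_file() {
    [ -f "$1" ] || : > "$1"
    chmod 600 "$1"
}

# Steps 3-4: route kern.=debug to the new file. Older syslogd builds require
# a TAB between selector and action, so printf writes one explicitly. The
# rule is appended only once, which makes the function safe to re-run.
add_syslog_rule() {
    conf="$1"; log="$2"
    if grep -q "^kern\.=debug[[:space:]][[:space:]]*$log\$" "$conf"; then
        return 0
    fi
    cp "$conf" "$conf.bak"
    printf '# Send iptables LOGDROPs to %s\nkern.=debug\t%s\n' "$log" "$log" >> "$conf"
}

# Check for the "messages stays clean" promise: if a selector such as *.*,
# *.debug or kern.* already sends debug-priority kernel messages to
# /var/log/messages, the drops will be duplicated there. Returns 0 (true)
# when such a selector exists. Heuristic: looks at each selector in the line.
messages_catches_debug() {
    grep -v '^[[:space:]]*#' "$1" | grep '/var/log/messages' \
        | grep -Eq '(^|;)(\*|kern)\.(\*|=?debug)'
}

# Step 7: add --log-level debug to every DROP_LOG rule that lacks it,
# keeping --log-prefix. A .bak copy is written first, as in the article.
patch_apf_firewall() {
    fw="$1"
    cp "$fw" "$fw.bak"
    sed '/-j LOG --log-prefix "\*\* [A-Z_]* DROP \*\* "/{/--log-level/!s/-j LOG /-j LOG --log-level debug /;}' \
        "$fw" > "$fw.new"
    mv "$fw.new" "$fw"
}

# Number of LOG rules still without a log level; 0 means the patch is complete.
unpatched_log_rules() {
    grep -- '-j LOG --log-prefix' "$1" | grep -vc -- '--log-level' || true
}

# Demo on constructed copies; the fragments mirror the article's quotes.
demo_dir=$(mktemp -d)
DEMO_LOG="$demo_dir/iptables"
DEMO_SYSLOG="$demo_dir/syslog.conf"
DEMO_FW="$demo_dir/firewall"

printf '%s\n' '*.info;mail.none;authpriv.none;cron.none /var/log/messages' \
    'authpriv.* /var/log/secure' > "$DEMO_SYSLOG"
cat > "$DEMO_FW" <<'EOF'
if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
        $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_TCP DROP ** "
        $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_UDP DROP ** "
fi
if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
        $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_TCP DROP ** "
        $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_UDP DROP ** "
fi
EOF

create_log_file "$DEMO_LOG"
add_syslog_rule "$DEMO_SYSLOG" "$DEMO_LOG"
add_syslog_rule "$DEMO_SYSLOG" "$DEMO_LOG"   # second call is a no-op
patch_apf_firewall "$DEMO_FW"

echo "unpatched LOG rules left: $(unpatched_log_rules "$DEMO_FW")"
if messages_catches_debug "$DEMO_SYSLOG"; then
    echo "warning: /var/log/messages would still receive kern.debug"
fi
```

To apply it for real, become root with su - (Madlaker's comment below explains why plain su leaves ifconfig off the PATH and breaks the APF restart), then call create_log_file /var/log/iptables, add_syslog_rule /etc/syslog.conf /var/log/iptables and patch_apf_firewall /etc/apf/firewall, and finish with the reload and restart from steps 6 and 9. Running messages_catches_debug /etc/syslog.conf first tells you whether the messages file will actually stay clean on your syslog configuration.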

Final notes:
APF is written by R-fx Networks: http://www.rfxnetworks.com/apf.php

Written by Ramprage

Comments (11)

  • swampy 14:08, September 6, 2004
    I tried this tutorial on APF 0.9.4 and it does not work; I get errors when trying to restart APF. Good job I backed up the files first.
  • pixel 13:27, September 20, 2004
    Worked like a charm for me - thx!
  • ryan 22:17, September 21, 2004
    Great idea -- will review this for added internal feature.
  • vijay srivastava 20:58, September 22, 2004
    How do I remove APF from my server? Is there any uninstall procedure?
  • squalito 14:12, September 29, 2004
    I do not have exactly the same lines in my conf.apf.
    I have the latest version: Apf.0.9.4-6

    I replaced the existing lines:
    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** " --log-tcp-options --log-ip-options
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** " --log-ip-options
    else
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** "
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** "
    fi
    fi

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** " --log-tcp-options --log-ip-options
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** " --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** "
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** "
    fi
    fi

    with these lines:
    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug --log-tcp-options --log-ip-options
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug --log-ip-options
    else
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
    fi
    fi

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug --log-tcp-options --log-ip-options
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
    fi
    fi

    and everything is working fine

    Thanks for this article
    Squalito
  • rYno267 05:24, November 15, 2004
    When I do
    "tail –f /var/log/iptables"

    I get this: "tail: .f: No such file or directory
    ==> /var/log/iptables <==
    "

    Any ideas? Thanks.
  • Madlaker 20:24, December 4, 2004
    I get the same as Ryno above. I did a locate on iptables and there is no iptables under /var, let alone /var/logs.

    Is there another step we have to perform?

    Any ideas would be appreciated.
  • Madlaker 20:46, December 4, 2004
    Just an update..

    OK, simple solution.

    When you restarted the firewall, like me you probably got an error that you missed, like I did the first time:

    /etc/apf/apf: line 1: ifconfig: command not found

    This is because we are in the su environment instead of su -.

    1) Just type cd, then the Enter key,
    then su -, then the Enter key.

    2) Now type /etc/apf/apf -r and you shouldn't get that error.

    3) Now type tail -f /var/log/iptables and you should see all the dropped packets showing up.

    If you get any more errors, be sure to look through all the instructions above.
  • Dennis 00:41, January 7, 2005
    I have .9.4 of APF and the lines you say to replace are different in that version. For example, here is the first of the two changes I made:

    if [ "$DROP_LOG" == "1" ]; then
    # Default TCP/UDP INPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG -$
    $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG -$
    else

    As you see, the "if then else" parts are missing:

    if [ "$EXLOG" == "1" ]; then
    else

    I guessed that I should make the changes and leave these items in although you did not mention them.

    The second section I changed per your instructions is here:

    if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
    # Default TCP/UDP OUTPUT log chain
    if [ "$EXLOG" == "1" ]; then
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** " --log-tcp-option$
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** " --log-ip-options
    else
    $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** "
    $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** "
    fi

    But I am getting errors, so I suspect something isn't right.

    I need some help on this for sure.

    Thanks
  • Izzee 12:39, November 21, 2005
    ------------------------------------------
    DO NOT USE THIS TUTORIAL FOR APF VERSIONS HIGHER THAN 0.9.3
    ------------------------------------------

    Latest APF version 0.9.6-1
    /etc/apf/firewall
    has different $DROP_LOG entries to the ones above.
    Now called $LOG_DROP with completely different rules.
    No point in this tutorial now as it is obsolete.

    RAMPRAGE - This tutorial needs updating as a matter of urgency!!
  • webhost 20:26, January 15, 2006
    I've been meaning to ask this in the past but never have until now.

    I restarted APF and I get this:

    [/etc/apf]# ./apf -r
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.2.9: host/network `-' not found
    Try `iptables -h' or 'iptables --help' for more information.

    Any idea as to why I am getting this? I don't know about any host/network.

    Thanks for your help


Copyright © 1998-2024 WebHostGear.com