Following on from my early success at getting IPv6 running, I soon hit a significant issue: firewall logging.
Now this need not be a “blocker” for everyone, but I take my firewall logging duties quite seriously…!
shorewall IPv4 logging
Currently I have IPv4 shorewall configured to log not using the standard syslog mechanism, but instead to use ulogd. This allows me to log firewall activity to an entirely separate set of log files very easily. It is absolutely not mandatory, but it’s neat and tidy. I then have fwlogwatch analyse the logs nightly and automatically email the interesting bits to me for occasional checking.
To enable this I have appropriate pointers to use of ULOG in shorewall’s policy and rules files as follows:
policy:
ext    all    DROP    ULOG
...
and, for example:
rules:
ACCEPT:ULOG    all    fwall    47
...
One then has an appropriate config in /etc/ulogd.conf to file things where you want them.
shorewall6 IPv6 logging
Over in shorewall6 there are two logging options available:
- syslog
- nflog
The syslog option I specifically did not want, so I decided I’d better find out about nflog (Net Filter Log). It turns out that nflog is actually more commonly referred to as ulogd2, and is a dramatically enhanced version of the original ulog. In fact it’s so different that it is, for all practical purposes, an entirely different thing. Trying to relate ulogd to ulogd2 is a pretty futile exercise. Work on the basis that they are unrelated and it’ll prove less frustrating.
Anyway, the learning curve with ulogd2 was a bit steep, but it turns out to be a very neat product. Here I will present some key points that should help you to get it up, running and integrated on an Ubuntu system. Oh, and it’s not available as a pre-built package… Sorry – didn’t I mention that?
Implementing NFLOG (aka ulogd2) on an Ubuntu firewall
The first step to follow is to get hold of the ulogd2 source tree and build it. I worried that this would take me some time, but found a tremendously helpful article someone had already written which aided me a lot. (Thank you Pollux!)
- I’d suggest leaving the build PREFIX unspecified (i.e. default) so it will ultimately install in the /usr/local/ hierarchy. This means you can get it all working in parallel with an existing ulogd installation – much cleaner and safer!
- Since we want to emulate ulogd only in so far as we are able to log to a disk file, disable any of the Postgres or MySQL build options to make things more compact and simple (unless of course you want to make use of these neat new features within ulogd2!).
- Much of the article referenced assumes that you will be logging to a database – keep it simple for now and ignore that.
ulogd2 config highlights
What I wanted was:
- IPv6 to be logged to one file
- IPv4 to be logged to another file (this used to be done using the original ulogd)
plugins section
plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"
stacks section
# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU
log section
# Using log4 for IPv4
[log4]
group=4
numeric_label=4

# Using log6 for IPv6
[log6]
group=6
numeric_label=6
log-specific sections
# IPv4
[emu4]
file="/var/log/firewall/nflog4.log"
sync=1

# IPv6
[emu6]
file="/var/log/firewall/nflog6.log"
sync=1
Changes to shorewall configs
shorewall6 additions
So my (very very over-logged – but then my IPv6 is still at the experimental stage…!) policy file is now:
#Source     Dest       Policy      Log       Burst/Limit
fwall       all        DROP        NFLOG(6)
int         all        DROP        NFLOG(6)
ext         all        DROP        NFLOG(6)
all         all        DROP        NFLOG(6)
and in the rules file:
ACCEPT:NFLOG(6)    ext      fwall    ipv6-icmp
ACCEPT:NFLOG(6)    fwall    ext      ipv6-icmp
shorewall (IPv4) changes
And over in my IPv4 shorewall I just changed any reference to ULOG to read NFLOG(4), for example, where policy previously read:
office all DROP ULOG
it now reads:
office all DROP NFLOG(4)
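The one coupling that has to be right for any of this to produce output is the group number: NFLOG(6) in shorewall6 becomes --nflog-group 6 in ip6tables, which must match group=6 in the [log6] section that feeds emu6, otherwise packets are logged to a group nobody collects and simply vanish. As an added example (not part of the original post), this Python cross-checks a ulogd.conf against ip6tables-save output, both constructed here, and reports the groups the firewall logs to that no ulogd2 stack collects:

```python
"""Cross-check NFLOG group numbers between ulogd2 config and ip(6)tables rules."""
import re

# Constructed ulogd.conf fragment, same shape as the sections in the post.
ULOGD_CONF = """
[global]
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU
[log4]
group=4
[log6]
group=6
[emu4]
file="/var/log/firewall/nflog4.log"
[emu6]
file="/var/log/firewall/nflog6.log"
"""

# Constructed ip6tables-save excerpt; the second rule uses group 16 by mistake.
IP6TABLES_SAVE = """
-A ext-fw -p ipv6-icmp -j NFLOG --nflog-prefix "Shorewall:ext-fw:ACCEPT:" --nflog-group 6
-A int2all -j NFLOG --nflog-prefix "Shorewall:int2all:DROP:" --nflog-group 16
"""

def parse_ulogd(conf):
    """Return {nflog_group: output_file} for every NFLOG -> LOGEMU stack."""
    def option(section, key):  # value of key= inside [section], quotes stripped
        m = re.search(rf'\[{section}\][^\[]*?^{key}="?([^"\n]+)', conf, re.M | re.S)
        return m.group(1) if m else None
    groups = {}
    for stack in re.findall(r"^stack=(.+)$", conf, re.M):
        parts = dict(p.split(":") for p in stack.split(","))  # instance -> plugin
        inputs = [n for n, t in parts.items() if t == "NFLOG"]
        outputs = [n for n, t in parts.items() if t == "LOGEMU"]
        if inputs and outputs:
            groups[int(option(inputs[0], "group"))] = option(outputs[0], "file")
    return groups

def rule_groups(saved_rules):
    """Return the set of --nflog-group numbers referenced by saved rules."""
    return {int(g) for g in re.findall(r"--nflog-group (\d+)", saved_rules)}

def unlogged_groups(conf, saved_rules):
    """Groups the firewall logs to that no ulogd2 stack collects: lost logs."""
    return sorted(rule_groups(saved_rules) - set(parse_ulogd(conf)))

if __name__ == "__main__":
    print(parse_ulogd(ULOGD_CONF))                      # {4: '...nflog4.log', 6: '...nflog6.log'}
    print(unlogged_groups(ULOGD_CONF, IP6TABLES_SAVE))  # [16]
```

On a live box, feed it the real /etc/ulogd.conf (or the /usr/local one) and the output of ip6tables-save and iptables-save.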
Update: with ulogd2 STILL beta, you are still required to build it yourself. To make matters even a touch more complicated, the latest beta4 of ulogd2 required the latest and greatest libnetfilter_log to be built and installed also (i.e. libnetfilter_log >= 1.0). Also the newest libnetfilter_conntrack…
The sooner ulogd2 goes mainstream and is available as a binary build in distros the better!
Thanks a lot for this post, it’s easy to understand and well written.
Some advice for people who, like me, are copy-pasting from this page: do note that the double-quotes in log-specific sections need to be replaced after you paste them. ” is different from " 🙂
Thanks!! I will check that – that’s exactly the sort of feedback I like – if someone doesn’t mention it I wouldn’t think to check. 🙂
Now fixed! Thanks again.