Following on from my early success at getting IPv6 running, I soon hit a significant issue: firewall logging.
Now this need not be a “blocker” for everyone, but I take my firewall logging duties quite seriously…!
shorewall IPv4 logging
Currently I have IPv4 shorewall configured to log not via the standard syslog mechanism, but instead via ulogd. This allows me to log firewall activity to an entirely separate set of log files very easily. It is absolutely not mandatory, but it’s neat and tidy. I then have fwlogwatch analyse the logs nightly and automatically email the interesting bits to me for occasional checking.
To enable this I have appropriate pointers to use of ULOG in shorewall’s policy and rules files as follows:
policy:
ext all DROP ULOG
and, for example:
ACCEPT:ULOG all fwall 47
One then has an appropriate config in /etc/ulogd.conf to file things where you want them.
shorewall6 IPv6 logging
The syslog option I specifically did not want, so I decided I’d better find out about nflog (Net Filter Log). It turns out that nflog is actually more commonly referred to as ulogd2, and is a dramatically enhanced version of the original ulog. In fact it’s so different that it is, for all practical purposes, an entirely different thing. Trying to relate ulog to ulogd2 is a pretty futile exercise. Work on the basis that they are unrelated and it’ll prove less frustrating.
Anyway, the learning curve with ulogd2 was a bit steep, but it turns out to be a very neat product. Here I will present some key points that should help you to get it up, running and integrated on a Ubuntu system. Oh, and it’s not available as a pre-built package… Sorry – didn’t I mention that?
Implementing NFLOG (aka ulogd2) on a Ubuntu firewall
The first step to follow is to get hold of the ulogd2 source tree and build it. I worried that this would take me some time, but found a tremendously helpful article someone had already written which aided me a lot. (Thank you Pollux!)
- I’d suggest leaving the build PREFIX unspecified (i.e. default) so it will ultimately install in the /usr/local/ hierarchy. This means you can get it all working in parallel with an existing ulogd installation – much cleaner and safer!
- Since we want to emulate ulogd only insofar as we are able to log to a disk file, disable any of the Postgres or MySQL build options to make things more compact and simple (unless of course you want to make use of these neat new features within ulogd2!)
- Much of the article referenced assumes that you will be logging to a database – keep it simple for now and ignore that.
ulogd2 config highlights
- IPv6 to be logged to one file
- IPv4 to be logged to another file (this used to be done using the original ulogd)
plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu4:LOGEMU
stack=log6:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu6:LOGEMU

# Using log4 for IPv4
[log4]
group=4
numeric_label=4

# Using log6 for IPv6
[log6]
group=6
numeric_label=6

# IPv4
[emu4]
file="/var/log/firewall/nflog4.log"
sync=1

# IPv6
[emu6]
file="/var/log/firewall/nflog6.log"
sync=1
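Once the LOGEMU output above is landing in nflog6.log, the obvious next step is a nightly summary of what was dropped. The following is an added example (not from the original post, and not fwlogwatch) that parses the key=value packet records the PRINTPKT/LOGEMU plugins write, collapses expanded IPv6 source addresses to their /64 and counts records per source network and per protocol/port; the sample lines, hostname and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample records in the key=value style that ulogd2's PRINTPKT and
# LOGEMU plugins write (hostname and addresses made up, not taken from the post).
SAMPLE_NFLOG6 = """\
Mar  3 01:12:07 fwall  IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 01:12:09 fwall  IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Mar  3 01:12:11 fwall  IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8::2 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Mar  3 01:13:00 fwall  IN=eth1 OUT= SRC=fe80::9 DST=ff02::1 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=134 CODE=0
this line is not a packet record and must be skipped
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one LOGEMU-style line, or None when the
    line has no SRC/DST pair and so is not a packet record."""
    fields = dict(KV_RE.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None

def source_net(addr, prefixlen=64):
    """Map a logged source to its /64. LOGEMU may print IPv6 fully expanded,
    so normalise through ipaddress first; unparseable tokens are kept raw."""
    try:
        return str(ipaddress.ip_interface(f"{addr}/{prefixlen}").network)
    except ValueError:
        return addr

def summarise(text):
    """Count packet records per source /64 and per (PROTO, DPT or ICMPv6 TYPE),
    the two tables a nightly report of dropped IPv6 traffic most needs."""
    per_net, per_target = Counter(), Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        per_net[source_net(f["SRC"])] += 1
        proto = f.get("PROTO", "?")
        # TCP/UDP records carry a destination port; ICMPv6 carries a TYPE
        detail = f.get("DPT") if proto in ("TCP", "UDP") else f.get("TYPE")
        per_target[(proto, detail)] += 1
    return dict(per_net), dict(per_target)
```

Grouping by /64 rather than by address keeps a host that rotates IPv6 privacy addresses in one row of the report.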
Changes to shorewall configs
So my (very very over-logged – but then my IPv6 is still at the experimental stage…!) policy file is now:
#Source Dest Policy Log Burst/Limit
fwall all DROP NFLOG(6)
int all DROP NFLOG(6)
ext all DROP NFLOG(6)
all all DROP NFLOG(6)
and the rules file has, for example:
ACCEPT:NFLOG(6) ext fwall ipv6-icmp
ACCEPT:NFLOG(6) fwall ext ipv6-icmp
shorewall (IPv4) changes
And over in my IPv4 shorewall I just changed any reference to ULOG to read NFLOG(4), for example, where policy previously read:
office all DROP ULOG
it now reads:
office all DROP NFLOG(4)