Logging

Chris Brenton cbrenton at chrisbrenton.org
Thu Aug 11 22:54:29 CEST 2005


On Thu, 2005-08-11 at 11:49, Svenne Krap wrote:
>
> Is there some way to get netfilter to collect rule hits (like with no -j 
> clause) for each port/ip-address individually within a range ?
> Other than creating thousands of lines of rules and adding them to my 
> "firewall-startup" script (which is currently slightly less than 80 rules).

Have LogWatch process the /var/log/message file and produce a medium
level detail report. You'll get output similar to the following:

Dropped 603 packets on interface eth3
  From 4.78.20.2 - 12 packets to udp(53)
  From 12.120.1.21 - 10 packets to tcp(4355,10045,12579,17520,18552,36906,53249,54319,58702,62703)
  From 12.120.1.22 - 9 packets to tcp(4063,11107,13063,30538,37001,40758,45575,48153,57370)
  From 12.130.62.16 - 24 packets to udp(53)
  From 60.26.129.15 - 8 packets to tcp(5554,9898,5554,9898,5554,9898,5554,9898)
  From 61.152.167.59 - 4 packets to tcp(22,22,22,22)
  From 61.221.58.212 - 4 packets to tcp(22,22,22,22)
  From 62.105.6.52 - 1 packet to icmp(0)

You can then further parse it as needed. You don't need a unique log
rule for each port and/or IP. LogWatch will sort it all out for you. 

HTH,
Chris
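As an added illustration (not part of the thread and not LogWatch's own code), the aggregation Chris describes can be reproduced straight from the kernel's netfilter LOG lines: this Python pulls the IN=/SRC=/PROTO=/DPT= fields out of each line and groups hits per interface, source address and port, which is why a single LOG rule covering the whole range is enough. The sample log, the "DROP:" --log-prefix and the addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of netfilter LOG lines; "DROP:" is an assumed --log-prefix, addresses are made up.
SAMPLE_LOG = """\
Aug 11 22:50:01 fw kernel: DROP: IN=eth3 OUT= SRC=4.78.20.2 DST=10.0.0.1 LEN=60 TTL=50 PROTO=UDP SPT=1234 DPT=53 LEN=40
Aug 11 22:50:02 fw kernel: DROP: IN=eth3 OUT= SRC=4.78.20.2 DST=10.0.0.1 LEN=60 TTL=50 PROTO=UDP SPT=1235 DPT=53 LEN=40
Aug 11 22:50:03 fw kernel: DROP: IN=eth3 OUT= SRC=61.152.167.59 DST=10.0.0.1 LEN=60 TTL=50 PROTO=TCP SPT=4000 DPT=22 WINDOW=5840 SYN
Aug 11 22:50:04 fw kernel: DROP: IN=eth3 OUT= SRC=62.105.6.52 DST=10.0.0.1 LEN=84 TTL=50 PROTO=ICMP TYPE=0 CODE=0
Aug 11 22:50:05 fw kernel: DROP: IN=eth0 OUT= SRC=192.168.1.9 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=5000 DPT=8080 SYN
Aug 11 22:50:06 fw sshd[123]: Accepted publickey for root from 10.0.0.5
"""

FIELD = re.compile(r"\b(IN|SRC|PROTO|DPT|TYPE)=(\S*)")

def parse_line(line):
    """Return (iface, src, proto, port) for a netfilter LOG line, else None."""
    f = dict(FIELD.findall(line))
    if any(k not in f for k in ("IN", "SRC", "PROTO")):
        return None  # not a packet log line (e.g. the sshd entry)
    proto = f["PROTO"].lower()
    # TCP/UDP carry a destination port; ICMP carries a type instead.
    port = f.get("DPT", "") if proto in ("tcp", "udp") else f.get("TYPE", "")
    return f["IN"], f["SRC"], proto, port

def summarize(log_text):
    """Aggregate hits as interface -> source IP -> protocol -> list of ports."""
    report = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            iface, src, proto, port = rec
            report[iface][src][proto].append(port)
    return report

def render(report):
    """Format the summary in the LogWatch-style layout quoted in the post."""
    pl = lambda n: "packet" if n == 1 else "packets"
    out = []
    for iface, sources in sorted(report.items()):
        total = sum(len(p) for s in sources.values() for p in s.values())
        out.append(f"Dropped {total} {pl(total)} on interface {iface}")
        for src in sorted(sources, key=ipaddress.ip_address):
            for proto, ports in sorted(sources[src].items()):
                out.append(f"  From {src} - {len(ports)} {pl(len(ports))} "
                           f"to {proto}({','.join(ports)})")
    return "\n".join(out)
```

Run it against the real file with `render(summarize(open("/var/log/messages").read()))`; the per-port lists can then be counted or filtered however the question above needs.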
