USE FIRELOGD TO ANALYZE YOUR FIREWALL

Firewalls are useful and needed, and now, with the versatility of iptables, organizations are using more Linux-based firewalls every day. If properly configured, firewalls can keep the bad guys out; still, it may be helpful to know what kinds of attacks your firewall prevents. To this end, some third-party tools, such as Firelogd, exist to help you analyze your firewall logs.

Firelogd is a simple application that watches your log files for suspicious firewall messages. You can run Firelogd two ways: against a written log file to report on its contents or in daemon mode to continuously scan the contents of the log file, usually /var/log/messages.

When running Firelogd, you specify the buffer size, which tells Firelogd how many entries to wait for before mailing the logs to the chosen recipient. By default, this number is 10; that may, however, be too small, because even a simple nmap scan can trigger a flood of e-mails. A setting of 50 or 100 is more appropriate. You can also customize the template that Firelogd uses for its e-mail messages and specify an alternate log file to scan.

The e-mail messages that Firelogd sends are quite comprehensive. For each rejected or logged packet they identify the date and time, the name of the chain responsible for the action taken on the packet, the input interface, the packet's TTL, the destination IP and port the packet was sent to, and the IP of the sending system.
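As an added illustration (not Firelogd's own code), the following Python script does the core of what the tool is described as doing: it parses iptables LOG lines in the standard kernel-log format, skips unrelated syslog lines, buffers entries up to a threshold that plays the role of Firelogd's buffer size, and then produces a report carrying the fields listed above. The log lines are constructed samples using documentation address ranges, and treating the iptables --log-prefix as the chain name is an assumption.

```python
import re

# Standard syslog + iptables LOG layout: "<date> <host> kernel: [prefix ]IN=... SRC=... DST=... TTL=... DPT=..."
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*?)(IN=.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # key=value pairs; bare flags like SYN/DF are skipped

def parse_iptables_line(line):
    """Return the fields the report needs, or None if the line is not a firewall log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(4)))
    return {
        "time": m.group(1),
        # Assumption: the --log-prefix names the chain, e.g. "INPUT-DROP: " -> "INPUT-DROP".
        "chain": m.group(3).strip().rstrip(":") or "(no prefix)",
        "iface": fields.get("IN", ""),
        "ttl": fields.get("TTL", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": fields.get("DPT", ""),
    }

def format_report(entries):
    """Render buffered entries as the body of one notification message."""
    lines = [f"{len(entries)} firewall events"]
    for e in entries:
        lines.append(f"{e['time']} chain={e['chain']} in={e['iface']} ttl={e['ttl']} "
                     f"{e['src']} -> {e['dst']}:{e['dport']}/{e['proto']}")
    return "\n".join(lines)

class FirewallLogBuffer:
    """Collect parsed entries; hand back a report (and reset) once `threshold` entries are queued."""
    def __init__(self, threshold=50):
        self.threshold = threshold
        self.entries = []

    def add(self, line):
        entry = parse_iptables_line(line)
        if entry is None:
            return None
        self.entries.append(entry)
        if len(self.entries) >= self.threshold:
            report, self.entries = format_report(self.entries), []
            return report  # caller would mail this, as Firelogd does
        return None

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LOG = [
    "Mar  3 14:02:11 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  3 14:02:12 gw sshd[1234]: Accepted publickey for admin from 192.0.2.5",
    "Mar  3 14:02:13 gw kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=40124 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]
```

Feeding the lines of /var/log/messages to `FirewallLogBuffer.add` in a loop, with a threshold of 50 or 100, reproduces the batching behaviour the text recommends.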

Firelogd is configurable via the configuration file /etc/firelog.conf, where a number of options can be set.

http://www.speakeasy.org/~roux/dmn/