[Firehol-support] psad and firehol

Costa Tsaousis costa at tsaousis.gr
Mon Dec 29 21:48:10 GMT 2003 

This is normal since the default rules have not been removed. The rules
I sent you "overwrite" the defaults because they appear just before
them. This means that although psad complains, it should work as
expected now. Does it?

Note: I noticed in psad documentation that it might require a space
after the log prefix. Please replace "DROP" in the rules I sent you with
"DROP ".

Run a check to see if the rules I sent you allow psad to work as
expected, and if they do just add --no-fwcheck to psad to prevent the
psad alarm about the possibility of a miss-configured firewall from
being sent to you.

Costa

On Δευ, 2003-12-29 at 21:24, Jerome BENOIT wrote:
> Thanks for your reply:
> I have just try it,
> and unfortunaltely I get the same email message from
> psad.
> 
> Jerome
> 
> Costa Tsaousis wrote:
> > At the end of each interface add:
> > 
> >     server any psad drop log "DROP"
> > 
> > At the end of all interfaces add:
> > 
> > interface any psad
> >     server any psad drop log "DROP"
> > 
> > 
> > At the end of all routers add:
> > 
> > router psad
> >     server any psad drop log "DROP"
> > 
> > 
> > These will overwrite the default DROP rules added by FireHOL.
> > 
> > Costa
> > 
> > On Παρ, 2003-12-26 at 22:58, Jerome BENOIT wrote:
> > 
> >>Hello List,
> >>
> >>I have just written down my first FireHOL script:
> >>my first trouble comes from psad: it emails the message:
> >>
> >>  ** The INPUT chain in the iptables ruleset on _CHANGEME_ includes a
> >>     default LOG rule for all protocols, but the rule does not have a log
> >>     prefix of "DROP".  It appears as though the log prefix is set to
> >>     "IN-unknown:".  psad will not be able to detect scans without adding
> >>     --log-prefix "DROP" to the rule.
> >>
> >>
> >>I have try to put the following line to my script:
> >>
> >>FIREHOL_LOG_OPTIONS="--log-prefix \"DROP\""
> >>
> >>but I get an error message saying that iptable does not support
> >>twice the same option.
> >>
> >>Is there a clean to satisfy psad ?
> >>
> >>Thanks inadvance,
> >>Jerome
> >>
> >>PS:
> >>Please CC your reponse to my email address
> >>as I am not a memeber the list, thanks.
> >>
> >>
> >>

More information about the Firehol-support mailing list