[Firehol-support] Disabling logging of certain packets and client restrictions
costa at tsaousis.gr
Sat Apr 23 13:10:47 BST 2005
1. You can restrict outgoing connections for all local users except
certain ones. For example:
client http accept user root
will allow outgoing web sessions only for root. Check the documentation.
You can allow traffic for users, groups, UNIX session IDs, process IDs,
specific commands, etc.
2. You can drop any service you like, and if you don't 'log' or 'loglimit'
it, it will not be logged. This however checks both source and destination
ports, so that if traffic is spoofed to come from illegal ports it will be
logged. If you want to drop all traffic for certain ports, you can define
something like this:
and drop 'badsmtp'. This will ignore client ports, so that anything going
to your tcp/25 port will be logged.
On production systems, I suggest using ULOGD, not the standard syslog.
This has much more power than syslog and once ULOGD is installed and
running, the only thing needed to use it is to put:
at the top of firehol.conf
On Sat, April 23, 2005 1:58, Rick Marshall said:
> that would be good because we get a lot of ms chatter from pc's on the class
> public network that our adsl connects to.
> Marcus Williams wrote:
>>I've had firehol running on a server for some time and it's working great
>>but there are two things I'd like to do:
>>1) restrict outgoing connections (but still be able to send mail/dns etc)
>>2) disable logging of the ms backscatter I get on the subnet my machine
>>is on (so ignore packets to 135/445 etc rather than logging the blocked
>>I know how to do (1) in that presumably instead of having "client all"
>>I'll just have a set of client lines that allow the machine to do smtp
>>(it's an MX for a number of domains and needs to be able to send mail)
>>and dns (needs dns to send mail). So all I should be doing is replacing
>>the client line for "client smtp dns". I also want to be able to update
>>my machine (it runs debian) so I need to add client lines that allow
>>web/ftp to the uk mirror but the uk mirror for debian is a round robin
>>to a number of IP's so how do I do that without adding each IP?
>>For (2), I already block this traffic in that I don't accept it
>>explicitly but what I'd really like to do is not log any of this traffic
>>(specifically the MS/samba ports) because it blows my logs up to stupid
>>sizes. How do I do that? Can I add an explicit drop for say samba with a
>>nolog option (does that exist?)
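The following firehol.conf is an added example written for this archive page; it is not the configuration Costa posted (the custom service definition in his reply did not survive in the archive) and it is not FireHOL project code. It puts the three points of the reply into one file using FireHOL 1.x syntax: ULOG logging via FIREHOL_LOG_MODE, a custom service whose client side matches any source port so it can be dropped silently before the logging policy sees it, and per-user restriction of outgoing connections with "user root". The interface name eth0, the service name msnoise and the port list are assumptions chosen to match the MS/Samba backscatter the thread discusses.

```bash
# firehol.conf (FireHOL 1.x) - added example, not the original poster's file.

version 5

# 1. Send log messages through ULOG so ulogd receives them instead of syslog.
#    This must be near the top, before any interface/router statements.
FIREHOL_LOG_MODE="ULOG"

# 2. Custom service definition. FireHOL's built-in services match both the
#    server port and a sane client port range, so spoofed/odd source ports fall
#    through to the (logged) policy. Setting the client side to "any" makes the
#    rule match purely on the destination port.
#    Service name and port list are assumptions for this example.
server_msnoise_ports="tcp/135 tcp/139 tcp/445 udp/137 udp/138"
client_msnoise_ports="any"

interface eth0 internet src not "${UNROUTABLE_IPS}"
    protection strong

    # Silent drop: no 'log' or 'loglimit' option, so these packets are never
    # logged and never reach the interface policy below.
    server msnoise drop

    # Services this host offers (it is an MX in the thread).
    server smtp accept
    server ssh accept

    # 3. Outgoing traffic: mail and DNS for every local user, web only for root.
    #    Everything else from local users falls through to the policy.
    client "smtp dns" accept
    client http accept user root

    # Unmatched traffic is dropped by the default policy and logged (to ULOG).
```

Order matters inside the interface block: the silent `server msnoise drop` line has to come before any rule that could match the same packets, and before the policy, which is where FireHOL generates its log entries. Run `firehol try` after editing so a mistake in the file rolls back automatically.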