home firewall log tweaking

  1. #1
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,324

    home firewall log tweaking

    When you configure your home firewall, do you log everything?

    I like to poke around in my firewall logs... but it's a lot of the same.
    Scans for port 137,139,1026,1027,1433,1444, etc.
    You know the drill. With all that in there, it becomes very boring looking through.

    So, I decided to just not log those specific ports denied inbound (the most common hit ports most likely generated by worms). I still log everything that is permitted inbound. A benefit of it might be that it'll use less resources sending those over to syslog?

    Is that a stupid thing to do?

    Now when I look at it... I'll notice the stuff that isn't so common. (generated by worms or scripts)
    Not that I expect much...

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I like to log it all, then do 'find /I "allowed" firewall.log >allowed.txt' (or grep). I don't think syslog messages take up that much network bandwidth. Naming each rule according to what it's actually allowing/blocking helps make your searching easier, like including all traffic to remote 80 in a rule named 'Web'. Then you can refine your search to "Rule 'Web': Permitted: Out TCP" or omit it. Using a rule named 'all' for everything that isn't already defined or is ambiguous by nature and putting it lowest on the list allows you to see just the non-common traffic.

    Logging everything can give you a better idea of what's going on when you see an entry that looks a little odd. You can then grep for all entries for that IP in the original log and see only those entries to get a bigger picture. Kiddies try a lot of the same things that worms do, only more of them.

    All this is probably not necessary, and if it's blocked it's not anything to worry about, but I still think it's fun and it makes me feel in control.
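
The two approaches in this thread can be combined by keeping the full log and filtering at read time. The following is an added example, not code from either poster: the log layout and sample entries are constructed assumptions modelled on the rule string quoted in post #2, and the port list is the one given in post #1.

```shell
#!/bin/sh
# Added example: triage a complete firewall log at read time instead of
# suppressing entries at the firewall. The layout is an assumption:
#   DATE TIME Rule 'NAME': ACTION: DIR PROTO SRC:PORT -> DST:PORT

# Ports the first post treats as routine worm/scan noise.
NOISE_PORTS="137 139 1026 1027 1433 1444"

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
2006-03-01 10:00:01 Rule 'Web': Permitted: Out TCP 192.168.1.10:3456 -> 203.0.113.5:80
2006-03-01 10:00:05 Rule 'all': Blocked: In TCP 198.51.100.7:4444 -> 192.168.1.10:139
2006-03-01 10:00:09 Rule 'all': Blocked: In UDP 198.51.100.9:1030 -> 192.168.1.10:1026
2006-03-01 10:01:12 Rule 'all': Blocked: In TCP 203.0.113.77:2201 -> 192.168.1.10:22
2006-03-01 10:01:13 Rule 'all': Blocked: In TCP 203.0.113.77:2202 -> 192.168.1.10:1433
2006-03-01 10:02:40 Rule 'SSH': Permitted: In TCP 192.0.2.20:5151 -> 192.168.1.10:22
EOF
}

# Blocked inbound entries whose destination port is NOT in the noise list.
uncommon_blocked() {
    awk -v noise="$NOISE_PORTS" '
        BEGIN { n = split(noise, p, " "); for (i = 1; i <= n; i++) skip[p[i]] = 1 }
        /Blocked: In / {
            port = $NF; sub(/.*:/, "", port)   # text after the last colon
            if (!(port in skip)) print
        }'
}

# Every entry, noise included, where the source or destination is exactly $1.
# Comparing whole addresses avoids 1.2.3.4 also matching 11.2.3.4.
entries_for_ip() {
    awk -v ip="$1" '{
        s = $(NF-2); d = $NF
        sub(/:[0-9]+$/, "", s); sub(/:[0-9]+$/, "", d)
        if (s == ip || d == ip) print
    }'
}

# Everything that was let in (the read-time counterpart of the find/grep step).
permitted_in() {
    grep -i "Permitted: In "
}

# Usage: sample_log | uncommon_blocked
#        sample_log | entries_for_ip 203.0.113.77
```

On the sample, the port 22 probe is the only blocked entry left after filtering, and pivoting on its source address brings back the port 1433 hit that the noise filter hid.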
