From: Paul G. <pg...@re...> - 2006-02-02 05:51:03
Elio Tondo wrote:
> ...
> My questions are:
>
> - are there packet types that are not logged (e.g. SYN) and are there
> ways to log them?

There are lots of packets that are not logged under normal circumstances. RELATED and ESTABLISHED are some of them. Broadcasts are others. Just run 'shorewall show' to view the iptables and you'll see all of the rules which do not have logging associated.

> - can the RELATED / ESTABLISHED distinction in 3.x help to track
> the problem (I've read http://shorewall.net/shorewall_logging.html)?

Possibly, but tcpdump is much more likely to yield what you're looking for.

> - any other idea to log the traffic outside Shorewall (to install an
> IDS like Snort)?

Regardless of any other advice about this problem, you *should* run Snort if you're running a publicly-accessible server. (And run something like logwatch or the Debian snort package which regularly summarises the results and sends them to you.)

Paul
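An added example, not part of Paul's reply or of Shorewall itself, that automates the audit he suggests: it reads rules in iptables-save format (assumed here to be the same rule set that 'shorewall show' displays) and lists the ACCEPT/DROP/REJECT rules that are not immediately preceded by a LOG rule with the same match, which is the Shorewall convention for logged rules. The rule set is constructed for illustration.

```python
import re

# Constructed sample in iptables-save format; the RELATED,ESTABLISHED and
# port-80 ACCEPT rules have no LOG rule in front of them.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp --dport 22 -j LOG --log-prefix "Shorewall:net2fw:ACCEPT:"
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -p tcp --dport 80 -j ACCEPT
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:"
-A net2fw -j DROP
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Split '-A <chain> <match> -j <target> ...' into (chain, match, target)."""
    if not line.startswith("-A "):
        return None  # chain declarations, COMMIT, comments: not rules
    head, _, tail = line.partition(" -j ")
    parts = head.split(None, 2)  # ['-A', chain, match-spec]
    chain = parts[1]
    match = parts[2].strip() if len(parts) > 2 else ""
    target = tail.split(None, 1)[0]
    return chain, match, target


def unlogged_rules(save_text):
    """Return (chain, match, target) for terminating rules with no LOG twin."""
    unlogged = []
    prev = {}  # chain -> (match, target) of the previous rule in that chain
    for line in save_text.splitlines():
        parsed = parse_rule(line.strip())
        if parsed is None:
            continue
        chain, match, target = parsed
        if target in TERMINATING:
            before = prev.get(chain)
            logged = before is not None and before[1] == "LOG" and before[0] == match
            if not logged:
                unlogged.append((chain, match, target))
        prev[chain] = (match, target)
    return unlogged


if __name__ == "__main__":
    for chain, match, target in unlogged_rules(SAMPLE_RULES):
        print(f"{chain}: '{match or '<any>'}' -> {target} (not logged)")
```

Run it against live output with `iptables-save | python3 audit.py` after replacing SAMPLE_RULES with `sys.stdin.read()`.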