On Aug 30, 2010, Simón wrote:

>   Hi,

Hello,

>      I have received this warning today: "[psad-status] firewall setup 
> warning on xxxxxx!". It's the first time, and I have used psad for over a year.
>      My iptables LOG policy is the following:
> _________________________________________________________________________________________
> $ sudo iptables -L
> 
>     Chain INPUT (policy DROP)
>     target     prot opt source               destination
>     ......
>     LOG_FILTER  all  --  anywhere             anywhere
>     LOG        all  --  anywhere             anywhere            LOG
>     level info prefix `Unknown Input'
> 
>     Chain FORWARD (policy DROP)
>     target     prot opt source               destination
>     ......
>     LOG_FILTER  all  --  anywhere             anywhere
>     LOG        all  --  anywhere             anywhere            LOG
>     level info prefix `Unknown Forward'
> 
>     Chain OUTPUT (policy DROP)
>     target     prot opt source               destination
>     ......
>     LOG_FILTER  all  --  anywhere             anywhere
>     LOG        all  --  anywhere             anywhere            LOG
>     level info prefix `Unknown Output'
> 
>     Chain LOG_FILTER (5 references)
>     target     prot opt source               destination
> 
>     Chain LSI (52 references)
>     target     prot opt source               destination
>     LOG_FILTER  all  --  anywhere             anywhere
>     LOG        tcp  --  anywhere             anywhere            tcp
>     flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info
>     prefix `Inbound '
>     LOG        tcp  --  anywhere             anywhere            tcp
>     flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info
>     prefix `Inbound '
>     LOG        icmp --  anywhere             anywhere            icmp
>     echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
>     LOG        all  --  anywhere             anywhere            limit:
>     avg 5/sec burst 5 LOG level info prefix `Inbound '
>     ......
> 
>     Chain LSO (0 references)
>     target     prot opt source               destination
>     LOG_FILTER  all  --  anywhere             anywhere
>     LOG        all  --  anywhere             anywhere            limit:
>     avg 5/sec burst 5 LOG level info prefix `Outbound '
>     ......
> 
> _________________________________________________________________________________________
> 
> Isn't it correct?

It looks to me as though you don't have any iptables rules that accept packets
based on connection state.  For example, in the INPUT chain, you should have
a rule like this:

# iptables -nL INPUT |grep state |grep ACCEPT
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

This will accept all packets that are part of established connections.

Thanks,

--Mike

> Regards.

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
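
The check suggested in the reply above, extended to all three built-in chains and to user chains they jump to. This is an added example, not part of the original message or of psad; the function names are hypothetical and the sample ruleset is constructed, written in `iptables -S` form and loosely modeled on the listing in the thread.

```shell
#!/bin/sh
# Added example: list built-in chains that have no ACCEPT rule matching
# established connection state. Reads rules in `iptables -S` format on stdin.
# Heuristic: a jump to a user chain counts even if the jump itself is
# restricted to some protocol or interface, so review reported-clean chains.
chains_missing_state_accept() {
  awk '
    function covered(c, depth,   n, t, k) {
      if (c in ok) return 1
      if (depth > 8) return 0            # guard against jump loops
      n = split(jumps[c], t, " ")
      for (k = 1; k <= n; k++) if (covered(t[k], depth + 1)) return 1
      return 0
    }
    $1 == "-A" {
      chain = $2; target = ""; stateful = 0
      for (i = 3; i <= NF; i++) {
        # both the older state match and the conntrack match are recognised
        if (($i == "--state" || $i == "--ctstate") && $(i + 1) ~ /ESTABLISHED/)
          stateful = 1
        if ($i == "-j") target = $(i + 1)
      }
      if (stateful && target == "ACCEPT") ok[chain] = 1
      else if (target != "" && target !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN)$/)
        jumps[chain] = jumps[chain] " " target
    }
    END {
      n = split("INPUT OUTPUT FORWARD", b, " ")
      for (k = 1; k <= n; k++) if (!covered(b[k], 0)) print b[k]
    }
  '
}

# Constructed sample: INPUT accepts by state directly, OUTPUT does so through
# the LSO user chain, FORWARD only logs before the DROP policy applies.
sample_rules() {
  cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -j LSO
-A LSO -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

sample_rules | chains_missing_state_accept   # prints: FORWARD
```

On a live host the same function can be fed with `iptables -S | chains_missing_state_accept` run as root.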
