On Aug 30, 2010, Simón wrote:
> Hi,

Hello,

> I have received this warning today: "[psad-status] firewall setup
> warning on xxxxxx!". It's the first time, and I have used psad for over a year.
> My iptables LOG policy is the following:
> _________________________________________________________________________________________
> $ sudo iptables -L
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ......
> LOG_FILTER all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level info prefix `Unknown Input'
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ......
> LOG_FILTER all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level info prefix `Unknown Forward'
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ......
> LOG_FILTER all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             LOG level info prefix `Unknown Output'
>
> Chain LOG_FILTER (5 references)
> target     prot opt source               destination
>
> Chain LSI (52 references)
> target     prot opt source               destination
> LOG_FILTER all  --  anywhere             anywhere
> LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
> LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
> LOG        icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
> LOG        all  --  anywhere             anywhere             limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
> ......
>
> Chain LSO (0 references)
> target     prot opt source               destination
> LOG_FILTER all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere             limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
> ......
>
> _________________________________________________________________________________________
>
> Isn't it correct?

It looks to me as though you don't have any iptables rules that accept packets based on connection state.
For example, in the INPUT chain, you should have a rule like this:

  # iptables -nL INPUT |grep state |grep ACCEPT
  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

This will accept all packets that are part of established connections.

Thanks,

--Mike

> Regards.

_______________________________________________
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss
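The check Mike describes, scripted, as an added example that is not part of the thread or of psad itself. It parses the command-line form of a chain that `iptables -S <chain>` prints, looks for an ACCEPT rule matched on RELATED,ESTABLISHED (either the legacy `-m state --state` form or the `-m conntrack --ctstate` form), and also verifies that the rule sits before the chain's first LOG rule, since iptables evaluates rules top-down and a state rule placed after the LOG rule would not stop reply packets from being logged first. The three rule listings are constructed samples, and the function names (`has_state_accept`, `state_rule_before_log`, `report`, `check_live_chain`, `fix_live_chain`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the psad-discuss thread or from psad.
# Checks an iptables chain (in `iptables -S` output form) for a
# RELATED,ESTABLISHED ACCEPT rule and for its position relative to LOG rules.

# Constructed sample 1: roughly what `iptables -S INPUT` would print for the
# INPUT chain in the question above (no state rule at all).
SAMPLE_BROKEN='-P INPUT DROP
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input"'

# Constructed sample 2: state rule present, but after the LOG rule, so reply
# packets still hit the LOG rule first.
SAMPLE_MISORDERED='-P INPUT DROP
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample 3: the corrected chain, state rule first.
SAMPLE_FIXED='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input"'

# Regex for a stateful ACCEPT rule: "--state" or "--ctstate", a state list
# containing ESTABLISHED, and an ACCEPT target at the end of the rule.
STATE_ACCEPT_RE='--(ct)?state [^ ]*ESTABLISHED.* -j ACCEPT$'

# has_state_accept RULES: exit 0 if RULES contain a stateful ACCEPT rule.
has_state_accept() {
    printf '%s\n' "$1" | grep -Eq -- "$STATE_ACCEPT_RE"
}

# state_rule_before_log RULES: exit 0 if the first stateful ACCEPT rule comes
# before the first "-j LOG" rule (a chain with no LOG rule at all passes).
# "-j LOG_FILTER" is a jump to a user chain, not the LOG target, so the
# pattern requires a space or end of line right after "LOG".
state_rule_before_log() {
    accept_line=$(printf '%s\n' "$1" | grep -En -- "$STATE_ACCEPT_RE" | head -n1 | cut -d: -f1)
    log_line=$(printf '%s\n' "$1" | grep -En -- ' -j LOG( |$)' | head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] || return 1
    if [ -z "$log_line" ]; then
        return 0
    fi
    [ "$accept_line" -lt "$log_line" ]
}

# report LABEL RULES: print a one-line verdict for a rule listing.
report() {
    if ! has_state_accept "$2"; then
        echo "$1: no RELATED,ESTABLISHED ACCEPT rule in chain"
    elif ! state_rule_before_log "$2"; then
        echo "$1: state rule present but placed after a LOG rule"
    else
        echo "$1: ok"
    fi
}

# check_live_chain CHAIN: same check against the running firewall (needs root).
check_live_chain() {
    rules=$(iptables -S "$1") || return 2
    report "$1" "$rules"
}

# fix_live_chain CHAIN: insert the state rule at position 1 of CHAIN (needs
# root). Assumes the conntrack match is available, as on any recent kernel.
fix_live_chain() {
    iptables -I "$1" 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run the check over the constructed samples only; the live functions are
# left for the reader to call by hand (e.g. `check_live_chain INPUT`).
report broken     "$SAMPLE_BROKEN"
report misordered "$SAMPLE_MISORDERED"
report fixed      "$SAMPLE_FIXED"
```

Running the script prints one verdict per sample; only the third is reported as ok. On a live box, `check_live_chain INPUT` and `check_live_chain FORWARD` give the same verdict for the real chains, and `fix_live_chain INPUT` inserts the rule Mike suggests at the top of the chain so that it is evaluated before the LOG_FILTER and LOG rules.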