Hi,
I have that rule:

    Chain INBOUND (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

But I have sent, in my mail, only the LOG rules because the warning was 
about this.
Sorry, but I see now that I didn't send the explanation of the warning: :-[

    [-] You may just need to add a default logging rule to the INPUT chain on
         xxxx.  For more information, see the file "FW_HELP" in
         the psad sources directory or visit:

         http://www.cipherdyne.org/psad/docs/fwconfig.html

I have received this warning only one time. Perhaps it was a temporary 
error of iptables or psad, no?
Regards.

On 09/09/10 14:17, Michael Rash wrote:
> On Aug 30, 2010, Simón wrote:
>
>>    Hi,
> Hello,
>
>>       I have received this warning today: "[psad-status] firewall setup
>> warning on xxxxxx!". It's the first time, and I have used psad for over a year.
>>       My iptables LOG policy is the following:
>> _________________________________________________________________________________________
>> $ sudo iptables -L
>>
>>      Chain INPUT (policy DROP)
>>      target     prot opt source               destination
>>      ......
>>      LOG_FILTER  all  --  anywhere             anywhere
>>      LOG        all  --  anywhere             anywhere            LOG
>>      level info prefix `Unknown Input'
>>
>>      Chain FORWARD (policy DROP)
>>      target     prot opt source               destination
>>      ......
>>      LOG_FILTER  all  --  anywhere             anywhere
>>      LOG        all  --  anywhere             anywhere            LOG
>>      level info prefix `Unknown Forward'
>>
>>      Chain OUTPUT (policy DROP)
>>      target     prot opt source               destination
>>      ......
>>      LOG_FILTER  all  --  anywhere             anywhere
>>      LOG        all  --  anywhere             anywhere            LOG
>>      level info prefix `Unknown Output'
>>
>>      Chain LOG_FILTER (5 references)
>>      target     prot opt source               destination
>>
>>      Chain LSI (52 references)
>>      target     prot opt source               destination
>>      LOG_FILTER  all  --  anywhere             anywhere
>>      LOG        tcp  --  anywhere             anywhere            tcp
>>      flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info
>>      prefix `Inbound '
>>      LOG        tcp  --  anywhere             anywhere            tcp
>>      flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info
>>      prefix `Inbound '
>>      LOG        icmp --  anywhere             anywhere            icmp
>>      echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
>>      LOG        all  --  anywhere             anywhere            limit:
>>      avg 5/sec burst 5 LOG level info prefix `Inbound '
>>      ......
>>
>>      Chain LSO (0 references)
>>      target     prot opt source               destination
>>      LOG_FILTER  all  --  anywhere             anywhere
>>      LOG        all  --  anywhere             anywhere            limit:
>>      avg 5/sec burst 5 LOG level info prefix `Outbound '
>>      ......
>>
>> _________________________________________________________________________________________
>>
>> Isn't it correct?
> It looks to me as though you don't have any iptables rules that accept packets
> based on connection state.  For example, in the INPUT chain, you should have
> a rule like this:
>
> # iptables -nL INPUT |grep state |grep ACCEPT
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state 
> RELATED,ESTABLISHED
>
> This will accept all packets that are part of established connections.
>
> Thanks,
>
> --Mike
>
>> Regards.
> ------------------------------------------------------------------------------
> This SF.net Dev2Dev email is sponsored by:
>
> Show off your parallel programming skills.
> Enter the Intel(R) Threading Challenge 2010.
> http://p.sf.net/sfu/intel-thread-sfd
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
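
An added example, not part of the original messages and not psad's own check: the state ACCEPT rules in this thread live in a user-defined chain (INBOUND), so filtering only the INPUT chain's listing does not show them. This Python sketch parses `iptables -L` style text, re-joins mail-wrapped rule lines, follows jumps from INPUT into user-defined chains, and reports whether a state ACCEPT rule is reachable and whether the chain itself has a catch-all LOG rule. The sample listing and all function names are constructed for illustration.

```python
import re

# Constructed listing in the style of `iptables -L` (not taken from a real host).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
INBOUND    all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG
level info prefix `Unknown Input'

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
"""
ANY = {"anywhere", "0.0.0.0/0"}

def parse_chains(listing):
    """Return {chain: [rule, ...]}; mail-wrapped rule lines are re-joined."""
    chains, current = {}, None
    for line in (raw.strip() for raw in listing.splitlines()):
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif current is None or not line or line.startswith("target "):
            continue
        else:
            f = line.split(None, 5)
            if len(f) >= 5 and f[2] == "--":   # assumption: opt column is "--"
                current.append({"target": f[0], "prot": f[1], "src": f[3],
                                "dst": f[4], "extra": f[5] if len(f) > 5 else ""})
            elif current:                      # continuation of a wrapped rule
                current[-1]["extra"] += " " + line
    return chains

def reachable(chains, name, seen):
    """Yield rules of `name` and of every user-defined chain it jumps to."""
    if name in seen or name not in chains:
        return
    seen.add(name)
    for rule in chains[name]:
        yield rule
        yield from reachable(chains, rule["target"], seen)

def audit(listing, chain="INPUT"):
    chains = parse_chains(listing)
    state_accept = any(r["target"] == "ACCEPT" and "RELATED,ESTABLISHED" in r["extra"]
                       for r in reachable(chains, chain, set()))
    default_log = any(r["target"] == "LOG" and r["prot"] == "all"
                      and r["src"] in ANY and r["dst"] in ANY
                      for r in chains.get(chain, []))
    return {"state_accept": state_accept, "default_log": default_log}
```

Feed it the full output of `iptables -L` (or `-nL`) for the host; a truncated listing such as one with `......` lines elided can only be judged on the rules that are shown.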
