On 11/09/10 03:43, Michael Rash wrote:
> On Sep 09, 2010, Simón wrote:
>
>>    Hi,
>> I have that rule:
>>
>>      Chain INBOUND (1 references)
>>      target     prot opt source               destination
>>      ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>      ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>
>> But I have sent, in my mail, only the LOG rules because the warning was
>> about this.
>> Sorry, but I see now that I didn't send the explanation of the warning: :-[
>>
>>      [-] You may just need to add a default logging rule to the INPUT chain on xxxx.
>>          For more information, see the file "FW_HELP" in the psad sources directory or visit:
>>
>>           http://www.cipherdyne.org/psad/docs/fwconfig.html
>>
>> I have received this warning only one time. Perhaps it was a temporary
>> error of iptables or psad, no?
> Did you happen to receive that email after a reboot?  If so, it is possible
> that psad is not being executed until after the iptables policy is
> instantiated (by the init scripts).  If you manually restart psad with the
> init script do you receive the warning?

I've tested this now and I haven't received any warning.

> Thanks,
>
> --Mike
>
>
>> Regards.
>>
>> On 09/09/10 14:17, Michael Rash wrote:
>>> On Aug 30, 2010, Simón wrote:
>>>
>>>>     Hi,
>>> Hello,
>>>
>>>>        I have received this warning today: "[psad-status] firewall setup
>>>> warning on xxxxxx!". It's the first time, and I have used psad for over a year.
>>>>        My iptables LOG policy is as follows:
>>>> _________________________________________________________________________________________
>>>> $ sudo iptables -L
>>>>
>>>>       Chain INPUT (policy DROP)
>>>>       target     prot opt source               destination
>>>>       ......
>>>>       LOG_FILTER  all  --  anywhere             anywhere
>>>>       LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Input'
>>>>
>>>>       Chain FORWARD (policy DROP)
>>>>       target     prot opt source               destination
>>>>       ......
>>>>       LOG_FILTER  all  --  anywhere             anywhere
>>>>       LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Forward'
>>>>
>>>>       Chain OUTPUT (policy DROP)
>>>>       target     prot opt source               destination
>>>>       ......
>>>>       LOG_FILTER  all  --  anywhere             anywhere
>>>>       LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Output'
>>>>
>>>>       Chain LOG_FILTER (5 references)
>>>>       target     prot opt source               destination
>>>>
>>>>       Chain LSI (52 references)
>>>>       target     prot opt source               destination
>>>>       LOG_FILTER  all  --  anywhere             anywhere
>>>>       LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
>>>>       LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
>>>>       LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
>>>>       LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
>>>>       ......
>>>>
>>>>       Chain LSO (0 references)
>>>>       target     prot opt source               destination
>>>>       LOG_FILTER  all  --  anywhere             anywhere
>>>>       LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
>>>>       ......
>>>>
>>>> _________________________________________________________________________________________
>>>>
>>>> Isn't it correct?
>>> It looks to me as though you don't have any iptables rules that accept
>>> packets based on connection state.  For example, in the INPUT chain, you
>>> should have a rule like this:
>>>
>>> # iptables -nL INPUT |grep state |grep ACCEPT
>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>>
>>> This will accept all packets that are part of established connections.
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>> Regards.
>>> ------------------------------------------------------------------------------
>>> This SF.net Dev2Dev email is sponsored by:
>>>
>>> Show off your parallel programming skills.
>>> Enter the Intel(R) Threading Challenge 2010.
>>> http://p.sf.net/sfu/intel-thread-sfd
>>> _______________________________________________
>>> psad-discuss mailing list
>>> psad-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/psad-discuss
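The two conditions raised in this thread (a LOG rule in the INPUT chain, and an ACCEPT rule based on connection state) can be checked against an `iptables -nL` listing before psad is started. The script below is an added example, not part of the original messages and not psad's own check; the function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# chain_has_rule CHAIN TARGET [REGEX]: reads an `iptables -nL` listing on stdin;
# succeeds if CHAIN holds a rule with exactly that target whose line matches REGEX.
chain_has_rule() {
    awk -v chain="$1" -v target="$2" -v pat="${3:-.}" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 == target && $0 ~ pat { found = 1 }
        END { exit !found }
    '
}

# fw_ready CHAIN: listing on stdin; succeeds only if CHAIN has both a LOG rule
# and an ACCEPT rule matching on connection state.
fw_ready() {
    listing=$(cat)
    printf '%s\n' "$listing" | chain_has_rule "$1" LOG || return 1
    printf '%s\n' "$listing" | chain_has_rule "$1" ACCEPT 'state .*ESTABLISHED'
}

# Constructed sample: empty chains, as seen before the init scripts load a policy.
sample_at_boot() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample modelled on the listings quoted in the thread.
sample_loaded() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

for s in sample_at_boot sample_loaded; do
    if "$s" | fw_ready INPUT; then
        echo "$s: INPUT has LOG and state ACCEPT rules"
    else
        echo "$s: INPUT is missing a LOG or state ACCEPT rule"
    fi
done
```

On a live host the same check is `iptables -nL | fw_ready INPUT`, run as root. The target comparison is exact, so a jump to the `LOG_FILTER` chain does not count as a LOG rule.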