
Log Settings Administrative Web Page

This page lets you configure how Endian Firewall displays, summarizes, forwards and filters its logs.

The page is divided into four sections, each described below:

Log viewing options

Figure 9.3. Configuration of log viewer


Controls how the log viewer presents log lines:

Number of lines to display

Specifies how many log lines you want the log viewer to display on one page.

Sort in reverse chronological order

Tick this if you want the log viewer to show the newest log lines first.

Log summaries

Figure 9.4. Configuration of log summaries


This lets you configure the summary page, which is described later in this document:

Log summaries for xxx days

Defines for how many days the daily summaries are kept on disk.

Detail level

Sets the detail level of the log summary. You can choose between Low, Medium and High; the higher the level, the more information the summary contains.

Remote logging

Figure 9.5. Configuration of remote logging


Endian Firewall can send all its log files to a remote syslog server in addition to writing them locally. This is useful if you want all of your company's logs on one centralized log server, and it means the logs are still available after a fatal disaster on the firewall itself (an attacker who compromises the firewall cannot alter or delete the copies already forwarded). To enable remote logging, enter the hostname or IP address of the remote syslog server in the text field labeled Syslog server and tick the checkbox Enabled. Endian Firewall will then log both to the remote syslog server and to the local log files. Keep in mind that classic syslog forwarding is unencrypted and unauthenticated, so the collector should sit on a trusted network segment and should only accept messages from the firewall's address.

Note

Currently not every service is able to use syslog. Some services can only write to their own log files and cannot log to a remote syslog server. Services which currently cannot use syslog are: all HTTP services (administration web server, HTTP proxy, HTTP content filter, HAVP), the FTP proxy and the IDS (snort). Plan your central log collection accordingly: these logs only exist on the firewall's local disk.

Firewall logging

Figure 9.6. Configuration of firewall logging


If Endian Firewall has a public IP address and is therefore the door to the outside, a large number of packets will be blocked by the firewall. Not all of these are hostile attempts by attackers, but they would nevertheless be logged and produce a lot of data. Here you can configure globally which kinds of packets you want logged and which not:

Log packets with BAD constellation of TCP flags

TCP lets anyone set flag combinations which make no sense at all (for example SYN and FIN together, or no flags at all). Such combinations may confuse firewalls and hosts in general and allow an attacker to gather more information than you want to share; portscanners in particular use them to fingerprint systems. Endian Firewall blocks such packets. Tick this if you also want them logged. You will find such attempts in the firewall log as packets which passed the chain BADTCP.

Log portscans

Tick this checkbox to enable portscan detection. Portscan detection is performed using the netfilter psd match. You will find the logged portscans in the firewall log as packets which passed the chain PORTSCAN.

Note

Portscans will never be blocked! They will only be logged! If you have not configured any port forwardings, a portscan of an Endian Firewall will not show the attacker anything of interest anyway, since nothing is open.

Log NEW connections without SYN flag

A packet which opens a new TCP connection must have the SYN flag set. A packet for a new connection without SYN is not valid; Endian Firewall blocks such packets, and you can log the attempts by ticking this checkbox.

Log refused packets

If you tick this, Endian Firewall will log all connection attempts which it has denied. Since Endian Firewall by default denies all connection attempts and allows only what you have defined, this will certainly produce a lot of unneeded data, so you may prefer to leave it off. It can be useful temporarily to find out which ports an application needs when you do not know them: the refused entries show the destination ports the application tried to reach.

Log accepted outgoing connections

Tick this if you want to log globally all connections which have successfully passed Endian Firewall without being dropped. You can use this to test whether your newly created rules are correct, since you see the connections made by applications.

Note

Check your local law! Enabling this may be prohibited by privacy law in many countries, while other countries may require you by law to enable it (for example the anti-terror law in Italy). If you have to enable it, make sure you back up your logs, since you will still need them after a possible fatal disaster. Ensure that nobody else has access to the backups and log files (privacy law)!
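The firewall log entries described in this section, and the kernel log lines that remote logging forwards to the syslog server, are standard netfilter LOG output: a log prefix naming the chain, followed by KEY=VALUE fields and the TCP flags that were set. The following added example (not Endian Firewall's own code) parses such lines as they would arrive over syslog, classifies them by chain, explains why a BADTCP packet's flag combination is invalid, and lists the ports each source tried for refused packets. Assumptions not taken from the page: the log prefix is the chain name followed by a space (BADTCP, PORTSCAN, NEWNOTSYN, DROP, ACCEPT; adjust CHAINS to what your own log shows), the "bad flags" rule set is the classic one used by such BADTCP chains rather than Endian's exact list, and the sample log lines are constructed.

```python
"""Parse and classify netfilter LOG lines from a syslog feed (added example).

Not part of Endian Firewall.  Assumed: the LOG prefix equals the chain name
plus a space, and the sample lines below are constructed in the standard
ipt_LOG key=value layout with RFC 3164 syslog framing.
"""
import re
from collections import Counter, defaultdict

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
CHAINS = {"BADTCP", "PORTSCAN", "NEWNOTSYN", "DROP", "ACCEPT"}  # assumed prefixes

# Constructed sample lines: one per firewall logging option, plus a non-kernel line.
SAMPLE_LINES = [
    "<4>Mar  1 10:00:01 efw kernel: BADTCP IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0",
    "<4>Mar  1 10:00:02 efw kernel: BADTCP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 URGP=0",
    "<4>Mar  1 10:00:03 efw kernel: PORTSCAN IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0",
    "<4>Mar  1 10:00:04 efw kernel: NEWNOTSYN IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0",
    "<4>Mar  1 10:00:05 efw kernel: DROP IN=eth1 OUT= SRC=192.0.2.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "<4>Mar  1 10:00:06 efw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=198.51.100.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=52000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "<38>Mar  1 10:00:07 efw sshd[123]: Accepted publickey for admin from 10.0.0.5",
]


def parse_line(line):
    """Split a syslog-framed netfilter LOG line into facility, severity, chain,
    key=value fields and the set of TCP flags.  Returns None for anything that
    is not a kernel message (application logs use other tags)."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != "kernel":
        return None
    pri = int(m.group("pri"))
    first, _, rest = m.group("msg").partition(" ")
    chain = first if first in CHAINS else "UNKNOWN"
    fields = dict(KV_RE.findall(rest))
    # ipt_LOG prints each set TCP flag as a bare word (e.g. "SYN FIN") before URGP=.
    flags = set()
    if fields.get("PROTO") == "TCP":
        flags = {w for w in rest.split() if w in TCP_FLAG_WORDS}
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
            "chain": chain, "fields": fields, "flags": flags}


def bad_tcp_reason(flags):
    """Why a TCP flag combination is invalid, or None if it is sane.
    Assumed rule set (classic BADTCP-style checks), not Endian's exact chain."""
    if not flags:
        return "no flags (NULL scan)"
    if flags >= {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}:
        return "all flags (XMAS scan)"
    for pair in (("SYN", "FIN"), ("SYN", "RST"), ("FIN", "RST")):
        if set(pair) <= flags:
            return "+".join(pair)
    for lone in ("FIN", "PSH", "URG"):
        if lone in flags and "ACK" not in flags:
            return f"{lone} without ACK"
    return None


def check_consistency(rec):
    """Cross-check what the chain name claims against the packet's own flags."""
    if rec["chain"] == "BADTCP":
        return bad_tcp_reason(rec["flags"]) is not None
    if rec["chain"] == "NEWNOTSYN":
        return "SYN" not in rec["flags"]
    return True


def summarize(lines):
    """Per-chain counts, BADTCP reasons, and for refused (DROP) packets the
    (proto, port) pairs each source tried: the use the page suggests for
    'Log refused packets' when you do not know an application's ports."""
    by_chain, bad_reasons = Counter(), Counter()
    refused_ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_chain[rec["chain"]] += 1
        f = rec["fields"]
        if rec["chain"] == "DROP":
            refused_ports[f.get("SRC")].add((f.get("PROTO"), f.get("DPT")))
        elif rec["chain"] == "BADTCP":
            bad_reasons[bad_tcp_reason(rec["flags"]) or "unexplained"] += 1
    return by_chain, {k: sorted(v) for k, v in refused_ports.items()}, bad_reasons


if __name__ == "__main__":
    by_chain, refused, reasons = summarize(SAMPLE_LINES)
    print("per chain:", dict(by_chain))
    print("BADTCP reasons:", dict(reasons))
    print("refused ports per source:", refused)
    # PORTSCAN entries are log-only: the firewall does not block the scanner.
    print("portscan sources (logged, not blocked):",
          sorted({parse_line(l)["fields"]["SRC"] for l in SAMPLE_LINES
                  if parse_line(l) and parse_line(l)["chain"] == "PORTSCAN"}))
```

Run it against the forwarded kernel log on the syslog server; only kernel-facility lines (facility 0) are netfilter output, and the HTTP, FTP proxy and snort logs named in the Note above will not appear in that feed at all.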