Different APF log for TCP/UDP drops

APF can be configured to write its TCP/UDP INPUT and OUTPUT drop log entries to a separate log file instead of /var/log/messages.

Requirements:

APF Firewall 0.9.3 or above. It may work on previous versions, but we haven't tested them. If you're using an older version you should upgrade anyway.

Changing APF’s configuration:

1) Login to your server and su to root shell.

2) Create a new log file just for the TCP/UDP output/drops from APF.
touch /var/log/customlog

Set user permissions to restrict access.
chmod 600 /var/log/customlog

3) Change the syslog configuration so that the kernel log messages generated by the iptables LOG target are written to your new log file.
First, let's make a backup to be safe:
cp /etc/syslog.conf /etc/syslog.conf.bak

vi /etc/syslog.conf

4) Add the following line at the bottom

# Send iptables LOGDROPs to /var/log/customlog
kern.=debug /var/log/customlog

5) Save the changes, ctrl + X then Y

6) Reload the syslogd service for the change to take effect.
service syslog reload

7) Open APF and edit the firewall configuration.
First, let's make a backup to be safe:
cp /etc/apf/firewall /etc/apf/firewall.bak

vi /etc/apf/firewall

Find the following: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_TCP DROP ** "
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug

Find the following one more time: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_TCP DROP ** "
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug

8) Save the changes to firewall.
Ctrl + X then Y

9) Restart apf for the changes to take effect.

apf -r

10) Make sure the new log file is getting written to:
tail -f /var/log/customlog

You should see things like:

Aug 27 15:48:31 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=192.168.1.1 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57369 PROTO=UDP SPT=4593 DPT=28000 LEN=14
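Because the syslog rule above routes every kern.debug message to the new file, not only firewall entries, anything that reads /var/log/customlog has to tell the iptables LOG lines apart from other kernel chatter. The following parser and drop summary is an added example, not code from the original post or from APF; it assumes only the key=value kernel log format shown in the sample line (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=), and the log lines it runs over are constructed for the demonstration.

```python
"""Parse iptables LOG entries from /var/log/customlog and summarize drops.

Added example (not part of the original post or of APF). It relies only on
the kernel-format lines shown in the post: space-separated KEY=VALUE fields
such as IN=eth0 OUT= SRC=... DST=... PROTO=UDP SPT=... DPT=...
Lines without those fields (other kern.debug messages) are skipped.
"""
import re
from collections import Counter

# Splits "Aug 27 15:48:31 fox kernel: IN=eth0 OUT= ..." into syslog prefix
# and kernel payload.
_KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)
# KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=" on an inbound packet).
_FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample log: two inbound UDP drops, one outbound TCP drop, and one
# unrelated kern.debug message that must be ignored.
SAMPLE_LOG = """\
Aug 27 15:48:31 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=192.168.1.1 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57369 PROTO=UDP SPT=4593 DPT=28000 LEN=14
Aug 27 15:48:35 fox kernel: usb 1-1: new high speed USB device using ehci_hcd
Aug 27 15:48:40 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=203.0.113.7 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=53 DPT=28000 LEN=28
Aug 27 15:48:41 fox kernel: IN= OUT=eth0 SRC=192.168.1.1 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

REQUIRED_FIELDS = ("IN", "OUT", "SRC", "DST", "PROTO")


def parse_line(line):
    """Return a dict of fields for an iptables LOG line, or None for any other line."""
    match = _KERNEL_RE.match(line.strip())
    if not match:
        return None
    fields = {}
    for key, value in _FIELD_RE.findall(match.group("body")):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    # A firewall LOG entry always carries IN/OUT plus SRC/DST/PROTO; anything
    # else is unrelated kernel output that landed in the file via kern.=debug.
    if not all(key in fields for key in REQUIRED_FIELDS):
        return None
    # An empty IN= means the packet was leaving (OUTPUT chain).
    fields["direction"] = "IN" if fields["IN"] else "OUT"
    fields["timestamp"] = match.group("ts")
    fields["host"] = match.group("host")
    return fields


def summarize(log_text):
    """Count drops per (direction, PROTO, DPT) and per SRC; report skipped lines."""
    by_rule = Counter()
    by_source = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        by_rule[(entry["direction"], entry["PROTO"], entry.get("DPT", "-"))] += 1
        by_source[entry["SRC"]] += 1
    return {"by_rule": by_rule, "by_source": by_source, "skipped": skipped}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/customlog").read() on a real host.
    result = summarize(SAMPLE_LOG)
    for (direction, proto, dport), count in result["by_rule"].most_common():
        print(f"{direction:3} {proto:4} dpt={dport:<6} drops={count}")
    for src, count in result["by_source"].most_common():
        print(f"src={src:<16} drops={count}")
    print(f"non-firewall kernel lines skipped: {result['skipped']}")
```

Running it against the real file shows at a glance which destination ports and sources account for the drops, and the skipped counter makes it obvious when other kernel debug output is sharing the file.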

Also check the messages log to make sure APF is no longer writing to it.

tail -f /var/log/messages