Posted to users@cloudstack.apache.org by Len Bellemore <Le...@ControlCircle.com> on 2013/07/05 10:57:46 UTC

Virtual Router Firewall Logs

Hi Guys,

Does anyone know where the virtual router logs firewall access requests?  I guess it would be an iptables log of some sort.

I don't see much in /var/log/messages other than rules being applied.

Many Thanks

Len

________________________________
IMPORTANT NOTICE. This electronic message contains information from Control Circle Ltd, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please notify me by telephone or email (to the number or email address above) immediately. Activity and use of the ControlCircle e-mail system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes

RE: Virtual Router Firewall Logs

Posted by Jayapal Reddy Uradi <ja...@citrix.com>.
Currently firewall access on the VR is not logged.
You can raise a feature request for adding a log option for ingress/egress firewall rules.
While adding firewall rules the user can have an option enableLog/disableLog. By default logs will be disabled.

Thanks,
Jayapal


> -----Original Message-----
> From: David Comerford [mailto:davestyle@gmail.com]
> Sent: Friday, 5 July 2013 9:52 PM
> To: users@cloudstack.apache.org; aemneina@gmail.com
> Subject: Re: Virtual Router Firewall Logs
> 
> You could SSH into each virtual router and append some logging rules into the
> existing chains. The rules go into the mangle table.
> 
> If you wanted to log all drops then you could go for something like this.
> # iptables -I FIREWALL_10.144.100.109 3 -t mangle -j LOG
> 
> I put this in line 3 of my FIREWALL_10.144.100.109 chain, just above the DROP
> so it looks something like:
> # iptables -n -v --line-numbers -t mangle -L FIREWALL_10.144.100.109
> Chain FIREWALL_10.144.100.109 (1 references)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2        0     0 RETURN     tcp  --  *      *       2.2.2.2              0.0.0.0/0           tcp dpt:69
> 3        2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> 4        2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Now here's the problems with doing this....
> 1. The logging rules are blown away if anyone adds OR removes any firewall
> rules.
> 2. You will lose the rules if the router is ever re-created for upgrades etc.
> 
> So all in all it might not be worth the effort.
> It is a feature people do ask about quite a bit though so could be worth a
> feature request.
> 
> Best regards,
> David Comerford
> Mobile: +353 87 1238295
> Email: davestyle@gmail.com
> Website: http://dave.ie
> GPG key: http://pgp.dave.ie
> 
> 
> On 5 July 2013 10:43, Ahmad Emneina <ae...@gmail.com> wrote:
> 
> > You might have to enable that manually on the router, via iptables or
> > rsyslog; I don't see it being logged myself.
> >
> >
> > On Fri, Jul 5, 2013 at 1:57 AM, Len Bellemore <
> > Len.Bellemore@controlcircle.com> wrote:
> >
> > > Hi Guys,
> > >
> > > Does anyone know where the virtual router logs firewall access requests?
> > >  I guess it would be an iptables log of some sort.
> > >
> > > I don't see much in /var/log/messages other than rules being applied.
> > >
> > > Many Thanks
> > >
> > > Len
> > >
> >

Re: Virtual Router Firewall Logs

Posted by David Comerford <da...@gmail.com>.
You could SSH into each virtual router and append some logging rules into
the existing chains. The rules go into the mangle table.

If you wanted to log all drops then you could go for something like this.
# iptables -I FIREWALL_10.144.100.109 3 -t mangle -j LOG

I put this in line 3 of my FIREWALL_10.144.100.109 chain, just above the
DROP so it looks something like:
# iptables -n -v --line-numbers -t mangle -L FIREWALL_10.144.100.109
Chain FIREWALL_10.144.100.109 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 RETURN     tcp  --  *      *       2.2.2.2              0.0.0.0/0           tcp dpt:69
3        2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
4        2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Now here's the problems with doing this....
1. The logging rules are blown away if anyone adds OR removes any firewall
rules.
2. You will lose the rules if the router is ever re-created for upgrades
etc.

So all in all it might not be worth the effort.
It is a feature people do ask about quite a bit though so could be worth a
feature request.

Best regards,
David Comerford
Mobile: +353 87 1238295
Email: davestyle@gmail.com
Website: http://dave.ie
GPG key: http://pgp.dave.ie


On 5 July 2013 10:43, Ahmad Emneina <ae...@gmail.com> wrote:

> You might have to enable that manually on the router, via iptables or
> rsyslog; I don't see it being logged myself.
>
>
> On Fri, Jul 5, 2013 at 1:57 AM, Len Bellemore <
> Len.Bellemore@controlcircle.com> wrote:
>
> > Hi Guys,
> >
> > Does anyone know where the virtual router logs firewall access requests?
> >  I guess it would be an iptables log of some sort.
> >
> > I don't see much in /var/log/messages other than rules being applied.
> >
> > Many Thanks
> >
> > Len
> >
> >
>
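
An added example, not part of David's post or of CloudStack itself: a small POSIX sh helper that reads the line-numbered listing of a FIREWALL_<ip> chain, finds the rule number of its DROP rule, and prints the iptables command that inserts a LOG rule directly above it (skipping the insert if a LOG rule is already present, so re-running after the chain is regenerated is safe). The chain name, the log prefix and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): place a LOG rule directly above the DROP
# in a CloudStack VR FIREWALL_<ip> chain, mirroring the manual procedure above.
# Input is the text of `iptables -n -v --line-numbers -t mangle -L <chain>`.

# log_rule_position LISTING
# Prints the rule number of the first DROP rule, i.e. the slot the LOG rule
# should take. Prints nothing if the chain already has a LOG rule or no DROP.
log_rule_position() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+[[:space:]]/ {               # rule lines start with their number
            if ($4 == "LOG")           { have_log = 1 }
            if ($4 == "DROP" && !drop) { drop = $1 }
        }
        END { if (!have_log && drop) print drop }
    '
}

# log_rule_command CHAIN LISTING
# Prints the iptables command to run, or nothing when no insert is needed.
# --log-prefix is kept short (iptables limits it to 29 characters).
log_rule_command() {
    chain=$1
    pos=$(log_rule_position "$2")
    [ -n "$pos" ] || return 0
    printf 'iptables -t mangle -I %s %s -j LOG --log-prefix "VR-FW-DROP: " --log-level 4\n' \
        "$chain" "$pos"
}

# Constructed sample listing, modelled on the chain shown in the thread before
# the LOG rule was added (hypothetical values).
SAMPLE_LISTING='Chain FIREWALL_10.144.100.109 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 RETURN     tcp  --  *      *       2.2.2.2              0.0.0.0/0           tcp dpt:69
3        2   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# On a real router you would feed the live listing instead of the sample:
#   log_rule_command "$CHAIN" "$(iptables -n -v --line-numbers -t mangle -L "$CHAIN")"
log_rule_command FIREWALL_10.144.100.109 "$SAMPLE_LISTING"
```

The resulting kernel LOG lines land wherever rsyslog routes kern.warning on the router (commonly /var/log/messages or /var/log/kern.log), which is where to look once the rule is in place; as David notes, the rule must be re-applied whenever CloudStack rewrites the chain.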

Re: Virtual Router Firewall Logs

Posted by Ahmad Emneina <ae...@gmail.com>.
You might have to enable that manually on the router, via iptables or
rsyslog; I don't see it being logged myself.


On Fri, Jul 5, 2013 at 1:57 AM, Len Bellemore <
Len.Bellemore@controlcircle.com> wrote:

> Hi Guys,
>
> Does anyone know where the virtual router logs firewall access requests?
>  I guess it would be an iptables log of some sort.
>
> I don't see much in /var/log/messages other than rules being applied.
>
> Many Thanks
>
> Len
>
>