diff --git a/config/networks/dmz.nft b/config/networks/dmz.nft
index 9b242d1..2fad530 100644
--- a/config/networks/dmz.nft
+++ b/config/networks/dmz.nft
@@ -34,7 +34,7 @@ table inet firewall {
 ip daddr @dmz_whitelist_web tcp dport {http, https} accept
 ip daddr . tcp dport @dmz_whitelist_tcp accept
 ip daddr . udp dport @dmz_whitelist_udp accept
-counter log prefix "Invalid access to dmz:" drop
+counter log group 1 prefix "Invalid access to dmz:" drop
 }
 
 chain from_dmz {
diff --git a/config/networks/nerim.nft b/config/networks/nerim.nft
index 1193007..d34cb7b 100644
--- a/config/networks/nerim.nft
+++ b/config/networks/nerim.nft
@@ -31,6 +31,6 @@ table inet firewall {
 }
 
 chain snat_nerim {
-log prefix "masquerade:" masquerade
+log group 1 prefix "masquerade:" masquerade
 }
 }
diff --git a/nftables.conf b/nftables.conf
index 328b97e..30b4002 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -97,7 +97,7 @@ table inet firewall {
 $if_nerim: jump from_nerim
 }
 
-counter log prefix "Uncaught traffic:"
+counter log group 1 prefix "Uncaught traffic:"
 }
 
 chain source_nat {
@@ -116,6 +116,8 @@ table inet firewall {
 chain input {
 type filter hook input priority 0
 policy drop
+ct state established,related accept
+ct state invalid drop
 meta iif $admin_if accept
 }
 }
diff --git a/ulogd.conf b/ulogd.conf
new file mode 100644
index 0000000..549fa4c
--- /dev/null
+++ b/ulogd.conf
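Review bot: The rewritten drop rule copies every blocked packet to NFLOG group 1 with no rate limit, so a flood of unwanted traffic toward the DMZ becomes an equal flood of netlink messages to ulogd; when the userspace socket cannot keep up the kernel drops the log records, not the packets, and the events most worth seeing are the ones lost. Separating the log from the verdict keeps the drop unconditional while bounding log volume, for example `counter limit rate 10/second burst 50 packets log group 1 prefix "Invalid access to dmz:"` followed by a plain `drop` rule (rate values are illustrative). The same consideration applies to the `"Uncaught traffic:"` rule in nftables.conf and, less severely because a nat chain only evaluates the first packet of a flow, to the `"masquerade:"` rule in nerim.nft. The enclosing chain opens before this hunk.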
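Review bot: The `log` statement in snat_nerim runs before `masquerade`, so the packet handed to group 1 carries the pre-NAT source address and port; a record prefixed "masquerade:" therefore cannot be matched to the translated tuple that a remote peer, or an abuse report, refers to. If the purpose of this log is NAT attribution, conntrack-based logging (the `ulogd_inpflow_NFCT` input plugin, left commented out in the new ulogd.conf) records original and reply tuples per flow; otherwise a comment such as `# pre-NAT view only; translated tuple is in the conntrack table` above the rule would prevent the misreading. Both the chain and the table close inside this hunk.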
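Review bot: `ct state invalid drop` in the input chain discards silently, while every other drop touched by this commit is counted and the DMZ one is logged; adding at least a counter, `ct state invalid counter drop`, makes an unexpected spike of invalid-state traffic visible in `nft list ruleset` at no cost. Putting `ct state established,related accept` ahead of `meta iif $admin_if accept` is the usual stateful ordering and is fine. Only the `input` chain is changed in this hunk; whether the forward path in this file carries the same two rules is not visible here and is worth checking.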
@@ -0,0 +1,101 @@
+# Tutorial:
+# https://connect.ed-diamond.com/GNU-Linux-Magazine/glmfhs-041/ulogd2-journalisation-avancee-avec-netfilter
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+#
+# 0. don't specify any plugin for ulogd to load them all
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# Packet logging
+stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,print1:PRINTPKT,json1:JSON
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
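Review bot: The `[json1]` output is where everything the firewall now sends to group 1 ends up, yet its `file=` line is commented out, so the destination of the JSON records depends on the plugin's built-in default rather than on this file; set it explicitly as `[emu1]` does, e.g. `file="/var/log/ulog/ulogd.json"`, so the audit trail has a known path for rotation and collection. The `[log1]` stack on `group=0` only receives data if the kernel's conntrack-invalid logging is enabled (the `nf_conntrack_log_invalid` sysctl), which nothing in this commit sets; either note that dependency next to `group=0` or expect syslogemu.log to stay empty. `sync=1` on both outputs flushes after every record, which is appropriate for an audit log but amplifies the cost of a burst from the unlimited `log group 1` rules, so consider buffer sizing (`netlink_socket_buffer_size`, currently commented out) together with a rate limit on the nft side. Minor wording in the copied comments: "Group O" should read "Group 0", "seperate" → "separate", "compatility" → "compatibility".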