An easy way to record the packets that hit a filter term is to use the "log" action on the term:
user@olive-core> show configuration firewall
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            log;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}
To see the log (there must be hits against the term to produce the kind of output shown below):
user@olive-core> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
18:28:02 ACCESS-CNTRL D em0.0 TCP 192.168.0.11 192.168.0.100
user@olive-core> show firewall log detail
Time of Log: 2012-01-13 18:28:02 EST, Filter: ACCESS-CNTRL, Filter action: discard, Name of interface: em0.0
Name of protocol: TCP, Packet Length: 49245, Source address: 192.168.0.11:53159, Destination address: 192.168.0.100:23
So there are a couple of ways to see the log hits. The output shows us the interface involved, the time of the event and the source and destination IPs. Great!
The thing is, though, this output is not persistent between reboots. For that we need the "syslog" action:
user@olive-core> show configuration firewall
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            log;
            syslog;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}
The firewall logs don't appear in the messages log by default, so you need to define a log for the firewall facility. I have selected the severity level "any", but you could select any of the other levels depending on the severity of the messages you want to log.
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file FIREWALL-LOG {
        firewall any;
    }
}
To see the logs:
user@olive-core> show log FIREWALL-LOG
Jan 15 20:19:04 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 53403 23
Jan 15 20:19:07 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 53403 23
user@olive-core>
You can run the "log" action at the same time as "syslog" on the filter term, though there is little point as they give almost identical information. Below is the same hit viewed both ways:
user@olive-core> show log FIREWALL-LOG
Jan 16 18:17:10 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 51100 23
user@olive-core> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
18:17:10 ACCESS-CNTRL D em0.0 TCP 192.168.0.11 192.168.0.100
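As an added example (not code from the original post), the following Python parses both log shapes shown above, the syslog "FW:" line from the FIREWALL-LOG file and the table from "show firewall log", into one record type and counts discarded hits per source, destination and destination port, which is the first thing you would want from a collector receiving these messages. The sample lines are constructed to match the shapes on the page, not captured from a device. The regex skips anything between the hostname and "FW:" so a configured log-prefix does not break matching (its exact placement in the message is an assumption), ports are treated as optional on the assumption that non-TCP/UDP hits omit them, and the meaning of action letters other than D is assumed (the page only shows D for discard).

```python
"""Parse Junos firewall-filter log output into structured records and summarise discards."""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample input modelled on the shapes shown in the post; not captured
# from a real device. The sshd line is deliberate noise that must be ignored.
SYSLOG_LINES = [
    "Jan 15 20:19:04 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 53403 23",
    "Jan 15 20:19:07 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 53403 23",
    "Jan 16 18:17:10 olive-core /kernel: FW: em0.0 D tcp 192.168.0.11 192.168.0.100 51100 23",
    "Jan 16 18:17:12 olive-core /kernel: FW: em0.0 A tcp 192.168.0.12 192.168.0.100 40000 22",
    "Jan 16 18:17:13 olive-core sshd[1234]: Accepted password for bob from 192.168.0.12",
]

SHOW_FIREWALL_LOG = """\
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
18:17:10 ACCESS-CNTRL D em0.0 TCP 192.168.0.11 192.168.0.100
"""


class FirewallHit(NamedTuple):
    timestamp: str
    filter_name: Optional[str]   # only the 'show firewall log' table names the filter
    interface: str
    action: str                  # single-letter code; D = discard as on the page
    protocol: str
    src_addr: str
    dst_addr: str
    src_port: Optional[int]      # only the syslog line carries ports
    dst_port: Optional[int]


# Syslog form: "<ts> <host> /kernel: FW: <ifc> <action> <proto> <src> <dst> [<sport> <dport>]".
# Everything between the host and "FW:" is skipped so a configured log-prefix
# (placement assumed) does not break the match. Ports are optional because
# non-TCP/UDP hits are assumed to omit them.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*?\bFW: "
    r"(?P<ifc>\S+) (?P<action>\S) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))?\s*$"
)

# Table form from 'show firewall log': "<hh:mm:ss> <filter> <action> <ifc> <proto> <src> <dst>".
SHOWLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<filter>\S+) (?P<action>\S) (?P<ifc>\S+) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)\s*$"
)


def parse_syslog_line(line: str) -> Optional[FirewallHit]:
    """Return a FirewallHit for a 'FW:' syslog line, or None for unrelated lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    return FirewallHit(m["ts"], None, m["ifc"], m["action"], m["proto"].lower(),
                       m["src"], m["dst"], sport, dport)


def parse_show_firewall_log(text: str) -> List[FirewallHit]:
    """Parse the 'show firewall log' table, skipping the 'Log :' and column-header rows."""
    hits = []
    for line in text.splitlines():
        m = SHOWLOG_RE.match(line)
        if m:
            hits.append(FirewallHit(m["ts"], m["filter"], m["ifc"], m["action"],
                                    m["proto"].lower(), m["src"], m["dst"], None, None))
    return hits


def summarize_discards(hits: Iterable[FirewallHit]) -> Counter:
    """Count discarded hits per (source address, destination address, destination port)."""
    return Counter((h.src_addr, h.dst_addr, h.dst_port) for h in hits if h.action == "D")


if __name__ == "__main__":
    syslog_hits = [h for h in map(parse_syslog_line, SYSLOG_LINES) if h]
    for key, n in summarize_discards(syslog_hits).most_common():
        print(f"{n:3d} discards  {key[0]} -> {key[1]}:{key[2]}")
    for h in parse_show_firewall_log(SHOW_FIREWALL_LOG):
        print(f"table row: {h.filter_name} {h.action} {h.src_addr} -> {h.dst_addr}")
```

The same Counter, keyed on destination port, is enough to alert on repeated discards against a single service (here port 23) from one source; the table parser is only useful on the box itself, since that output is lost on reboot.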
You can control the actual log file through the archive command. These parameters can be set for all syslogs or individually on each log, depending on the hierarchy level at which you apply the archive command.
user@olive-core# set system syslog file FIREWALL-LOG archive ?
Possible completions:
<[Enter]> Execute this command
> archive-sites
files Number of files to be archived (1..1000)
no-world-readable Don't allow any user to read the log file
size Size of files to be archived (65536..1073741824 bytes)
start-time Start time for file transmission (yyyy-mm-dd.hh:mm)
transfer-interval Frequency at which to transfer files to archive sites (5..2880 minutes)
world-readable Allow any user to read the log file
| Pipe through a command
[edit]
user@olive-core#
Naturally, with syslog you will probably want to send the messages off to a central syslog collector. For this you configure the "host" option under syslog. Here the remote syslog host receives only the firewall facility, with a log prefix applied to each message. Also note that the local log on the olive has been limited to a maximum of 2 archive files.
syslog {
    user * {
        any emergency;
    }
    host 192.168.56.40 {
        firewall any;
        log-prefix "the_olive!";
        source-address 192.168.56.100;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
    file FIREWALL-LOG {
        firewall any;
        archive files 2;
    }
}
Below is a screenshot of the syslog message after arriving in the remote syslog collector, in this case Zenoss, running in VirtualBox.
Model: olive
JUNOS Base OS Software Suite [10.1R1.8]