Firewall log

Hi,

I installed openSUSE 42.3 and enabled the firewall from YaST. My question is: how can I see and review the firewall log files?

Thank you, openSUSE team, for your good Linux distribution.

This can be used to watch the log live…

sudo journalctl -f|grep iptables

Filtering the current boot log for iptables messages…

journalctl -b|grep iptables

The openSUSE firewall guide is worth reviewing:
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html#id42771

From YaST, firewall logging can be configured as follows:

Logging Level There are two rules for logging: accepted and not accepted packets. Packets that are not accepted are DROPPED or REJECTED. Select from Log All, Log Only Critical, or Do Not Log Any.
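Once logging is on, `journalctl | grep iptables` gives you raw kernel lines that are hard to read in bulk. The script below is an added example, not code from the thread or from openSUSE: it summarises SuSEfirewall2 log lines from the journal by counting identical (action, source, destination, protocol, destination port) tuples. It assumes the `SFW2-<chain>-<action>-<reason>` prefix that SuSEfirewall2 puts on its LOG rules, and the sample lines are constructed (fake hosts on a 192.168.1.0/24 LAN). Lines without a port, such as ICMP, are handled and shown with `-` for the port.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SuSEfirewall2 LOG lines.
# SuSEfirewall2 tags its kernel log entries with a prefix of the form
# SFW2-<chain>-<action>-<reason> (e.g. SFW2-INext-DROP-DEFLT) followed by
# the usual netfilter fields (IN= SRC= DST= PROTO= SPT= DPT= ...).
# ICMP lines carry no ports, so the summary prints "-" where DPT is absent.

# Constructed sample lines (not real captures). In real use pipe in:
#   journalctl -b -k | grep SFW2- | summarize_sfw2
SAMPLE_LOG='Jan 10 12:00:01 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:02 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:03 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:cc:08:00 SRC=192.168.1.21 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan 10 12:00:04 host kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=192.168.1.30 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:05 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:ee:08:00 SRC=192.168.1.22 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Reads log lines on stdin, prints one line per distinct tuple:
#   <count> <action> <src> <dst> <proto> <dpt>   (most frequent first)
summarize_sfw2() {
  awk '
    /SFW2-/ {
      action = "?"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SFW2-/)       { split($i, p, "-"); action = p[3] }
        else if ($i ~ /^SRC=/)   src   = substr($i, 5)
        else if ($i ~ /^DST=/)   dst   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      count[action " " src " " dst " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | summarize_sfw2
```

A repeated `DROP ... UDP 137` tuple to the subnet broadcast address is the kind of line that the "chatty Windows hosts" discussion later in this thread is about; seeing the counts per tuple is usually enough to decide whether a packet capture is warranted.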

Thanks! :cool:

I currently have eth0 set as “No zone assigned”.
Since I’m connected to a home router,
I guess “Internal Zone” would be the appropriate choice?
I’ll probably just go with the disable logging option,
until I understand what those Windows computers
are trying to accomplish with this traffic.

There’s no port shown with DST=; it’s just a generic subnet IP.

Then by default it is treated as external.

Since I’m connected to a home router,
I guess “Internal Zone” would be the appropriate choice?

If you do that you may as well not have the firewall running. Having said that the router should be doing firewalling from outside. It’s just your other hosts on the LAN that you need to be concerned with (or not).

SuSEfirewall2 has three different zones by default:

  • EXT - External Zone (ie untrusted, Internet)
  • INT - Internal Zone (fully trusted, no filtering, LAN)
  • DMZ - Demilitarized Zone (for servers that should be reachable from the Internet)

https://en.opensuse.org/SuSEfirewall2#Firewall_Zones

With SuSEFW2, as you describe, the default zone configuration is “No zone assigned”, and what that means is that any modifications you do are applied to all zones.
Only after you’ve assigned a zone to an interface will you then need to define internal, external and DMZ zones.

If the log entry doesn’t display sufficient information about the mystery packets, probably the next logical step is to capture the packets and display with an app like Wireshark.

From the size and your description of its frequency it’s likely a UDP packet, and my personal guess would be that it’s an ARP. Although it shouldn’t be the default nowadays with the latest Windows, earlier Windows versions were known to be extremely “chatty” on the network, querying for other hosts on the local network.

HTH and IMO,
TSU
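The zone and logging choices discussed above end up as variables in /etc/sysconfig/SuSEfirewall2 (YaST writes the same file). The fragment below is an added example, not from the thread or the openSUSE documentation: it shows the setting that keeps filtering on for eth0 (the interface named in the thread) with "Log Only Critical" for dropped packets, beside the INT assignment that switches filtering off for that interface.

```shell
# Added example: /etc/sysconfig/SuSEfirewall2 fragment (variable names are
# the real SuSEfirewall2 ones; eth0 is the interface from the thread).

# Recommended for a LAN you do not fully trust: keep eth0 in the external
# zone so the filter rules still apply to the other hosts on the LAN.
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""

# Weak alternative: putting eth0 in INT means no filtering at all on it,
# which is the "may as well not have the firewall running" case above.
# FW_DEV_EXT=""
# FW_DEV_INT="eth0"

# Logging: YaST "Log Only Critical" for dropped and accepted packets.
# "Log All" sets the *_ALL variables to yes; "Do Not Log Any" sets all four to no.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"

# Apply the change (run as root):  systemctl restart SuSEfirewall2
```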