in reply to FUT - Change IPtables rules based on log messages

This looks interesting, so I've installed it on my dev machine. A number of points occur to me:

(1) Although the default config file specifies:

    # initialize fut_drop to default action of log and drop
    init_fut_drop : 1

... this doesn't cause the creation of the relevant DROP and LOG rules in the fut-drop-log chain.

Changing the initial declaration of $default_drop in the code, to set it to 1 instead of leaving it undef, fixed that:

    my $default_drop = 1;   # use our drop or one speced by user

(2) Each invocation of the code (even without the above change) causes an additional RETURN rule to be appended to the fut chain.

(3) Having futzed (no pun intended) about with the ssh pattern in deep_match in the config (to cope with my installation), I've successfully blocked on invalid username login attempts. However, despite the spurn_time being left at default (1800s), the block does not appear to time out.

(4) FUT's logging of its SKIP messages via syslog (including the whole log line that it has just failed to perform a deep_match on), coupled with the quick_match scanning, triggers a loop. The loop continues until the length of the repeatedly prepended SKIP messages exceeds the syslog line length and the string that quick_match originally spotted disappears off the end, e.g.:

(Update: lines of syslog output snipped - it was my syslog.conf at fault here)

Hope this is useful feedback.

Update: This is based on using FUT with Perl 5.8.1 on an old RedHat 7.3 system

S.
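Added example, not FUT's own code: a minimal model of the quick_match / deep_match / spurn_time mechanics the post describes, written in Python rather than FUT's Perl so it runs stand-alone. It records the iptables commands it would run instead of executing them, carries out the timed unblock that point (3) says was missing, and includes the guard against the self-triggering loop in point (4): its own syslog output (tagged with an assumed program name) is never scanned, because a SKIP message quotes the very line that just passed quick_match. The config names, the program tag `fut`, the `-I/-D fut ... -j fut_drop_log` command form and the sample log lines are all assumptions or constructed for the example; only the chain names `fut` and `fut_drop_log` come from the thread.

```python
import re
from dataclasses import dataclass, field

# Assumed config, modelled loosely on the post's quick_match / deep_match /
# spurn_time (this is NOT FUT's real config syntax).
QUICK_MATCH = "Invalid user"                       # cheap substring pre-filter
DEEP_MATCH = re.compile(r"Invalid user \S+ from (\d{1,3}(?:\.\d{1,3}){3})")
SPURN_TIME = 1800                                  # block lifetime in seconds (post's default)
OUR_TAG = "fut"                                    # syslog program name we log under (assumed)
CHAIN, TARGET = "fut", "fut_drop_log"              # chain names as they appear in the thread

# Classic syslog line: "Mar 29 18:12:39 host prog[pid]: message"
SYSLOG_LINE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ([A-Za-z_][\w-]*)(?:\[\d+\])?: (.*)$"
)

# Constructed sample input. Timestamps are passed in separately so expiry is deterministic.
SAMPLE_LOG = [
    "Mar 29 18:12:39 devbox sshd[1234]: Invalid user admin from 10.0.1.2 port 4022",
    "Mar 29 18:12:40 devbox sshd[1235]: Invalid user test from 10.0.1.2 port 4023",
    "Mar 29 18:12:41 devbox sshd[1236]: Invalid user root from not-an-ip",
    # The watcher's own SKIP message, as syslog hands it back if it is logged to a
    # facility we also read. It quotes the line that just passed quick_match.
    "Mar 29 18:12:42 devbox fut[999]: SKIP no deep_match: Mar 29 18:12:41 devbox "
    "sshd[1236]: Invalid user root from not-an-ip",
    "Mar 29 18:12:43 devbox sshd[1237]: Accepted publickey for bob from 10.0.1.3 port 4100",
]
BASE = 1_000_000  # arbitrary epoch for the demo


@dataclass
class Watcher:
    ignore_self: bool = True                        # the loop guard for point (4)
    blocked: dict = field(default_factory=dict)     # ip -> epoch when the block expires
    commands: list = field(default_factory=list)    # iptables commands we *would* run
    skipped: list = field(default_factory=list)     # quick_match hit, deep_match miss

    def iptables(self, *args):
        # Dry run: record the command. A real daemon would subprocess.run(["iptables", *args]).
        self.commands.append("iptables " + " ".join(args))

    def handle_line(self, line, now):
        m = SYSLOG_LINE.match(line)
        if not m:
            return None
        prog, msg = m.group(1), m.group(2)
        # Never scan our own syslog output; the SKIP text re-triggers quick_match otherwise.
        if self.ignore_self and prog == OUR_TAG:
            return None
        if QUICK_MATCH not in msg:
            return None
        d = DEEP_MATCH.search(msg)
        if not d:
            self.skipped.append(f"SKIP no deep_match: {line}")
            return None
        ip = d.group(1)
        if ip not in self.blocked:
            self.iptables("-I", CHAIN, "-s", ip, "-j", TARGET)
        self.blocked[ip] = now + SPURN_TIME          # new block, or extend an existing one
        return ip

    def expire(self, now):
        # Remove rules whose spurn_time has passed and report which addresses were released.
        gone = [ip for ip, t in self.blocked.items() if t <= now]
        for ip in gone:
            del self.blocked[ip]
            self.iptables("-D", CHAIN, "-s", ip, "-j", TARGET)
        return gone


def run_demo(ignore_self=True):
    w = Watcher(ignore_self=ignore_self)
    for i, line in enumerate(SAMPLE_LOG):
        w.handle_line(line, BASE + i)
    return w


if __name__ == "__main__":
    w = run_demo()
    print("blocked:", w.blocked)
    print("released after spurn_time:", w.expire(BASE + 1 + SPURN_TIME))
    print("\n".join(w.commands))
    print("without the self guard, skipped grows to", len(run_demo(ignore_self=False).skipped))
```

With the guard on, the SKIP line tagged `fut` is dropped before quick_match sees it; with it off, the same line is scanned, fails deep_match, and would be logged again, which is the growth the post describes. The expiry pass is what a daemon has to call on a timer (or on each line) for spurn_time to mean anything.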

Re^2: FUT - Change IPtables rules based on log messages
by mikeraz (Friar) on Mar 29, 2006 at 15:09 UTC

    With respect to issue #4, the ever-growing syslog message, how is your syslog.conf? FUT doesn't log to the mail, kern, or daemon facilities. So its SKIP message should not show up in your input stream.

    Issue #2, the repeated insertion of RETURN rule, was fixed in v.26

    WRT a rule not timing out, if you send fut a USR1 signal /tmp/fut.dump is created with a listing of all blocked sites and the time the block expires. What does it show?

    Be Appropriate && Follow Your Curiosity

      WRT syslog - that's my oops, apologies. I've corrected the problem.

      I've grabbed v26, installed the default config file for it and I'm getting a segfault on the first run. Checking iptables, fut's successfully created the fut chain, but not the fut_drop_log chain. I've tested this both with an empty iptables and with my existing ruleset in place.

      kill -USR1 $pid_of_fut doesn't generate any output in /tmp I'm afraid.

      Update (Duh!) It'd help if I actually had something blocked, of course. When I do, this is the output:

      10.0.1.2              1      22      22   Wed Mar 29 18:12:39 2006

        WRT syslog - wouldn't hurt for me to have defensive code for the case.

        WRT segfault ... It'll have to wait until I'm home and can check the code. Hmmm, 6:00am changes, perhaps not the best of ideas.

        WRT - Janitors, OK to use perlmonks as a support forum?

        Be Appropriate && Follow Your Curiosity
Re^2: FUT - Change IPtables rules based on log messages
by mikeraz (Friar) on Mar 29, 2006 at 05:47 UTC

    It is. Thank you.

    Be Appropriate && Follow Your Curiosity