Firewall Monitor allows you to monitor ipchains/iptables output in realtime. It supports both logging to a file/stdout and/or to tcpdump format capture logs. It also supports security features such as running non-root, and chrooting itself.
Fwmon can easily be integrated into an existing ipchains ruleset. As an example, fwmon can be easily integrated into the excellently commented TrinityOS ruleset available from http://www.ecst.csuchico.edu/~dranch/LINUX. The enhanced logging may be selectively added to specific existing rules by adding a new user-defined rule to the default ACCEPT, REJECT and DENY rules. This program has been known in the past as "Firestorm Firewall Monitor", however it shares nothing with firestorm.
If you wish to retain current ipchains logging features which RedHat and TurboLinux among other distributions make to /var/log/messages and add the additional features of fwmon, keep the '-l' option (or the $LOGGING equivalent used in TrinityOS) for those rules of interest. Fwmon data will be placed in a separate file (user-configurable) via a new target of those rules for which the capability is desired. Note that this new rule will not contain the '-l' (or $LOGGING) flag so packets trapped by a primary rule are not logged twice by ipchains. Additionally, by retaining the ipchains logging in primary rules, the rule number that caused the logging is contained in the ipchains log entries, and not the rule number of the new chain.
As a guide for adding this new chain, the TrinityOS rule set begins with setting of various parameters used with firewalls (flag settings in the /proc directory, loading of modules, etc), then rules are grouped in INPUT, OUTPUT and FORWARD sections. Since this new rule will be a 'target' of other rules, it must be placed BEFORE the first rule which references it to avoid errors the first time the ruleset is loaded. We suggest that a new section defining the rule be placed just before the INPUT rules section and consist of:
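The following ruleset fragment is an added illustration of the layout described above; it is not part of fwmon or the TrinityOS ruleset. It assumes the user-defined chain is named "fwmon", that fwmon picks up packets through ipchains' "-o" userspace-copy option in that chain, and an external interface named eth0. The primary rule keeps '-l' and the real target, while the rule in the new chain carries no '-l', so each packet is logged by ipchains only once and the syslog entry names the primary rule.

```shell
#!/bin/sh
# Added example (not fwmon's or TrinityOS' own code): an ipchains ruleset
# fragment with a user-defined "fwmon" chain placed before the INPUT section.
# Assumptions: chain name "fwmon", the "-o" userspace-copy option as the hook
# fwmon reads from, and eth0 as the external interface.

IPCHAINS=${IPCHAINS:-/sbin/ipchains}
EXTIF=${EXTIF:-eth0}    # assumed external interface name

# Section placed just before the INPUT rules: define the chain first, since
# ipchains refuses "-j fwmon" in a rule loaded before the chain exists.
define_fwmon_chain() {
    $IPCHAINS -N fwmon
    # Hand a copy of the packet to userspace for fwmon. Deliberately no -l:
    # the primary rule already logs to syslog, so nothing is logged twice.
    $IPCHAINS -A fwmon -o
}

# Emit the pair of rules for one match. The jump to fwmon goes first, because
# the primary rule's DENY/REJECT would otherwise end processing before it.
# Usage: monitored_rule <builtin chain> <target> <ipchains match options...>
monitored_rule() {
    mr_chain=$1
    mr_target=$2
    shift 2
    $IPCHAINS -A "$mr_chain" "$@" -j fwmon
    $IPCHAINS -A "$mr_chain" "$@" -l -j "$mr_target"
}

# INPUT section: two constructed sample rules that get the extra fwmon logging.
input_rules() {
    # telnet attempts from the outside: copy to fwmon, then log and deny
    monitored_rule input DENY   -i "$EXTIF" -p tcp -s 0/0 -d 0/0 23
    # NetBIOS name service from the outside: copy to fwmon, then log and reject
    monitored_rule input REJECT -i "$EXTIF" -p udp -s 0/0 -d 0/0 137
}

load_ruleset() {
    define_fwmon_chain
    input_rules
}

# Run as "sh fwmon-rules.sh load" to apply; with IPCHAINS=echo it prints the
# rules instead, which is handy for reviewing the ordering before loading.
if [ "${1:-}" = "load" ]; then
    load_ruleset
fi
```

Setting IPCHAINS=echo before calling the functions shows the generated rules without touching the kernel, so the chain definition's position and the absence of '-l' in the fwmon chain can be checked before the script is run for real.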
What's New in This Release:
· Fixed logrotate problems with libpcap files. There is still a race condition but under normal circumstances you shouldn't encounter it, I'll think about fixing it all the same.