The Logging Tab

The Logging tab holds many options for controlling what events are logged and how they are logged.

The Log blocked packets checkbox controls whether packets that are blocked by Guarddog are logged in the system log. A packet that is not part of a permitted protocol is blocked by default. When this checkbox is ticked, blocked packets are logged.

The Log rejected packets checkbox controls whether packets that are rejected by Guarddog are logged in the system log. Protocols are marked to be rejected on the Protocol tab by putting a cross in their checkbox. When this checkbox is ticked, any rejected packets are logged.

The Log aborted TCP connections (half open scans) checkbox controls whether TCP connections that are forcefully terminated using a RST packet are logged. A port scanning technique known as "half-open" scanning uses RST packets to quickly abort a half-open TCP connection in order to avoid detection. This can be done using nmap's -sS option. By turning this option on you can detect and log when this happens. Unfortunately, many web servers like to quickly terminate connections by using a RST packet. This can produce quite a lot of unwanted noise in your system logs. Therefore you may want to turn this option off. Also, this option only has effect when the firewall is used on a Linux kernel 2.4 machine in combination with iptables.

Tip

Packet logs are received by syslog. Consult the syslog manual page for more information.

Rate Limiting

This group of options allows you to specify how Guarddog should limit the rate at which messages are placed in the system log. Rate Limited logging is intended to stop someone from performing a Denial of Service attack against your machine by flooding it with packets and trying to fill your system log files and disk space.

The Rate limit logging checkbox controls whether packet logging should be rate limited or not. It is recommended that this be left on.

The Rate widget allows you to specify the maximum average rate that packet log entries may be added to the system log. The rate may be specified in terms of the number of entries per second, minute, hour or day.

The Rate widget sets only the average maximum logging rate. Packets to be logged often come in bursts of many packets in very quick succession. The Burst widget allows you to specify how many packets in a burst may be logged. Once the burst limit has been reached, the average logging rate is enforced.

Tip

For more information on exactly how this works, consult the iptables documentation and the Linux kernel source /net/ipv4/netfilter/ipt_limit.c file.

The Warn when limiting checkbox controls whether Guarddog should put warning messages in the system log when it has been forced to apply rate limiting to the packet log messages. When rate limiting is applied to packet log messages, only a limited number of messages appear in the log, while the rest are omitted. When you come to view the system log, it is useful to know if packet log messages have been omitted due to rate limiting.

The Warning rate widget allows you to specify how often warning messages should be placed in the system log when rate limiting is being used.

Tip

The warning messages in the system log have the word LIMITED at the start of the line.
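The following is an added illustration of how the Rate and Burst settings interact, modelled on the token bucket of the iptables limit match (ipt_limit.c) that the rate limiting above relies on. It is not Guarddog's own code; the packet timings are constructed, and treating Warn when limiting as a second limit match applied only to omitted packets is an assumption.

```python
"""Model of the iptables 'limit' match (the token bucket in ipt_limit.c)
on which Guarddog's rate-limited packet logging relies.  Added example,
not Guarddog's own code; the packet timings below are constructed."""
from dataclasses import dataclass


@dataclass
class LimitMatch:
    """One iptables '-m limit' instance: --limit (events/second) and --limit-burst."""
    rate_per_sec: float
    burst: int

    def __post_init__(self):
        self.credit = float(self.burst)  # the bucket starts full
        self.prev = 0.0                  # time of the previous packet seen

    def matches(self, now):
        # Refill credit for the time elapsed since the last packet (matched
        # or not), never exceeding the burst size; then spend one credit.
        self.credit = min(float(self.burst),
                          self.credit + (now - self.prev) * self.rate_per_sec)
        self.prev = now
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def simulate_logging(packet_times, rate_per_sec, burst,
                     warn_rate_per_sec=1 / 60, warn_burst=1):
    """Count how many blocked packets reach the system log.

    'Warn when limiting' is modelled (assumption) as a second limit match
    that sees only the packets the first one omitted.
    """
    log_limit = LimitMatch(rate_per_sec, burst)
    warn_limit = LimitMatch(warn_rate_per_sec, warn_burst)
    logged = omitted = warnings = 0
    for t in sorted(packet_times):
        if log_limit.matches(t):
            logged += 1
        else:
            omitted += 1
            if warn_limit.matches(t):
                warnings += 1  # one LIMITED line per warning period
    return {"logged": logged, "omitted": omitted, "warnings": warnings}


if __name__ == "__main__":
    # Constructed flood: 25 packets at once, then two more four seconds later,
    # with a rate of 15/minute (0.25/s) and a burst of 10.
    times = [0.0] * 25 + [4.0, 4.0]
    print(simulate_logging(times, rate_per_sec=15 / 60, burst=10))
```

With these settings only the first ten packets of the flood are logged; four seconds later exactly one credit has been refilled, so one more packet is logged and the next is omitted again.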

Logging Options

The Log IP Options checkbox controls whether the options field in the IP header of a packet should be included in a packet log message.

The Log TCP Options checkbox controls whether the options field in the TCP header of a packet should be included in a packet log message.

The Log TCP sequence numbers checkbox controls whether the TCP sequence number for a packet should be included in a packet log message.

The Logging Priority selector specifies the logging priority used when sending log messages to the system log. See the documentation for syslog.conf for more information.