
Firewall setup warning #55

Closed
poperigby opened this issue Apr 6, 2020 · 12 comments

@poperigby

I'm getting this error message after running sudo psad --fw-analyze

[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on haddock. For more information,
see the file "FW_HELP" in the psad sources directory or visit:

http://www.cipherdyne.org/psad/docs/fwconfig.html

I followed the link it gave me and entered these two lines:

# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

but I'm still getting the error.

@hellresistor
Contributor

Are you using iptables or ufw?

@poperigby
Author

poperigby commented Apr 10, 2020 via email

@hellresistor
Contributor

Try these commands:

# back up the four ufw rules files before editing them
cp --preserve /etc/ufw/before.rules /etc/ufw/before.rules.$(date +"%Y%m%d%H%M%S")
cp --preserve /etc/ufw/before6.rules /etc/ufw/before6.rules.$(date +"%Y%m%d%H%M%S")
cp --preserve /etc/ufw/after.rules /etc/ufw/after.rules.$(date +"%Y%m%d%H%M%S")
cp --preserve /etc/ufw/after6.rules /etc/ufw/after6.rules.$(date +"%Y%m%d%H%M%S")
# let this host send ICMP (IPv4 only); the second rule is a subset of the first
sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A ufw-before-output -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT' /etc/ufw/before.rules
## add this at the end but before the COMMIT line (each sed inserts in front of every COMMIT; the stock files have exactly one):
# log all traffic so psad can analyze
sed -i '/^COMMIT/i -A INPUT -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A FORWARD -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/before.rules
sed -i '/^COMMIT/i -A INPUT -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/before6.rules
sed -i '/^COMMIT/i -A FORWARD -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/before6.rules
sed -i '/^COMMIT/i -A INPUT -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/after.rules
sed -i '/^COMMIT/i -A FORWARD -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/after.rules
sed -i '/^COMMIT/i -A INPUT -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/after6.rules
sed -i '/^COMMIT/i -A FORWARD -j LOG --log-tcp-options --log-prefix "[UFW "' /etc/ufw/after6.rules
# apply the edited files
ufw reload

;)

@poperigby
Author

That worked. Thanks!

@kpua

kpua commented Dec 15, 2021

Super, thanks!

@slesru

slesru commented Apr 8, 2024

OK, what is the solution if I run just iptables on Ubuntu 23.10?
I already have
-A INPUT -j LOG
-A FORWARD -j LOG

And psad works, only an annoying warning on startup.
Why?

@TechMiner-UK

TechMiner-UK commented Apr 14, 2024

> OK, what is the solution if I run just iptables on Ubuntu 23.10? I already have -A INPUT -j LOG -A FORWARD -j LOG
>
> And psad works, only an annoying warning on startup. Why?

Same here. I've added those and it still errors out; the only way to get it not to error is to manually enter the following commands:
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

However, the rules then don't persist after reloading UFW. I'm 95% sure it's a me issue, but for the life of me I can't figure out what is wrong.
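An added example, not part of this thread and not psad's or ufw's own code, covering the two points the comments above circle around. Rules added with the iptables command line live only in the kernel; ufw reload rebuilds the ruleset from /etc/ufw/*.rules, so those live additions disappear and the LOG rule has to go into the rules files instead. The script below inserts the rule into a ufw rules file exactly once, in front of the COMMIT that closes the filter table (re-running the sed one-liners posted earlier appends a duplicate each time), and checks an iptables-save or ip6tables-save dump for the default LOG rules in INPUT and FORWARD that psad's warning is about. Function and variable names are mine; the rule text and the "[UFW " prefix are the ones posted in the thread; "default LOG rule" is taken here to mean a -j LOG rule with no match criteria, which is my reading of psad's wording. Both sample inputs are constructed for the demo, not captured from a host.

```shell
#!/usr/bin/env bash
# Added example (not psad's or ufw's own code), see lead-in.
#   add_log_rule FILE CHAIN   insert "-A CHAIN -j LOG ..." before the COMMIT of the *filter
#                             table in a ufw rules file, only if that exact line is absent.
#   check_log_rules [FILE]    read an iptables-save dump (file or stdin); for INPUT and
#                             FORWARD in the filter table, report whether a default LOG rule
#                             (-j LOG, no match criteria) exists and is reachable, i.e. not
#                             placed after an unconditional DROP/REJECT/ACCEPT.
# sample_* functions are constructed inputs, not captured from a real host.

LOG_PREFIX='[UFW '   # same prefix as the rules posted in the thread

add_log_rule() {
  local file="$1" chain="$2" rule tmp
  rule="-A $chain -j LOG --log-tcp-options --log-prefix \"$LOG_PREFIX\""
  grep -qxF -- "$rule" "$file" && return 0          # already there: idempotent, nothing to do
  tmp=$(mktemp) || return 1
  awk -v rule="$rule" '
    /^\*/   { table = substr($0, 2) }                # "*filter", "*nat", ...
    /^COMMIT/ && table == "filter" && !done { print rule; done = 1 }
    { print }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"         # cat, not mv: keeps owner and mode
  rm -f "$tmp"
}

check_log_rules() {
  awk '
    /^\*/     { table = substr($0, 2); next }
    /^COMMIT/ { table = ""; next }
    table != "filter" || $1 != "-A" { next }
    $2 == "INPUT" || $2 == "FORWARD" {
      chain = $2
      if ($3 != "-j") next                           # has match criteria: not a default rule
      if ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT") blocked[chain] = 1
      if ($4 == "LOG") { if (blocked[chain]) shadowed[chain] = 1; else found[chain] = 1 }
    }
    END {
      rc = 0
      split("INPUT FORWARD", chains, " ")
      for (i = 1; i <= 2; i++) {
        c = chains[i]
        if (found[c])         printf "%s: ok, default LOG rule present\n", c
        else if (shadowed[c]) { printf "%s: LOG rule sits after an unconditional terminating rule and never fires\n", c; rc = 1 }
        else                  { printf "%s: no default LOG rule\n", c; rc = 1 }
      }
      exit rc
    }' "$@"
}

sample_before_rules() {
  # Constructed, trimmed stand-in for /etc/ufw/before.rules (filter table only).
  cat <<'EOF'
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
COMMIT
EOF
}

sample_iptables_save() {
  # Constructed iptables-save dump: INPUT has a reachable default LOG rule,
  # FORWARD's LOG rule was appended after an unconditional DROP and can never match.
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-tcp-options --log-prefix "[UFW "
-A FORWARD -j DROP
-A FORWARD -j LOG
COMMIT
EOF
}
```

Typical use on a ufw host: `add_log_rule /etc/ufw/before.rules INPUT` and `add_log_rule /etc/ufw/before.rules FORWARD` (and the before6.rules pair), then `ufw reload`, then `iptables-save | check_log_rules` and `ip6tables-save | check_log_rules`. A non-zero exit from the checker means the loaded ruleset still lacks a reachable default LOG rule and psad's warning will come back.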

@hellresistor
Contributor

You should install iptables-persistent.

Take a look here: https://linuxconfig.org/how-to-make-iptables-rules-persistent-after-reboot-on-linux

@Fuckingnameless

Fuckingnameless commented Apr 18, 2024

[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on debian. For more information,
see the file "README" in the psad sources directory or visit: http://www.cipherdyne.org/psad/docs/fwconfig.html

[-] Errors found in firewall config.

How do I debug what is causing the error?

@Fuckingnameless

I have tried everything I could find, including this "fix", but I'm still getting these errors:

Danger level: [2] (out of 5)

Scanned destinations: 1

           Source: fe80:0000:0000:0000:5ec9:d3ff:febd:5dd3
              DNS: [No reverse dns info available]

      Destination: 2804:07f4:fb80:ee1a:8239:66fc:c942:39f2
              DNS: [No reverse dns info available]

Overall scan start: Thu Apr 18 00:55:32 2024
Total email alerts: 9
Syslog hostname: debian

     Global stats:
                   chain:   interface:  protocol:  packets: 
                   INPUT    enp6s0      icmp6      40       

[+] ICMP6 scan signatures:

Invalid ICMP type "137" chain=INPUT packets=3

[+] Whois Information (source IP):
Unknown AS number or IP network. Please upgrade this program.

@Fuckingnameless

It was the stupid router pinging the all-hosts group, it seems.

@slesru

slesru commented Apr 18, 2024

I think it is better to have a config option to suppress these messages; I guess the admin knows better what to do.
