Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall

Bob Edwards Robert.Edwards at anu.edu.au
Fri Nov 29 00:09:55 EST 2002

Matthew Hawkins wrote:
> Bob Edwards (Robert.Edwards at anu.edu.au) wrote:
>>We always log from our firewalls to dedicated log hosts located on the 
>>inside network.
> When I pointed this out to Alex, his argument was that should the
> internal log host die or be unavailable for a period of time, you lose
> your logs.
> What I didn't think of at the time (since I was only half-interested ;)
> is the fact that should the logs be kept on the firewall, and the
> firewall dies, you lose your logs anyway!

Seems to me that it would be a lot easier to keep a log host alive in a nice 
protected environment behind the firewall etc. than it would be to keep the 
firewall itself alive, exposed as it is to the vagaries of the outside world.

I guess that if you are more interested in logs than firewalling, then you may 
want your firewall machine to die (and stop routing packets) when its log 
files become full. In our environment, we prefer to keep packet filtering 
rather than logging, so should the log host ever stop logging for whatever 
reason, the firewall will still keep on packet filtering.

So, I guess there is a challenge. Swamp our firewall machine with packets to 
completely fill up the log host, then, when you are sure our log host has been 
DOS'd, launch your attack in the safe knowledge that we won't have records to 
track you down :-) A word of warning - I don't think our log host has ever 
gone over 50% disk usage.

> The other counter-argument which also springs to mind is the fact that
> Alex doesn't read the log files anyway, so what should he care where
> they are? ;)
> I also believe that some versions of syslog will buffer log messages if
> the remote logging host is unavailable.

Syslog, as I understand it, runs over UDP and so won't buffer anything as it 
isn't connection oriented. Some of our more critical servers log to both the 
log host and to files. It is easy enough to see that few, if any, log messages 
ever get lost on their way to the log host. The log host itself is usually a 
slow old machine; it doesn't do anything except log messages and rotate the 
logs (daily). It certainly doesn't accept logins from mortals.


Bob Edwards.
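
The cross-check mentioned in the message above (log to both local files and the log host, then see what was lost over UDP), written out as an added example that is not part of the original post. It assumes traditional `Mon dd hh:mm:ss host message` file lines and that both sides record the same hostname; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Traditional BSD syslog file line: "Nov 29 00:09:55 host tag[pid]: message"
LINE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")

def count_messages(lines):
    """Count (host, body) pairs. Timestamps are ignored because the log
    host may stamp a message with its own receive time."""
    seen = Counter()
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if m:  # skip lines that are not in the assumed format
            seen[(m.group(1), m.group(2))] += 1
    return seen

def lost_in_transit(local_lines, loghost_lines, host):
    """Return {body: count} for messages `host` wrote to its own files
    that never showed up on the log host."""
    local = Counter({k: v for k, v in count_messages(local_lines).items() if k[0] == host})
    remote = count_messages(loghost_lines)
    missing = local - remote  # Counter subtraction keeps only positive counts
    return {body: n for (_, body), n in missing.items()}

def loss_rate(local_lines, loghost_lines, host):
    """Fraction of the host's locally recorded messages missing remotely."""
    total = sum(n for (h, _), n in count_messages(local_lines).items() if h == host)
    lost = sum(lost_in_transit(local_lines, loghost_lines, host).values())
    return lost / total if total else 0.0

# Constructed sample data: the firewall's own file and the log host's copy.
LOCAL = [
    "Nov 29 00:01:02 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DPT=23",
    "Nov 29 00:01:02 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DPT=23",
    "Nov 29 00:01:05 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DPT=111",
    "Nov 29 00:02:00 fw1 sshd[411]: Accepted publickey for admin",
]
LOGHOST = [
    "Nov 29 00:01:03 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DPT=23",
    "Nov 29 00:02:00 fw1 sshd[411]: Accepted publickey for admin",
    "Nov 29 00:02:10 web1 httpd: started",
]

if __name__ == "__main__":
    print(lost_in_transit(LOCAL, LOGHOST, "fw1"))
    print(f"loss rate: {loss_rate(LOCAL, LOGHOST, 'fw1'):.0%}")
```

A loss rate that climbs during traffic bursts is the signal to watch, since that is when UDP datagrams to the log host are most likely to be dropped.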
