Examples of 'dpkg --get-selection > packagesinstalled.txt' for firewall
Bob Edwards
Robert.Edwards at anu.edu.au
Fri Nov 29 00:09:55 EST 2002
Matthew Hawkins wrote:
> Bob Edwards (Robert.Edwards at anu.edu.au) wrote:
>
>>We always log from our firewalls to dedicated log hosts located on the
>>inside network.
>
>
> When I pointed this out to Alex, his argument was that should the
> internal log host die or be unavailable for a period of time, you lose
> your logs.
>
> What I didn't think of at the time (since I was only half-interested ;)
> is the fact that should the logs be kept on the firewall, and the
> firewall dies, you lose your logs anyway!
>
Seems to me that it would be a lot easier to keep a log host alive in a nice
protected environment behind the firewall etc. than it would be to keep the
firewall itself alive, exposed as it is to the vagaries of the outside world.
I guess that if you are more interested in logs than firewalling, then you may
want your firewall machine to die (and stop routing packets) when its log
files become full. In our environment, we prefer to keep packet filtering than
logging, so should the log host ever stop logging for whatever reason, the
firewall will still keep on packet filtering.
So, I guess there is a challenge. Swamp our firewall machine with packets to
completely fill up the log host, then, when you are sure our log host has been
DOS'd, launch your attack in the safe knowledge that we won't have records to
track you down :-) A word of warning - I don't think our log host has ever
gone over 50% disk usage.
> The other counter-argument which also springs to mind is the fact that
> Alex doesn't read the log files anyway, so what should he care where
> they are? ;)
>
> I also believe that some versions of syslog will buffer log messages if
> the remote logging host is unavailable.
>
Syslog, as I understand it, runs over UDP and so won't buffer anything as it
isn't connection oriented. Some of our more critical servers log to both the
log host and to files. It is easy enough to see that few, if any, log messages
ever get lost on their way to the log host. The log host itself is usually a
slow old machine, it doesn't do anything except log messages and rotate the
logs (daily). It certainly doesn't accept logins from mortals.
Cheers,
Bob Edwards.
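Bob's point that servers logging both to local files and to the log host make it easy to see whether anything is lost over UDP can be turned into a routine check. This is an added example, not code from the original post: a small Python script that compares a firewall's local syslog file against the log host's copy of the same lines (both samples constructed here) and reports the messages that never arrived. It assumes classic BSD syslog line format and that the timestamp may differ between the two copies, so only host and payload are compared.

```python
import re
from collections import Counter

# Constructed sample: the same syslog lines as written locally on the firewall
# and as received by the log host over UDP. One line was dropped in transit.
LOCAL_LOG = """\
Nov 29 00:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Nov 29 00:01:03 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
Nov 29 00:01:03 fw sshd[123]: Accepted publickey for bob from 198.51.100.7 port 4000
Nov 29 00:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
"""

REMOTE_LOG = """\
Nov 29 00:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Nov 29 00:01:04 fw sshd[123]: Accepted publickey for bob from 198.51.100.7 port 4000
Nov 29 00:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
"""

# Classic BSD syslog line: "Mmm dd hh:mm:ss host tag: message".  The timestamp
# is dropped before comparison (assumption: the two copies may be stamped a
# second or so apart), so lines are matched on host and payload only.
_LINE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")

def _keys(text):
    """Return a multiset of (host, payload) keys for every parseable log line."""
    keys = Counter()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            keys[(m.group(1), m.group(2))] += 1
    return keys

def lost_messages(local_text, remote_text):
    """Lines present in the local file but absent from the log host copy.

    Returns (lost, total): lost is a sorted list of (host, payload) keys with
    one entry per missing occurrence; total is the number of local messages.
    """
    local, remote = _keys(local_text), _keys(remote_text)
    lost = sorted((local - remote).elements())
    return lost, sum(local.values())

if __name__ == "__main__":
    lost, total = lost_messages(LOCAL_LOG, REMOTE_LOG)
    print(f"{len(lost)} of {total} messages never reached the log host")
    for host, payload in lost:
        print("  missing:", host, payload)
```

A steadily rising loss count on the log host is the signal that it is being swamped or is unreachable, which is exactly the situation the discussion above describes.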