I was just wondering if anyone else out there using firestarter has ever seen anything display under the Events tab?
I was guessing that it should show any blocked events, but nothing ever shows up there on mine. Even though I 'know' some events have been blocked. For example: I tried to ftp or telnet, etc.. to it from another system and it was blocked (I could see it in the iptables.log), but it never showed up under the events tab of firestarter...
It logs my device activity and connections on the first tab (Status) fine.
Things that make you go, Hmmmmmmmm.
--
Some of the world's greatest feats were
accomplished by people not smart enough
to know they were impossible.
-- Doug Larson
Offline
I use firestarter and it appears I never get anything under events
"The only thing we have to fear is fear itself." - Franklin D. Roosevelt
Offline
I use it on my ubuntu box at work, and it works fine. I get reports on events all the time. Lots of icmp traffic.
I don't use it on my home arch box. I just do manual iptables rules there.
heh. At work I am lazy.
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
Offline
I wonder: are you in Gnome @ work? I'm in fluxbox, I'll have to try it under Gnome when I get back home.
Darn, typing on my treo is painful!
Offline
> I wonder: are you in Gnome @ work?
I am indeed.
Offline
Hmmmmm. Well after numerous weather delays, I finally made it home last night. I tested firestarter in Gnome and I'm still not getting events being logged.
I can tail my iptables log file and see it, but nothing ever shows up under the events tab in firestarter...DangIt!
Oh well....So much for being lazy and using firestarter, I'll just go back to my iptables. Although I would like some of the functionality it offers. I played with kmyfirewall, and didn't really care for it.
Do you know of any tools that run in the tray like firestarter and give the ability to view blocked events, add/edit rules etc..?
Offline
Unfortunately, no -- I do not know of any such tools offhand. :cry:
Offline
By default firestarter searches for log events in /var/log/messages, but since some time ago Arch logs iptables entries in various log files (the most obvious is /var/log/iptables), but not in /var/log/messages.
The solution is to configure firestarter so it looks in /var/log/iptables.
This thread in the firestarter mailing list gives the solution: http://sourceforge.net/mailarchive/foru … um_id=6322
The thread suggests you can do one of two things:
1.- ... from the command line use this: gconftool-2 --set --type string /apps/firestarter/client/system_log /path/to/the/new/file
2.- You can use gconf-editor (as root) and edit the same string as in 1.-
I used option 2 and it worked perfectly.
Not sure, but I think the pkgbuild could be updated so it has option 1 added. Maybe a bug report in the bug tracker?
Offline
> By default firestarter searches for log events in /var/log/messages, but since some time ago Arch logs iptables entries in various log files (the most obvious is /var/log/iptables), but not in /var/log/messages.
> The solution is to configure firestarter so it looks in /var/log/iptables.
It indeed worked. Thanks for the info!
.murkus
Offline
Which logfile?
I have no /var/log/iptables, but I have /var/log/lptables.log, and /var/log/iptables.log.1.
I tried:
gconftool-2 --set --type string /apps/firestarter/client/system_log /var/log/iptables.log
I still can't get anything to report in the events. I tried ssh, and even nessus, but it seems to block them so well, that it doesn't even bother to report the attempts.
--HAPS
Offline
I have mine set to read /var/log/messages.log because I use syslog-ng and it adds the .log extension to var/log/*
Offline
Sorry, I forgot the .log extension. The logfiles are /var/log/messages.log and /var/log/iptables.log
Sullivanva, not sure about the gconftool-2 command, because I used gconf-editor to change the string. I think you can use gconf-editor to check if the gconftool-2 command really worked and changed the value of the string apps/firestarter/client/system_log to var/log/iptables.log
If the value is correct, try restarting firestarter.
Wickedlester, I remember some time ago the iptables events were logged in messages.log, but I think because of some upgrade they stopped being logged in messages.log.
My system is up to date, so I wonder why you have iptables events logged in messages.log?
Maybe different versions of syslog-ng? My version is 1.6.8-1.
Also, as a side effect, and not knowing why, the events window is not being updated in real time, so you must use the reload button each time you want to see the most recent events.
Offline
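Added example, not part of any post in this thread: a way to settle the "which logfile?" question by checking which candidate file actually contains kernel netfilter LOG lines before pointing firestarter at it. The function names are hypothetical, the log lines are constructed samples, and the match pattern assumes the standard LOG-target field layout (IN=, OUT=, SRC=, DST=).

```shell
#!/bin/sh
# Added example: find which log file actually receives iptables LOG entries.
# Function names are hypothetical; the sample log lines are constructed.

# Kernel netfilter LOG lines carry IN=, OUT=, SRC= and DST= fields in this order.
NF_PATTERN='IN=[^ ]* OUT=[^ ]* .*SRC=[^ ]* DST=[^ ]* '

# count_nf_lines FILE -> number of netfilter LOG lines (0 if unreadable)
count_nf_lines() {
    if [ -r "$1" ]; then
        grep -c -e "$NF_PATTERN" "$1" 2>/dev/null || true
    else
        echo 0
    fi
}

# best_iptables_log FILE... -> prints the candidate holding the most LOG lines;
# returns 1 and prints nothing when no candidate holds any.
best_iptables_log() {
    best=""; best_n=0
    for f in "$@"; do
        n=$(count_nf_lines "$f")
        if [ "$n" -gt "$best_n" ]; then best=$f; best_n=$n; fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; else return 1; fi
}

# firestarter_log_command FILE... -> prints the gconftool-2 command to run
firestarter_log_command() {
    log=$(best_iptables_log "$@") || { echo "no iptables entries found" >&2; return 1; }
    printf 'gconftool-2 --set --type string /apps/firestarter/client/system_log %s\n' "$log"
}

# Demo on constructed logs: messages.log has no firewall lines, iptables.log has one.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Jan  9 10:00:01 host syslog-ng[411]: syslog-ng starting up' > "$d/messages.log"
    printf '%s\n' 'Jan  9 10:02:13 host kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=23 SYN' > "$d/iptables.log"
    firestarter_log_command "$d/messages.log" "$d/iptables.log" "$d/iptables"
    rm -rf "$d"
}
demo
```

On a real system, call firestarter_log_command with the candidates named in this thread (for example /var/log/messages.log and /var/log/iptables.log), run the printed command, and restart firestarter. The stored value can be read back with gconftool-2 --get /apps/firestarter/client/system_log.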
My syslog-ng version is 1.6.8-1. I did a pacman -Syu yesterday eve. firestarter version is 1.0.3-2. Also my events update constantly without having to refresh.
Offline
Well, I don't recommend this for everyone, but I found a neato way to generate events in firestarter.
# 1 - Login to an irc channel, and just start issuing commands like a newbie. I tried "dir, ls, and help".
# 2 - Wait a few seconds while they make fun of you, and then try some more. That makes them mad.
# 3 - If you're lucky, then they just disconnect you, and don't ban you. Then they start firing salvos at you. My firestarter lit up like a Xmas tree.
--HAPS
Offline
> # 3 - If you're lucky, then they just disconnect you, and don't ban you. Then they start firing salvos at you. My firestarter lit up like a Xmas tree.
I needed that on a Monday morning...
Offline
> 1.- ... from the command line use this: gconftool-2 --set --type string /apps/firestarter/client/system_log /path/to/the/new/file
> 2.- You can use gconf-editor (as root) and edit the same string as in 1.-
Excellent! Thanks idaho45, I now have my Event logging. :-)
Offline
> Which logfile?
> I have no /var/log/iptables, but I have /var/log/lptables.log, and /var/log/iptables.log.1.
> I tried:
> gconftool-2 --set --type string /apps/firestarter/client/system_log /var/log/iptables.log
> I still can't get anything to report in the events. I tried ssh, and even nessus, but it seems to block them so well, that it doesn't even bother to report the attempts.
Try:
gconftool-2 --set --type string /apps/firestarter/client/system_log /var/log/iptables.log
That worked for me.
cheers,
.murkus
Offline