Gentoo Forums
Securing network computers from Amazon Firestick [SOLVED]
Forum: Networking & Security
Tony0945 (Watchman)
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA

Posted: Tue Jun 07, 2016 12:44 am    Post subject: Securing network computers from Amazon Firestick [SOLVED]

I have set up iptables to disable login from the Amazon Firestick, the two Samsung TVs and the Android smartphone. I downloaded VLC onto the Firestick and I note that it can look all over my computer, not just the files served by DLNA (minidlna-1.1.5-r1).

How can I set iptables so that the Firestick's IP address (and the TVs') can only access through the DLNA ports?

I'm kind of paranoid after reading that Samsung was listening to conversations through their voice-operated TVs, and I really don't trust Amazon, either.


Last edited by Tony0945 on Sun Jun 12, 2016 3:28 am; edited 1 time in total

Hu (Moderator)
Joined: 06 Mar 2007
Posts: 21490

Posted: Tue Jun 07, 2016 1:33 am

What protocol(s) is the Firestick VLC using to browse so extensively? It sounds like your first problem is that you are running one or more services that allow anonymous access to everything. Blocking the Firestick is a workaround to prevent it from using those services, but you should instead configure those services not to be so permissive.

Assuming that you have a standard default-drop policy on your firewall (and if you are kind of paranoid, you will :)), then the problem you described should not be happening. The quick fix is to add an ACCEPT rule for the DLNA ports, followed by a DROP rule for any other traffic from that host. However, I think you may need a more complete audit of your firewall rules. Please post the output of iptables-save.

Tony0945 (Watchman)

Posted: Tue Jun 07, 2016 2:05 am

Code:
X3 tony # iptables-save
# Generated by iptables-save v1.4.21 on Mon Jun  6 21:00:19 2016
*filter
:INPUT ACCEPT [93435648:596403418247]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.190/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.191/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.192/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.193/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.194/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.195/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.196/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.197/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.198/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.199/32 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.168.0.180/32 -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Mon Jun  6 21:00:19 2016


180 is the phone; 190-199 are reserved for TVs and other devices like the Firestick.
The real computers are 100 through 109.

Per the wiki:
Quote:
Minidlna uses port 1900 udp & 8200 tcp

Syl20 (l33t)
Joined: 04 Aug 2005
Posts: 619
Location: France

Posted: Tue Jun 07, 2016 12:26 pm

If you want a secure firewall, you should stop accepting all but what you explicitly denied (blacklist) and switch to a "forbid all but what you explicitly allowed" mode (whitelist).
That needs some time to set up, but you won't have to wonder what to block then. :wink:

NeddySeagoon (Administrator)
Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W

Posted: Tue Jun 07, 2016 7:56 pm

Syl20,

Shorewall makes it quite easy to "forbid all but what you explicitly allowed".
It's surprising/scary how many things try to phone home without asking.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Hu (Moderator)

Posted: Wed Jun 08, 2016 1:44 am

As I feared, you need a complete audit. Fortunately, it is very quick. Those rules are completely unsuitable for your stated intentions. As I hinted, and later posters mentioned explicitly, you should be using a default-drop policy with specific rules to permit known good traffic. Currently, you are using a default-allow policy with specific rules to prohibit traffic you have identified as unacceptable. This allows all unacceptable traffic that you have not yet identified to be accepted. Unfortunately, we do not yet have enough information to help you write a good set of rules for a default-drop policy. The core of such a policy is to allow traffic over lo, allow ESTABLISHED traffic, and have a policy of DROP. The policy is then customized by adding rules to permit allowed connections. Until you are proficient with firewall rules, I suggest that you perform any such changes from the machine's console. Linux has no inherent protection against a remote administrator adding rules that promptly ban his traffic.
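An added example for the ruleset Hu sketches above (not the Gentoo wiki script and not anything posted in the thread): a small sh script that prints a default-drop ruleset in iptables-restore format, so the whole table loads in one atomic step rather than rule by rule, with the host split from the first post (computers at .100-.109 trusted, media players at .190-.199 limited to minidlna's tcp/8200 and udp/1900) and a log-then-drop chain catching everything else. The interface name eth0, the rollback file path and the exact trusted-host list are assumptions; the timed rollback is a general precaution for the remote-lockout problem Hu mentions, not something the thread itself does.

```shell
#!/bin/sh
# Added example for this thread, not a script from the Gentoo wiki or any poster.
# Prints a default-drop ruleset in iptables-restore format so that the table is
# loaded in one atomic step instead of one "iptables -A" at a time.
#
# From the thread: trusted hosts 192.168.0.100-109, media clients
# 192.168.0.190-199, minidlna on tcp/8200 and udp/1900.
# Assumptions: LAN interface eth0, trusted-host list, rollback file path.

LAN_IF=${LAN_IF:-eth0}
TRUSTED=${TRUSTED:-"192.168.0.100 192.168.0.102 192.168.0.103 192.168.0.104 192.168.0.106 192.168.0.108 192.168.0.109"}
NET=192.168.0
DLNA_FIRST=190
DLNA_LAST=199
ROLLBACK=${ROLLBACK:-/root/iptables.rollback}

emit() { printf '%s\n' "$@"; }

gen_rules() {
    emit '*filter' \
         ':INPUT DROP [0:0]' \
         ':FORWARD DROP [0:0]' \
         ':OUTPUT ACCEPT [0:0]' \
         ':logdrop - [0:0]'
    # The core: loopback, replies to conversations this host started, and a
    # DROP policy for whatever matches no later rule. Note -i names an
    # interface and -s names an address; they are not interchangeable.
    emit '-A INPUT -i lo -j ACCEPT' \
         '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
         '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Untrusted media players: minidlna's two ports and nothing else.
    # SSDP discovery (udp/1900) is sent to multicast 239.255.255.250, so the
    # rule matches on source only and leaves the destination unspecified.
    i=$DLNA_FIRST
    while [ "$i" -le "$DLNA_LAST" ]; do
        emit "-A INPUT -i $LAN_IF -s $NET.$i -p tcp --dport 8200 -m conntrack --ctstate NEW -j ACCEPT" \
             "-A INPUT -i $LAN_IF -s $NET.$i -p udp --dport 1900 -j ACCEPT" \
             "-A INPUT -i $LAN_IF -s $NET.$i -j logdrop"
        i=$((i + 1))
    done
    # Trusted workstations: the "sky is the limit" set from the thread.
    # Narrow this to "-p tcp --dport 22" once everything else is known good.
    for h in $TRUSTED; do
        emit "-A INPUT -i $LAN_IF -s $h -j ACCEPT"
    done
    # Everything else (the phone at .180 included) is logged, then dropped.
    emit '-A INPUT -j logdrop' \
         '-A logdrop -m limit --limit 2/min --limit-burst 10 -j LOG --log-prefix "DROP: " --log-level 4' \
         '-A logdrop -j DROP' \
         'COMMIT'
}

# Apply with a safety net: if the new rules cut the ssh session you are
# working from, the saved rules come back on their own after 90 seconds.
# Cancel the timer only after a NEW ssh login has been confirmed to work.
apply_rules() {
    iptables-save > "$ROLLBACK" || return 1
    ( sleep 90 && iptables-restore < "$ROLLBACK" ) &
    timer=$!
    if gen_rules | iptables-restore; then
        echo "loaded; if a fresh ssh login works, run: kill $timer"
    else
        kill "$timer"
        echo "iptables-restore rejected the ruleset; nothing changed" >&2
        return 1
    fi
}

case "${1:-show}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Run it with no argument to print and review the ruleset; `sh firewall.sh apply` saves the current rules, starts the rollback timer and loads the new table. Because iptables-restore either loads the whole table or none of it, a typo cannot leave the box half-configured the way a script of separate iptables calls can. The ICMP types 3, 11 and 12 from the wiki script need no separate rule here: when they refer to a tracked connection, conntrack classes them as RELATED, which the second rule already accepts.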

NeddySeagoon (Administrator)

Posted: Wed Jun 08, 2016 5:27 pm

Tony0945,

You can just start with
Hu wrote:
The core of such a policy is to allow traffic over lo, allow ESTABLISHED traffic, and have a policy of DROP.

And log everything that is dropped. Since nothing works now, it's easy to spot things trying to get out.

Tony0945 (Watchman)

Posted: Wed Jun 08, 2016 5:37 pm

Thanks all! Internet was out for most of the day in Illinois yesterday. Supposedly, someone cut a fiber-optic cable. It was strange having no TV, no internet, no e-mail. Got a lot of yard work done.

I will follow these suggestions and present another setup for comment. These rules are tricky, almost as hard to decipher as grub2 configs.

NeddySeagoon (Administrator)

Posted: Wed Jun 08, 2016 5:56 pm

Tony0945,

Try Shorewall. It's a little simpler than raw iptables.
There is Shorewall6 for IPv6 too.

If you have more than two zones, you need to do some planning before you think about firewall rules.
Work out what is allowed to initiate connections to where and with which services.

depontius (Advocate)
Joined: 05 May 2004
Posts: 3509

Posted: Wed Jun 08, 2016 8:11 pm

One other thing you might consider is subsetting your network. My network has had separate DMZ and HomeLAN networks almost from the get-go. I bought a Blu-ray player with streaming, but have not set up its wifi access yet because I don't have wifi on my DMZ. There's no way I'm allowing it to snoop around on my HomeLAN network.

I'm also considering adding a third subnet, perhaps called Spys, and putting untrusted appliances there. Then egress filtering can be added as desired.

It's also worth noting that I unthinkingly put my HD-HomeRun Prime on HomeLAN, mostly because it predated the spy-device fears. However, at this point moving it to either the DMZ or Spy network would mean pushing a lot of traffic through that route. On the other hand, it might be nice for the Blu-ray player to see the DLNA of the HDHR.

Breaking apart subnets can be easier to firewall than individual hosts.
_________________
.sigs waste space and bandwidth

NeddySeagoon (Administrator)

Posted: Thu Jun 09, 2016 5:18 pm

A long time ago, I used to run Smoothwall. It's a firewall network appliance that takes over any PC you care to run the installer on.

About 2011, I consolidated my four home servers into KVMs on a purpose-built system. Power savings paid for that more capable box over about 18 months.
Unfortunately, I couldn't get Smoothwall to run in a KVM. I looked at iptables and lost the will to live. Smoothwall had an easy-to-use GUI, so I had gone soft.
Next up was Shorewall. There is no GUI but the setup is logical. It's easy to set up logging to see why things don't work.

Nasties knocking on the front door are DROPped. They don't even get a reply.
Unknowns trying to phone home are REJECTed. They get an error message and the packets are logged.

I run four zones: Internet (RED), semi-protected (DMZ), protected wired (GREEN) and protected wireless (BLUE). The zone names are from Smoothwall. The only difference between blue and green is that wireless cannot connect to wired. Well, wireless isn't really secure.

My Blu-ray player is wired but it's not allowed to phone home until it says it can't play a new Blu-ray disc because the firmware is too old.
Firmware updates are a very occasional treat for it.

I'm trying to add in a couple of VPNs too. The hard bit works, that's the encrypted links. I've not got the hang of the routing yet.

Tony0945 (Watchman)

Posted: Fri Jun 10, 2016 6:00 am

OK, I altered the suggested script in the Gentoo wiki.
Code:
X3 ~ # iptables-save
# Generated by iptables-save v1.4.21 on Fri Jun 10 00:47:06 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:708]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i 192.168.0.192 -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -i 192.168.0.192 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i 192.168.0.193 -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -i 192.168.0.193 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i 192.168.0.192 -j DROP
-A INPUT -i 192.168.0.193 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Fri Jun 10 00:47:06 2016

I'm not sure (i.e. haven't a clue) what the lines with -m conntrack and -m icmp do.
Also, what the heck is that line with -p tcp doing?

I also did do this over the LAN (on the highwire without a net) and it's still connected but is that just because of that conntrack line?

I did see a more detailed RedHat/Centos script, but wasn't sure if it was applicable to Gentoo.

My goal is that on one set of boxes, the sky is the limit. On the second set of boxes, they are restricted to the two DLNA ports. It's nearly 1:00 AM and I haven't checked this yet, other than that I am still connected to the X3 box from 192.168.0.100. Breaking off because I have a quite peeved spouse to deal with. ("Are you still playing with that damn computer!")

P.S. Yesterday I heard The Goons' "#10 Downing Street is missing" on the SiriusXM comedy channel.

cboldt (Veteran)
Joined: 24 Aug 2005
Posts: 1046

Posted: Fri Jun 10, 2016 9:31 am

The "-m conntrack RELATED,ESTABLISHED" parameter (and command) causes iptables to accept all packets from computer relationships that were initiated by the computer the firewall is running on. This way, the firewall doesn't have to open all the ports for incoming packets for connections started by that computer.

The "--tcp-flags FIN,SYN,RST,ACK ACK" line is looking for a couple of types of malformed network packet, but only for the port (113) that is typically used for the "auth" service. The "auth" service is a primitive identity mechanism used between computers; it isn't related to system login. I run a program called `fakeidentd` to answer calls to that port, and it gives up fake identity information to the requester.

The "-p icmp" lines relate to network packets of type ICMP (as opposed to type TCP or type UDP). Type ICMP packets are called "ping" packets, but that is a little misleading because "ping" is one of several types of ICMP packet. At any rate, the firewall you have will accept ping (the outside can ping that computer and get a response) and, IIRC, types 11 and 12 have to do with traceroute.

Edit to add that the RH/CentOS script will apply to Gentoo. Firewall / iptables configuration is generic across distributions, with variations and commands being applicable on an application-by-application (or port-by-port) basis.

Tony0945 (Watchman)

Posted: Fri Jun 10, 2016 4:23 pm

Thanks for the explanation, cboldt!

I have redone the firewall, but after closing the putty connection I can't open another from either side.
Code:
X3 ~ # iptables-save
# Generated by iptables-save v1.4.21 on Fri Jun 10 10:26:37 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i 192.168.0.192 -j DROP
-A INPUT -i 192.168.0.193 -j DROP
-A INPUT -i 192.168.0.100 -j ACCEPT
-A INPUT -i 192.168.0.102 -j ACCEPT
-A INPUT -i 192.168.0.104 -j ACCEPT
-A INPUT -i 192.168.0.106 -j ACCEPT
-A INPUT -i 192.168.0.108 -j ACCEPT
-A INPUT -i 192.168.0.103 -j ACCEPT
-A INPUT -i 192.168.0.109 -j ACCEPT
COMMIT
# Completed on Fri Jun 10 10:26:37 2016


The annotated script that generated these rules is here: http://dpaste.com/09VZFAF

Tony0945 (Watchman)

Posted: Fri Jun 10, 2016 4:43 pm

iptables -L shows the following which is confusing as it seems to ignore source:
Code:
X3 ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8200
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1900
DROP       all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
LOGGING    all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain LOGGING (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere 

cboldt (Veteran)

Posted: Fri Jun 10, 2016 8:11 pm

It's ignoring the source IP because iptables needs that to be presented as "-s $IP_ADDRESS", or in long form, "--source $IP_ADDRESS". Don't use $IP_ADDRESS literally, I'm using that to indicate some generic IP Addy.

Code:
-A INPUT -s 192.168.0.192 -j DROP


The "-i" you are using is the interface, which is a hardware name like "eth0" or "wlan0" or one of those newfangled names. You can see your interface names by running `route`, which will show Iface in the last column. You'll notice one of your firewall rules is allowing everything on interface "lo", which is TCP/IP traffic that runs purely on one machine.

The reason putty can't get in, is that putty is (probably) trying to access your firewalled computer via port 22. Your firewall rules don't admit packets that are trying to get into port 22. If you have configured your sshd to use a different port (and putty has been informed of the non-standard port to use), the same situation holds true at the firewall, that port is blocked too. The only ports you have open to NEW incoming packets are 1900 and 8200.
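An added check, not from cboldt's post or the thread, that would have caught the -i/-s mix-up before the rules were loaded over ssh: a sh function that reads a ruleset in iptables-save format (the form the posts above show) from stdin, flags -i or -o followed by something that looks like an IPv4 address, and confirms the three pieces of the default-drop core are present. The two sample rulesets are constructed from the one that locked putty out; the corrected one differs only in -i becoming -s.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check for a ruleset in
# iptables-save format, catching the mistakes made in this thread before the
# rules are loaded over ssh. Input comes on stdin; the sample rulesets at the
# bottom are constructed from the ones posted above.

# Prints "<n> problem(s)" on stdout, details on stderr; returns 1 if n > 0.
lint_rules() {
    problems=0
    n=0
    have_policy=0; have_lo=0; have_est=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            ':INPUT DROP '*) have_policy=1 ;;
            '-A INPUT -i lo -j ACCEPT') have_lo=1 ;;
            *'--ctstate RELATED,ESTABLISHED -j ACCEPT'*) have_est=1 ;;
        esac
        # -i/-o take an interface name (eth0, wlan0, lo). iptables accepts an
        # address there without complaint, so the rule matches only packets
        # arriving on an interface literally called "192.168.0.100": none.
        case "$line" in
            *' -i '[0-9]*.[0-9]*.[0-9]*.[0-9]*|*' -o '[0-9]*.[0-9]*.[0-9]*.[0-9]*)
                echo "line $n: -i/-o takes an interface name; use -s/-d for an address: $line" >&2
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$have_policy" -eq 1 ] || { echo "no ':INPUT DROP' policy line; this is still default-allow" >&2; problems=$((problems + 1)); }
    [ "$have_lo" -eq 1 ] || { echo "no '-A INPUT -i lo -j ACCEPT'; local services will break" >&2; problems=$((problems + 1)); }
    [ "$have_est" -eq 1 ] || { echo "no RELATED,ESTABLISHED accept; replies to outgoing connections will be dropped" >&2; problems=$((problems + 1)); }
    echo "$problems problem(s)"
    [ "$problems" -eq 0 ]
}

# Constructed from the ruleset posted above that locked putty out: the DROP
# for the TV and the ACCEPT for the workstation both use -i with an address.
bad_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8200 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i 192.168.0.192 -j DROP
-A INPUT -i 192.168.0.100 -j ACCEPT
COMMIT
EOF
}

# The same rules with -s in place of -i, as cboldt suggested.
good_rules() { bad_rules | sed 's/ -i 192\.168/ -s 192.168/'; }

# Demo run: the broken ruleset fails the check, the corrected one passes.
bad_rules | lint_rules || echo "(as expected, the broken ruleset fails the check)"
good_rules | lint_rules
```

Feed the linter `iptables-save` output, or the output of whatever generates your rules, before running iptables-restore. In the thread's case the ACCEPT for .100 was in the chain but matched nothing, so a new ssh connection fell through to the DROP policy, and the existing putty session survived only because of the RELATED,ESTABLISHED rule.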

Tony0945 (Watchman)

Posted: Fri Jun 10, 2016 11:35 pm

cboldt wrote:
It's ignoring the source IP because iptables needs that to be presented as "-s $IP_ADDRESS", or in long form, "--source $IP_ADDRESS". Don't use $IP_ADDRESS literally, I'm using that to indicate some generic IP Addy.

Code:
-A INPUT -s 192.168.0.192 -j DROP


Ooops! Changing -i to -s fixed putty and ssh. The interface name is the traditional eth0, BTW.

I could use some guidance on logging dropped packets. This code:
Code:
iptables -N LOGGING
iptables -A INPUT -j LOGGING

iptables -A LOGGING -m limit --limit 2/min -j LOG
iptables -A LOGGING -j DROP

Results in:
Code:
X3 ~ # sh firewallscript
iptables: No chain/target/match by that name.

cboldt (Veteran)

Posted: Sat Jun 11, 2016 12:07 am

First, a new rule that has a logging line (which does NOT dispatch the packet), followed by a line that dispatches the packet.

Code:
iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix DROP:
iptables -A logdrop -j DROP


Then you can use "-j logdrop" to log then drop a packet.

Code:
# This is the last rule in the chain, it logs and drops everything that got through the gauntlet
iptables -A INPUT -m conntrack --ctstate NEW -j logdrop
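An added example, not from cboldt's post or the thread: once the logdrop chain exists, every dropped packet produces a kernel log line carrying SRC=, DST=, PROTO= and DPT= fields, and the question of what the TV or the phone keeps trying becomes a matter of counting those lines. The sh/awk summariser below groups them by source, protocol and destination port. The sample log is constructed to look like the LOG target's output (MAC fields abbreviated), using the addresses from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what a "logdrop" chain has been
# dropping, so "what is the TV doing for ten minutes" can be answered from the
# kernel log. Lines are in the format the LOG target writes (SRC= DST= PROTO=
# DPT= ...); the sample below is constructed.

# Reads log lines on stdin; prints "<count> <src> <proto>/<dport>", busiest first.
summarize_drops() {
    awk '
        /DROP: / {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "PROTO") proto = val
                else if (key == "DPT") dpt = val
            }
            if (src != "") count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Busiest entry only; handy for a quick look or a cron mail.
top_drop() { summarize_drops | head -n 1; }

# Constructed sample of what dmesg or the syslog shows after the chain fires:
# the TV at .192 probing ssh and SMB, the phone at .180 doing mDNS, the TV
# at .193 trying NetBIOS, and one unrelated kernel message to be ignored.
sample_log() {
    cat <<'EOF'
[ 120.10] DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.192 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 120.11] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.192 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 121.00] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.192 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 121.50] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.192 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
[ 130.00] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.180 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
[ 131.00] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.180 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
[ 132.00] DROP: IN=eth0 OUT= MAC=... SRC=192.168.0.193 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=139 WINDOW=29200 RES=0x00 SYN URGP=0
[ 140.00] eth0: link up (an unrelated kernel message, ignored)
EOF
}

sample_log | summarize_drops
```

On the real box run `dmesg | summarize_drops`, or point it at the syslog file. A line with IN=eth0 and an empty OUT= is an inbound packet the INPUT chain dropped; because the chain uses `-m limit`, the counts are a lower bound when a device is chatty.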

Tony0945 (Watchman)

Posted: Sat Jun 11, 2016 12:39 am

Code:
X3 ~ # nano firewallscript
X3 ~ # sh firewallscript
iptables: No chain/target/match by that name.
X3 ~ #


Script is at http://dpaste.com/1XEGE6Z

Maybe I'm missing something in the kernel? config is here: http://dpaste.com/0H4V69T

cboldt (Veteran)

Posted: Sat Jun 11, 2016 12:48 am

I don't see any obvious typo or other error. Stuff in a couple of "echo" reports to narrow down where the script is crapping out.

For starters, put in an "echo just before creating logdrop" and an "echo after logdrop, before last iptables rule".

Edit to add, I don't think there is a missing feature in the iptables/kernel config. You've had the --conntrack facility in use before, and I didn't notice any other iptables extension. Allowed "-j" targets are ACCEPT, REJECT, DROP, and any rules you define (e.g., "logdrop"), and I didn't see any errors in those, no "-j ACCETP" (notice the typo!) for example.

Tony0945 (Watchman)

Posted: Sat Jun 11, 2016 8:47 am

This is generating the error:

iptables -A logdrop -j LOG --log-prefix DROP:

If I comment it out, the error goes away.

Maybe the problem is default useflags?

Code:
X3 ~ # emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] net-firewall/iptables-1.4.21-r1::gentoo  USE="ipv6 -conntrack -netlink -static-libs" 0 KiB

Total: 1 package (1 reinstall), Size of downloads: 0 KiB


EDIT: BTW, the Samsung Smart TV plays DLNA fine, but it takes about ten minutes for the X3:DLNA option to appear on the TV. I surmise that it is doing a lot of other things, retrying, and finally giving up and using plain DLNA. The logs would help a lot.

cboldt (Veteran)

Posted: Sat Jun 11, 2016 9:00 am

That's interesting. I have approximately that line in my iptables builder, but instead of having the prefix set directly, it is set using a variable. I set numerous logging variables, then create numerous rules that log then handle packets. The below lines are selected from that bunch, cut and paste ...

Code:
LOG_DROP=${LOG_DROP:=DROP:}

iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix "$LOG_DROP "
iptables -A logdrop -j DROP


Oh, I see the error now: missing quotation marks in the direct setting of the phrase "DROP:".

Tony0945 (Watchman)

Posted: Sat Jun 11, 2016 9:12 am

Code:
X3 ~ # sh firewallscript
iptables: No chain/target/match by that name.
X3 ~ #

firewallscript: http://dpaste.com/3BRT8EG (Oops, no link. wgetpaste seems to have stopped working.)

relevant excerpt:
Code:
#including the wireless computers
iptables -A INPUT -s 192.168.0.103 -j ACCEPT
iptables -A INPUT -s 192.168.0.109 -j ACCEPT

LOG_DROP=${LOG_DROP:=DROP:}

iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix "$LOG_DROP "
iptables -A logdrop -j DROP
# This is the last rule in the chain, it logs and drops everything that got through the gauntlet
iptables -A INPUT -m conntrack --ctstate NEW -j logdrop



cboldt (Veteran)

Posted: Sat Jun 11, 2016 9:34 am

The URL works if [url] is stripped from the end.

I think your kernel is missing logging support, either in nf_tables (CONFIG_NFT_LOG) or in the Xtables targets (CONFIG_NETFILTER_XT_TARGET_LOG).

From the kernel source `make menuconfig`, follow these links ...

Networking support
Networking options
Network packet filtering framework (Netfilter)
Core Netfilter Configuration
* Netfilter nf_tables log module
* LOG target support

Edit to add, after looking at your kernel config, I think you need to set "Netfilter nf_tables support" (CONFIG_NF_TABLES) in order to set CONFIG_NFT_LOG. Otherwise the "Netfilter nf_tables log module" option won't be visible. If you compile those items as modules, kernel recompile should be fairly quick, only the new and changed modules are built.
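An added check, not from the thread, for the kernel side of the problem: a sh function that reads a kernel .config from stdin and reports, for each netfilter option the rules in this thread rely on, whether it is built in, a module, or missing. The option names are the kernel's own Kconfig symbols; the sample config is constructed to reproduce the situation above (LOG target absent, nf_tables absent). CONFIG_NFT_LOG is not in the list because the rules here are loaded with iptables 1.4.x, which uses the Xtables LOG target rather than nf_tables.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel .config for the netfilter
# options the rules in this thread depend on. The mapping is from the kernel's
# Kconfig symbol names; the sample config below is constructed.
#
#   -m conntrack      CONFIG_NF_CONNTRACK + CONFIG_NETFILTER_XT_MATCH_CONNTRACK
#   -m limit          CONFIG_NETFILTER_XT_MATCH_LIMIT
#   -j LOG            CONFIG_NETFILTER_XT_TARGET_LOG (selects the NF_LOG_IPV4 backend)
#   -j REJECT         CONFIG_IP_NF_TARGET_REJECT
#   the filter table  CONFIG_IP_NF_IPTABLES + CONFIG_IP_NF_FILTER

NEEDED="CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_NF_CONNTRACK
CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_TARGET_LOG CONFIG_IP_NF_TARGET_REJECT"

# Reads a .config on stdin; prints one line per option; returns 1 if any is absent.
check_kconfig() {
    cfg=$(cat)
    missing=0
    for opt in $NEEDED; do
        state=$(printf '%s\n' "$cfg" | sed -n "s/^$opt=\([ym]\)\$/\1/p")
        case "$state" in
            y) echo "$opt: built in" ;;
            m) echo "$opt: module (normally autoloaded the first time a rule uses it)" ;;
            *) echo "$opt: MISSING"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Constructed to match the situation in the thread: conntrack present, the
# LOG target and nf_tables switched off.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
# CONFIG_NF_TABLES is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
EOF
}

sample_config | check_kconfig || echo "rebuild the kernel (or its modules) before -j LOG will work"
```

On a running Gentoo box feed it `zcat /proc/config.gz` (needs CONFIG_IKCONFIG_PROC) or `/usr/src/linux/.config`. The "No chain/target/match by that name" message is iptables' generic answer whenever the kernel lacks the target or match a rule names, so a check like this is quicker than commenting rules out one at a time.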

Tony0945 (Watchman)

Posted: Sat Jun 11, 2016 3:17 pm

The following were unchecked:
Code:
CONFIG_NETFILTER_NETLINK_LOG:

  If this option is enabled, the kernel will include support
  for logging packets via NFNETLINK.

  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
  and is also scheduled to replace the old syslog-based ipt_LOG
  and ip6t_LOG modules.

CONFIG_NF_TABLES:

  nftables is the new packet classification framework that intends to
  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
  provides a pseudo-state machine with an extensible instruction-set
  (also known as expressions) that the userspace 'nft' utility
  (http://www.netfilter.org/projects/nftables) uses to build the
  rule-set. It also comes with the generic set infrastructure that
  allows you to construct mappings between matchings and actions
  for performance lookups.

  To compile it as a module, choose M here.


A new kernel was available after syncing, so I made these changes there. Also enabled IPv6 logging. There were a ton of new logging and tracking options in this new kernel (4.6.4); I marked them as modules, and the above missing ones as built-in.

Page 1 of 2. All times are GMT.