
Setting up ulogd for nftables

Hello, I have just set up nftables following the Arch Wiki's Simple Stateful Firewall and added some logging options from the Nftables wiki.

But I understand that I have to install ulogd2 and set it up as a daemon which would actually write the nftables log into some file I could later read. I installed ulogd with pacman, but I think it is missing some runit files to be run as a service, because I don't see it yet in /etc/runit/sv.

I have searched for ulogd-runit and runit-ulogd, but did not find any such package. So, how do I do this?

Re: Setting up ulogd for nftables

Reply #1
Gentle bump, does anyone know how to use ulogd2 with runit?

Re: Setting up ulogd for nftables

Reply #2
Create a directory /etc/runit/sv/ulogd. Inside this directory, create a file named run with the following content:
Code:
#!/bin/sh
exec 2>&1
exec /usr/bin/ulogd

Then you add execution privilege to the owner with chmod u+x /etc/runit/sv/ulogd/run.
Then you link it as explained in the wiki to enable it, and restart your computer.

Re: Setting up ulogd for nftables

Reply #3
Note also that netfilter logs go, by default, to dmesg, so you can read them there.

Re: Setting up ulogd for nftables

Reply #4
Thank you very much, that was rather easy, as far as running ulogd after startup goes. However, it looks like default ulogd configuration does not log anything. The log says it cannot bind to log group 1 and that there is not a single working plugin stack. ::)

I think that the log group 1 is what I could target my nftables log to. So I have this line in my nftables ruleset:
Code:
tcp dport 22 ct state new log prefix "New SSH connection: " group 1 accept

Re: Setting up ulogd for nftables

Reply #5
Or maybe I should not try to set up ulogd2, but rather switch to libnetfilter_log which seems to have superseded ulogd2.

Re: Setting up ulogd for nftables

Reply #6
Hmmm, I tried to recreate the runit service for ulogd today and it seems that it can now start up properly. In /var/log/ulogd.log I read:
Code:
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `NFLOG'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `BASE'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `IP2STR'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `PRINTPKT'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `LOGEMU'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `IFINDEX'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:979 building new pluginstance stack: 'log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU'

which looks just fine, as far as I understand it. Gone are the errors from yesterday.

Re: Setting up ulogd for nftables

Reply #7
Thanks to this StackExchange post I realized that the log command in nftables must come before accept. And for ulogd configuration I have been following these instructions. But there is probably still a ton of stuff I am missing about ulogd and nftables, because I can't get these things to run.

Here is my configuration and some logs:
nftables ruleset
ulogd.conf
/var/log/ulogd.log
network interface numbers
size of logfiles

As you can see, my logfiles are empty. I tried to test it by pinging that computer, from outside and inside (ping localhost), but nothing ever gets logged. What's causing it? Can you see an error there?
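As an added example (not from the thread, and not the ulogd project's own code), here is a matching pair of configurations: a ulogd.conf whose NFLOG input listens on the same group that the nftables `log ... group N` statements send to, using the stock plugin stack that Reply #6's log shows, plus a small check that the two agree and that `log` precedes the verdict, the ordering Reply #7 mentions. It goes beyond the rule in Reply #4 (which only matches new TCP/22 connections) by also logging ICMP echo requests, so that a ping test produces a line. The plugin directory and the LOGEMU output path are assumptions (the upstream defaults); adjust them if your package differs.

```shell
#!/bin/sh
# Added example (not from the thread): ulogd2 and nftables configs that share one NFLOG
# group. Assumed defaults: plugins in /usr/lib/ulogd, text log in /var/log/ulogd_syslogemu.log.
set -eu
NFLOG_GROUP=${NFLOG_GROUP:-1}
ULOGD_PLUGDIR=${ULOGD_PLUGDIR:-/usr/lib/ulogd}
ULOGD_OUT=${ULOGD_OUT:-/var/log/ulogd_syslogemu.log}
# ulogd.conf with one stack: NFLOG group -> plain-text LOGEMU file (the stock stack).
ulogd_conf() {
    cat <<EOF
[global]
logfile="/var/log/ulogd.log"
plugin="$ULOGD_PLUGDIR/ulogd_inppkt_NFLOG.so"
plugin="$ULOGD_PLUGDIR/ulogd_raw2packet_BASE.so"
plugin="$ULOGD_PLUGDIR/ulogd_filter_IFINDEX.so"
plugin="$ULOGD_PLUGDIR/ulogd_filter_IP2STR.so"
plugin="$ULOGD_PLUGDIR/ulogd_filter_PRINTPKT.so"
plugin="$ULOGD_PLUGDIR/ulogd_output_LOGEMU.so"
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
[log1]
group=$NFLOG_GROUP
[emu1]
file="$ULOGD_OUT"
sync=1
EOF
}
# Input chain: every log statement precedes its verdict, and an ICMP echo rule is
# included so that a plain ping produces a line, not only a new SSH connection.
nft_rules() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        icmp type echo-request log prefix "Ping: " group $NFLOG_GROUP accept
        tcp dport 22 ct state new log prefix "New SSH connection: " group $NFLOG_GROUP accept
    }
}
EOF
}
# Succeeds only if each logging rule uses ulogd's group and logs before its verdict.
check_consistency() {
    g=$(ulogd_conf | sed -n 's/^group=//p')
    nft_rules | awk -v g="$g" 'BEGIN { bad = 0 } / log / {
        if ($0 !~ ("group " g "( |$)")) { print "group mismatch: " $0; bad = 1 }
        if (match($0, /accept|drop|reject/) && RSTART < index($0, " log ")) { print "verdict before log: " $0; bad = 1 }
    } END { exit bad }'
}
```

Install with `ulogd_conf > /etc/ulogd.conf` and `nft_rules | nft -c -f -` to syntax-check the ruleset before loading it; `check_consistency` exits non-zero and names the offending rule when the group numbers differ or a verdict precedes `log`.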