Hello I have just set up nftables following the Arch Wiki's Simple Stateful Firewall (https://wiki.archlinux.org/title/Nftables#Simple_stateful_firewall) and added some logging options from the Nftables wiki (https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic).
But I understand that I have to install ulogd2 (https://www.netfilter.org/projects/ulogd/index.html) and set it up as a daemon which would actually write the nftables log into some file I could later read. I installed ulogd with pacman, but I think it is missing some runit files to be run as a service, because I don't see it yet in /etc/runit/sv.
I have searched for ulogd-runit and runit-ulogd, but did not find any such package. So, how do I do this?
Gentle bump, does anyone know how to use ulogd2 with runit?
Create a directory /etc/runit/sv/ulogd. Inside this directory, create a file named run with the following content:
#!/bin/sh
exec 2>&1
exec /usr/bin/ulogd
Then you add execution privilege to the owner with chmod u+x /etc/runit/sv/ulogd/run
Then you link it as explained in the wiki to enable it, and you restart your computer.
Note also that netfilter logs go, by default, to dmesg, so you can read them there.
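The service setup described above, scripted as an added example (not the answerer's own code): it writes the run file, makes it executable and links the service. ROOT is a hypothetical prefix so the functions can be tried in a scratch directory instead of /, and the directory that enabled services are linked into is an assumption (Artix uses /run/runit/service, Void uses /var/service); pass the one your distribution uses.

```shell
#!/bin/sh
# Added example: script the runit service setup for ulogd described above.
# ROOT ($1) is an assumed prefix so the functions can be exercised in a
# scratch directory instead of the real /. The active service directory
# ($2 of the enable/verify functions) is an assumption too: Artix uses
# /run/runit/service, Void uses /var/service.

ulogd_service_dir() {
    printf '%s/etc/runit/sv/ulogd' "${1:-}"
}

# Create ROOT/etc/runit/sv/ulogd/run with the contents from the answer above.
create_ulogd_service() {
    svc=$(ulogd_service_dir "$1")
    mkdir -p "$svc" || return 1
    # "exec 2>&1" merges ulogd's stderr into stdout so a runit log service
    # (svlogd) can capture it; "exec /usr/bin/ulogd" replaces the shell so
    # runsv supervises ulogd itself rather than a wrapper process.
    cat > "$svc/run" <<'EOF'
#!/bin/sh
exec 2>&1
exec /usr/bin/ulogd
EOF
    chmod u+x "$svc/run"
}

# Enable the service by linking it into the active service directory ($2).
enable_ulogd_service() {
    svc=$(ulogd_service_dir "$1")
    mkdir -p "$2" || return 1
    [ -e "$2/ulogd" ] || ln -s "$svc" "$2/ulogd"
}

# Sanity check: run script exists and is executable, and the link resolves
# to it. A missing "u+x" is the usual reason runsv reports the service down.
verify_ulogd_service() {
    svc=$(ulogd_service_dir "$1")
    [ -x "$svc/run" ] && [ -L "$2/ulogd" ] && [ -x "$2/ulogd/run" ]
}
```

Run the three functions as root with an empty ROOT (create_ulogd_service "" ; enable_ulogd_service "" /run/runit/service) to apply them to the live system.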
Thank you very much, that was rather easy, as far as running ulogd after startup goes. However, it looks like default ulogd configuration (https://ix.io/3Mit) does not log anything. The log (http://ix.io/3Mis) says it cannot bind to log group 1 and that there is not a single working plugin stack. ::)
I think that the log group 1 is what I could target my nftables log to. So I have this line in my nftables ruleset:
tcp dport 22 ct state new log prefix "New SSH connection: " group 1 accept
Or maybe I should not try to set up ulogd2, but rather switch to libnetfilter_log (https://www.netfilter.org/projects/libnetfilter_log/) which seems to have superseded ulogd2.
Hmmm, I tried to recreate the runit service for ulogd today and it seems that it now can properly start up. In /var/log/ulogd.log I read:
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `NFLOG'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `BASE'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `IP2STR'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `PRINTPKT'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `LOGEMU'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:407 registering plugin `IFINDEX'
Sun Jan 16 13:40:26 2022 <5> ulogd.c:979 building new pluginstance stack: 'log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU'
which looks just fine, as far as I understand it. Gone are the errors from yesterday.
Thanks to this StackExchange post (https://serverfault.com/questions/1050743/nftables-how-to-log-only-specific-type-of-traffic) I realized that the log command in nftables must come before accept. And for ulogd configuration I have been following these instructions (https://www.mybluelinux.com/how-nftables-log-to-external-file/). But there is probably still a ton of stuff I am missing about ulogd and nftables, because I can't get these things to run.
Here is my configuration and some logs:
nftables ruleset (http://ix.io/3Mrf)
ulogd.conf (http://ix.io/3MrT)
/var/log/ulogd.log (http://ix.io/3MrV)
network interface numbers (http://ix.io/3Mrs)
size of logfiles (http://ix.io/3Mrk)
As you see, my logfiles are empty. I tried to test it by pinging that computer, from outside and inside (ping localhost), but nothing ever gets logged. What's causing it? Can you see an error there?