- Use the Source, Luke
Home | Register | News | Forums | Guide | MyLinks | Bookmark

Sponsored Links

Latest News
  General News
  Press Releases
  Off Topic

Back to files

FWReport Reporting Tool for IPTables
By Chris Travers

I Installation
II How to Run the Program
III Known Issues

Before You Begin:

FWReport is not a substitute for reading log files. Although this utility can be useful in finding indications of attacks, some information is not contained in these reports which could lead to false positives, and I have erred on the side of false positives rather than false negatives.

One should note that a positive record always indicates that SOMETHING is going wrong, but often you will still have to look at the logs in order to ensure that the problem is one of outside malice rather than misconfiguration. For example, if the firewall is making DNS queries to a DNS server but blocking and logging replies, these subsequent DNS requests will occur at random ports above 1024, and the result could look like a port scan in the report.

I Installation

This tool is a self-contained PERL script. All that is necessary, assuming you have Perl running, is to take the PERL script and copy it somewhere in your $PATH. I usually place it in /usr/sbin.

This tool will only work on Linux with Netfilter, and parses the /var/log/messages file for IPTables entries and generates a report based on the logs. It can only make report on logged packets, so you will need the packets to be logged via the LOG target. If you are unsure how to set this up, please see the Netfilter documentation at and

If you need assistance with the installation of Perl, see for more documentation and assistance.

II Running the Program

FWReport is designed to run to daily or monthly reports. Please check the man page for complete syntax and instruction. A few examples include:

Generate a report for instances occuring on March 15 in the file /var/log/firewall without reverse dns lookups: fwreport -rd Mar 15 -f /var/log/firewall

Generate a report with daily subsections, processing the entire /var/log/messages:
fwreport -w

Generate a report for yesterday from /var/log/messages: fwreport -dt 1
fwreport -d `date --date="yesterday" "+%b %d"`

Note that the second may not launch from Cron depending on your shell settings in the /etc/passwd.

FWReport was written with the idea of being run via cron. The sample scripts are available for you to modify and call from the crontab.

Sponsored Links

Discussion Groups
  Networking / Security

About | FAQ | Privacy | Awards | Contact
Comments to the webmaster are welcome.
Copyright 2006 All rights reserved.