1

For PSAD to work, I need to add the following iptables rules and enable packet logging:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

I use UFW on my system. So, how can I add these rules with UFW?

THpubs

4 Answers

5

As the poster above says, you will need to enable logging with the command

 sudo ufw logging on

But I found that I still needed to add the iptables rules. To do this, run each of the commands below (note that you must have sudo in front):

 sudo iptables -A INPUT -j LOG
 sudo iptables -A FORWARD -j LOG
 sudo ip6tables -A INPUT -j LOG
 sudo ip6tables -A FORWARD -j LOG
darronz
4

You need to add extra rules to ufw to satisfy psad. Edit the following two files:

sudo vi /etc/ufw/before.rules

sudo vi /etc/ufw/before6.rules

To both files listed above, add the following lines for psad at the very end, but before COMMIT:

# custom logging directives for psad
-A INPUT -j LOG
-A FORWARD -j LOG

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

Next, restart ufw:

sudo ufw disable
sudo ufw enable

and then check if it worked with

sudo psad --fw-analyze

[+] Parsing /sbin/iptables INPUT chain rules.
[+] Parsing /sbin/ip6tables INPUT chain rules.
[+] Firewall config looks good.
[+] Completed check of firewall ruleset.
[+] Results in /var/log/psad/fw_check
[+] Exiting.

That's it. Read more tips and tricks on how to configure PSAD with UFW

ruuter
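The before.rules edit described in the answer above, as an added example that is not part of any answer on this page. The function and variable names are hypothetical. It goes slightly beyond the answer by locating the COMMIT that closes the *filter table (the table psad's warning names) rather than assuming it is the last line, and by refusing to add the rules twice.

```shell
#!/bin/sh
# Added example, not from the answers: insert psad's LOG rules before the
# COMMIT that closes the *filter table of a ufw rules file, exactly once.
PSAD_MARKER='# custom logging directives for psad'

add_psad_log_rules() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Idempotent: the marker comment means the rules were already added.
    if grep -qxF -e "$PSAD_MARKER" "$file"; then
        return 0
    fi
    # Line number of the COMMIT belonging to *filter (0 if there is none).
    n=$(awk 'substr($0, 1, 1) == "*" { table = $1 }
             NF == 1 && $1 == "COMMIT" && table == "*filter" { n = NR }
             END { print n + 0 }' "$file")
    [ "$n" -gt 0 ] || { echo "no *filter COMMIT in $file" >&2; return 2; }
    tmp=$(mktemp) || return 1
    awk -v n="$n" -v marker="$PSAD_MARKER" '
        NR == n {
            print marker
            print "-A INPUT -j LOG"
            print "-A FORWARD -j LOG"
            print ""
        }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Constructed sample standing in for /etc/ufw/before.rules (not a real file).
write_sample_rules() {
    printf '%s\n' '*filter' ':ufw-before-input - [0:0]' \
        '-A ufw-before-input -i lo -j ACCEPT' \
        "# don't delete the 'COMMIT' line or these rules won't be processed" \
        'COMMIT' > "$1"
}

# Real use, as root, followed by the restart and check commands from the answer:
#   add_psad_log_rules /etc/ufw/before.rules
#   add_psad_log_rules /etc/ufw/before6.rules
#   ufw disable && ufw enable && psad --fw-analyze
```

Because these LOG rules have no match conditions, every packet that reaches them in INPUT and FORWARD is logged, so make sure log rotation is in place for the kernel log.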
2

You just enable logging.

sudo ufw logging on
Michael Hampton
  • I did that, but when reloading psad, it sends an email to me giving this error: [-] You may just need to add a default logging rule to the /sbin/iptables 'filter' 'INPUT' chain on sinha. For more information, see the file "FW_HELP" in the psad sources directory or visit: http://www.cipherdyne.org/psad/docs/fwconfig.html [-] You may just need to add a default logging rule to the /sbin/ip6tables 'filter' 'INPUT' chain on sinha. For more information, see the file "FW_HELP" in the psad sources directory or visit: http://www.cipherdyne.org/psad/docs/fwconfig.html – THpubs Aug 25 '12 at 10:33
0

Like darronz mentioned, you still have to add iptables rules. As you are using ufw, the easiest way to create persistent rules would be to edit /etc/ufw/before.rules and /etc/ufw/before6.rules and add the following lines

-A INPUT -j LOG
-A FORWARD -j LOG

at the end, but before the COMMIT.

tobltobs