I’ve seen a lot of queries on the internet about logging firewall traffic on a Synology server, because, somewhat surprisingly, it’s not something that Synology have implemented in their Log Center (sic) or feel is important enough, despite providing the functionality to easily create firewall rules in the Control Panel.
Underneath it all, Synology uses IPTables to implement firewall rules. It’s not easy or straightforward to manage these on the command line, which is why, thankfully, Synology have provided a nice GUI to allow you to add and change rules on the fly. Confusingly, they don’t provide a method to audit or troubleshoot why a rule might not be working.
Getting Firewall Logs into Synology Log Center
There is a solution to this, and one that doesn’t require you to delve into the innards of the server (although you can if you want!). The configuration is designed to withstand reboots (since IPTables revert to their default configuration whenever the server reboots) and to be managed from within Synology DSM. It also doesn’t mess around with any Synology defaults or specific configurations, so in theory, should always work.
Creating a Task to Enable Firewall Logging
First off, log into your Synology DSM and open the Control Panel, and under the Services section, select “Task Scheduler”.
In the Task Scheduler screen, select the Create button and then the “User-defined script” under the “Triggered Task” menu option, since we are going to set something up that will always run on boot-up.
Enter a name for your task, so you know what it’s for and make sure the “User” field is set to “root” and the “Event” field to “Boot-up”.
Click on the Task Settings tab. Then in the “User-defined script” field, enter the following code:
#!/bin/bash
conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'
echo 'destination d_iptables {' > $conf
echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf
echo '};' >> $conf
echo 'filter f_iptables { match("--Firewall--"); };' >> $conf
echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf
iptables -N LOGGING
iptables -I INPUT 1 -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6
Click on the OK button. The task is now set up to enable firewall logging whenever your Synology is rebooted.
Bear in mind that the code hasn’t been run yet, so the logging hasn’t been configured. You can reboot your server to set it up, but we’re going to stick with doing everything through Synology DSM.
Highlight your newly created task in the Task Scheduler and click the Run button at the top of the screen. Now your server is configured to send firewall logs to Synology Log Center.
Limiting the Logging to External Traffic
If you want to limit the logging to external traffic only, insert the following line before the last line of the script (line 10, the iptables -j LOG rule):
iptables -A LOGGING -s 192.168.1.0/24 -j RETURN
Replace “192.168.1.0/24” in the line with your local network range. The /24 suffix is CIDR (Classless Inter-Domain Routing) notation, and with this range it means that no traffic coming in from 192.168.1.0 to 192.168.1.255 will be logged.
The full script is then:
#!/bin/bash
conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'
echo 'destination d_iptables {' > $conf
echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf
echo '};' >> $conf
echo 'filter f_iptables { match("--Firewall--"); };' >> $conf
echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf
iptables -N LOGGING
iptables -I INPUT 1 -j LOGGING
iptables -A LOGGING -s 192.168.1.0/24 -j RETURN
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6
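The full script above, as an added example that is not the post's own code, rewritten so that it can safely run more than once (once from the Task Scheduler “Run” button and again at every boot): the syslog-ng fragment is written with a single heredoc instead of a chain of echo calls, the LOGGING chain is only created when it is absent, the jump from INPUT is only inserted when no such jump exists yet, and the chain's own rules are flushed and rebuilt. It assumes iptables supports the -C (check) option, which any recent iptables does. The IPT, LOCAL_NET and FW_SYSLOG_CONF variables are hypothetical overrides added here so the functions can be exercised without root or a real firewall; they are not Synology settings.

```shell
#!/bin/bash
# Added example, not the original post's script: idempotent version of the
# boot task. Assumptions (not from the post): iptables supports -C; IPT,
# LOCAL_NET and FW_SYSLOG_CONF are hypothetical overrides for testing.
set -u

IPT="${IPT:-iptables}"
LOCAL_NET="${LOCAL_NET:-192.168.1.0/24}"
LOG_PREFIX='--Firewall--'
conf="${FW_SYSLOG_CONF:-/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf}"

# Write the syslog-ng fragment from the post to the file named in $1, in one
# go, so a partially written file is never left behind between echo calls.
write_syslog_conf() {
    cat > "$1" <<EOF
destination d_iptables {
    syslog("127.0.0.1" port(514) transport("udp"));
};
filter f_iptables { match("$LOG_PREFIX"); };
log { source(src); filter(f_iptables); destination(d_iptables); };
EOF
}

# Create the LOGGING chain only if it is missing, add the INPUT jump only if
# it is not already there, then rebuild the chain's rules from a clean state.
setup_logging_chain() {
    "$IPT" -n -L LOGGING >/dev/null 2>&1 || "$IPT" -N LOGGING
    "$IPT" -C INPUT -j LOGGING >/dev/null 2>&1 || "$IPT" -I INPUT 1 -j LOGGING
    "$IPT" -F LOGGING
    "$IPT" -A LOGGING -s "$LOCAL_NET" -j RETURN
    "$IPT" -A LOGGING -m limit --limit 2/min -j LOG \
        --log-prefix "$LOG_PREFIX" --log-level 6
}

# Only apply when this looks like the target box: the syslog-ng patterndb.d
# directory from the post exists and an iptables command is on PATH.
if [ -d "$(dirname "$conf")" ] && command -v "$IPT" >/dev/null 2>&1; then
    write_syslog_conf "$conf"
    setup_logging_chain
fi
```

Two things worth knowing before relying on the output: because the jump sits at position 1 of INPUT, the chain sees every incoming packet before the DSM firewall rules are evaluated, so it records what arrived, not what was dropped; and -m limit --limit 2/min allows at most two log entries per minute (plus iptables' default burst of five), so during a flood the log is a sample, not a full record.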
Enabling Logging in Synology Log Center
We’ve set up Synology so that firewall logging is configured and will survive a reboot of your server, but it’s still not logging. Two things are missing: we haven’t configured Log Center to receive the data, and we haven’t told it to read the newly created configuration file.
Open up Log Center in Synology DSM and click on the Log Receiving tab, then click on the Create button at the top.
Type in a name for your rule so you know what it relates to and make sure you have selected the IETF Log format. By default, the transfer protocol should be “UDP” and the Port should be “514”.
Finally, click on the OK button and make sure your rule is enabled.
Viewing the Firewall Logs
You’re done! Your Synology should now be sending (and receiving) the firewall logs in Log Center. To check that, go to the Logs tab. By default, you will see all of the general logs for the server.
Because we’ve configured the Synology to send the firewall logs to Log Center’s receiver over syslog rather than hacking around with the Synology server itself, they are filed under the server rather than under “Local”. Click in the drop-down where it says “Local”; the name of your server should be displayed underneath (in my case, “Gaia”).
You should now be able to see all of your incoming firewall logs, in their raw format in Log Center.
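Once the raw lines are in Log Center, a quick way to make sense of them is to summarise them by source address and destination port. The following shell functions are an added example, not part of the original post: they parse lines in the shape the kernel LOG target emits (the --Firewall-- prefix immediately followed by IN=... SRC=... PROTO=... DPT=...), count hits per source/protocol/port, and flag sources that were seen against several different ports. The sample lines are constructed for the example, not captured traffic, and the function names are hypothetical. Feed real lines exported from Log Center through the same functions; remember that with --limit 2/min the counts are a lower bound.

```shell
#!/bin/sh
# Added example (not from the original post): summarise --Firewall-- log lines.
# POSIX sh + awk only. SAMPLE_LOG is CONSTRUCTED test data, not real traffic.

SAMPLE_LOG='Mar 10 12:00:01 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:02 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:03 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:04 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=5555 DPT=5000 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:05 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=5556 DPT=5001 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:06 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=TCP SPT=5557 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:07 Gaia kernel: --Firewall--IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Mar 10 12:00:08 Gaia synoscgi: unrelated line that must be ignored'

# Print "hits SRC PROTO DPT", busiest first, for every --Firewall-- line on
# stdin. Lines without the prefix are skipped; ICMP has no DPT, shown as "-".
fw_summary() {
    awk '
        index($0, "--Firewall--") == 0 { next }
        {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=")   src   = substr($i, 5)
                if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
                if (substr($i, 1, 4) == "DPT=")   dpt   = substr($i, 5)
            }
            hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Print "SRC ports" for sources logged against at least $1 (default 3)
# distinct destination ports: a cheap indicator of a port sweep.
fw_port_sweepers() {
    min="${1:-3}"
    awk -v min="$min" '
        index($0, "--Firewall--") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

echo "== hits per source/protocol/port =="
printf '%s\n' "$SAMPLE_LOG" | fw_summary
echo "== sources touching 3+ destination ports =="
printf '%s\n' "$SAMPLE_LOG" | fw_port_sweepers 3
```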
A Word of Explanation
If you’re interested in what the code does, I’ve broken it down line by line here.
#!/bin/bash
Tells Synology to use the Bash shell to run the commands.
conf='/usr/local/etc/syslog-ng/patterndb.d/Firewall.conf'
Sets a variable to define where we are going to create the Firewall logging configuration.
echo 'destination d_iptables {' > $conf
Writes the first line defining where the firewall logs should go to the Firewall logging configuration.
echo 'syslog("127.0.0.1" port(514) transport("udp"));' >> $conf
Writes the second line, telling syslog-ng to forward the matched logs to the local server (127.0.0.1) over UDP on port 514, which is where Log Center will be listening.
echo '};' >> $conf
Writes the third line closing the destination details.
echo 'filter f_iptables { match("--Firewall--"); };' >> $conf
Writes a filter that matches only log messages containing --Firewall-- in the message text.
echo 'log { source(src); filter(f_iptables); destination(d_iptables); };' >> $conf
Writes the log statement that ties it together: where syslog-ng gets the logs from (source src), what to filter for (f_iptables) and where to send them (d_iptables).
iptables -N LOGGING
Creates a LOGGING chain in the iptables configuration.
iptables -I INPUT 1 -j LOGGING
Inserts a jump to the LOGGING chain as the first rule of the INPUT chain, so every incoming packet passes through the LOGGING chain before the rest of the firewall rules are evaluated.
iptables -A LOGGING -s 192.168.1.0/24 -j RETURN
If the source IP address is in the local network (192.168.1.0 to 192.168.1.255), return from the LOGGING chain straight away without processing the next rule, so local traffic is never logged.
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix '--Firewall--' --log-level 6
Tells iptables to write a log entry prefixed with --Firewall-- (so we can filter on that), and rate-limits those entries to two per minute (the -m limit --limit 2/min part) so we don’t get a flurry of the same information in the log file. Finally, it sets the level of information to 6, which is “INFO”. If you want to only display “WARNING” logging, then the level is 4, “EMERGENCY” is 0 and the most verbose, “DEBUG”, is 7.