iptables Policy Configuration
The main requirement for a Netfilter policy to be compatible with psad is simply that Netfilter logs packets. This is commonly accomplished by adding rules to the INPUT and FORWARD chains like so:

    # iptables -A INPUT -j LOG
    # iptables -A FORWARD -j LOG

The rules above should be added at the end of the INPUT and FORWARD chains, after all ACCEPT rules for legitimate traffic and just before a corresponding DROP rule for traffic that is not to be allowed through the policy. Note that Netfilter policies can be quite complex, with protocol, network, port, and interface restrictions, user-defined chains, connection tracking rules, and much more. There are many pieces of software, such as Shorewall and Firewall Builder, that build Netfilter policies and take advantage of the advanced filtering and logging capabilities offered by Netfilter. Generally the policies built by such software are compatible with psad, since they specifically add rules that instruct Netfilter to log packets that are not part of legitimate traffic. Psad can be configured to analyze only those Netfilter messages that contain specific log prefixes (which are added via the --log-prefix option), but the default as of version 1.3.2 is for psad to analyze all Netfilter log messages for port scans, probes for backdoor programs, and other suspect traffic. See the list of features offered by psad for more information.
In addition, it should be noted that in order for psad to acquire Netfilter log data via the above strategy, syslog needs to be configured to write all kern.info messages to a named pipe that is set up by psad. More information on this can be found within the syslog configuration guide.
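The following is an added example, not part of the psad documentation or the psad project: a small POSIX shell script that emits a minimal iptables-restore ruleset in the shape described above (ACCEPT rules for legitimate traffic first, then a LOG rule, then a DROP rule, in both INPUT and FORWARD), together with a check that the LOG rule really is the second-to-last rule of each chain and that no LOG or DROP appears earlier. The SSH port, the conntrack-based ACCEPT rules and the log prefixes "IN_DROP " and "FWD_DROP " are assumed values chosen for the example; adjust them to your own policy.

```shell
#!/bin/sh
# Added example (not from the psad docs or project). Emits an iptables-restore
# ruleset whose INPUT and FORWARD chains end with LOG followed by DROP, and
# checks that ordering before the ruleset is loaded.
# Assumed values: SSH on tcp/22, conntrack ACCEPT rules, prefixes IN_DROP/FWD_DROP.

build_policy() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ACCEPT rules for legitimate traffic come first (assumed policy).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything not accepted is logged (this is what psad reads), then dropped.
# --log-prefix tags the lines; --log-ip-options/--log-tcp-options include the
# option fields in the log message.
-A INPUT -j LOG --log-prefix "IN_DROP " --log-ip-options --log-tcp-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FWD_DROP " --log-ip-options --log-tcp-options
-A FORWARD -j DROP
COMMIT
EOF
}

# count_log_rules: number of LOG rules in the generated ruleset.
count_log_rules() {
    build_policy | grep -c -- '-j LOG'
}

# check_chain_order CHAIN: succeed only if the chain's rule targets, in order,
# end with "LOG DROP" and LOG/DROP appear nowhere earlier in that chain.
check_chain_order() {
    targets=$(build_policy | sed -n "s/^-A $1 .*-j \([A-Z]*\).*/\1/p" | tr '\n' ' ')
    case "$targets" in
        *"LOG DROP ") ;;
        *) return 1 ;;
    esac
    head=${targets%"LOG DROP "}
    case "$head" in
        *LOG*|*DROP*) return 1 ;;
    esac
    return 0
}

# Usage: ./policy.sh --print > policy.rules && sudo iptables-restore < policy.rules
if [ "${1:-}" = "--print" ]; then
    check_chain_order INPUT && check_chain_order FORWARD && build_policy
fi
```

Loading the ruleset needs root and a kernel with the conntrack and LOG modules, but generating and checking it does not. Because both prefixes contain "DROP", the log lines also match the psad.conf setting FW_MSG_SEARCH DROP; should you later turn FW_SEARCH_ALL off so that psad looks only at lines carrying a prefix, these rules keep working.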
