logs for routing and remote access


I'm converting my Linux server to Win 2k3 for the better wireless support, but am having some difficulty setting up the built-in firewalling/packet filtering. I'm setting up my IP Routing rules, specifically the inbound and outbound filters, both from the GUI and netsh. That's going alright, but my main problem just now is trying to find a log of packets that are being denied, i.e. what is hitting the firewall. When trying to run network-based programs, and finding them not working, it's hard to know whether the problem is with the program, the network, or just the firewall. Under Linux I'd just have a quick look at the system log to see if there had been any packets blocked, if so copy down the protocol and port and then open them up in my firewall script. I'm trying to find something similar for Windows.

Thanks,

Corona



It is not enabled by default.

To enable security logging options:

1. Open Network Connections.
2. Click the connection on which Internet Connection Firewall (ICF) is enabled, and then, under Network Tasks, click Change settings of this connection.
3. On the Advanced tab, click Settings.
4. On the Security Logging tab, under Logging Options, select one or both of the following options:
   - To enable logging of unsuccessful inbound connection attempts, select the Log dropped packets check box.
   - To enable logging of successful outbound connections, select the Log successful connections check box.

gr /\/\o\/\/
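Once "Log dropped packets" is on, ICF writes a W3C extended-format text log (by default `%windir%\pfirewall.log`). The following is an added example, not part of the original post, that reads that layout and reports which protocol/port pairs are being dropped; the sample log lines and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the pfirewall.log layout (addresses are documentation ranges).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-06-01 10:15:02 DROP TCP 192.0.2.10 198.51.100.5 3312 445 48 S 1234567 0 16384 - - -
2004-06-01 10:15:05 DROP TCP 192.0.2.10 198.51.100.5 3312 445 48 S 1234567 0 16384 - - -
2004-06-01 10:15:09 OPEN TCP 198.51.100.5 192.0.2.80 1045 80 - - - - - - - -
2004-06-01 10:16:40 DROP UDP 192.0.2.77 198.51.100.5 1029 1434 404 - - - - - - -
2004-06-01 10:17:11 DROP ICMP 192.0.2.33 198.51.100.5 - - 60 - - - - 8 0 -
2004-06-01 10:18:00 DROP TCP 192.0.2.10 198.51
"""

def parse_records(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#"):
            continue
        elif fields:
            values = line.split()
            # A line cut short (e.g. log rotated mid-write) is skipped.
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def dropped_summary(text):
    """Count DROP entries per (protocol, destination port or ICMP type)."""
    hits = Counter()
    for rec in parse_records(text):
        if rec["action"] != "DROP":
            continue
        if rec["protocol"] == "ICMP":
            target = "type " + rec["icmptype"]
        else:
            target = "port " + rec["dst-port"]
        hits[(rec["protocol"], target)] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (proto, target), count in dropped_summary(SAMPLE_LOG):
        print(f"{count:4d}  {proto:<5} {target}")
```
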


I actually didn't have ICF enabled, I'm just using the 'basic firewall' that seems to be part of Routing and Remote Access, in the IP Routing section. These appear to be two separate firewalls, are they? Because while the basic firewall and packet filtering that I have going are working, ICF wasn't enabled on the interface.

Corona


Ah, I've just tried enabling ICF and turning on logging as suggested, and it tells me that ICS and ICF cannot be enabled because Routing and Remote Access is enabled. The two obviously are separate things, and don't co-operate.

Corona


Didn't see you were using RRAS.

If you have RRAS you have to use NAT/Basic Firewall Properties in the Routing and Remote Access snap-in.

You can set the event logging level there; choose "Log the maximum amount of information".

You will find the events in the event log.

gr /\/\o\/\/


OK, yeah, I'd already enabled that setting, but I still haven't recognised anything in Event Viewer that looks like firewall hits. I'm assuming they're supposed to be under the system log in there? Do you know how I could find firewall hits? I can't find any events in there with a source that sounds like something firewall related, and just general browsing through the logs hasn't helped me any.

Do you know anywhere I could get documentation for this stuff? I've been combing the Windows help and trying to find something on the web, but can't find anything. I would have expected notification to be one of the key features of any firewall?

Thanks for your help so far,

Corona


Win2K3 will not have true Firewall until SP1 ships incorporating Firewall features from XP SP2. If you want true Firewall abilities where packets are being dropped on the floor then get ISA 2000 or wait about a month for the new ISA 2004.


You can log more, but you need to enable Windows Accounting too.

I copied the steps below, and added a link to the M$ site

gr /\/\o\/\/

-------------------------------------------------

Local authentication and accounting logging

-------------------------------------------------

A server running Routing and Remote Access supports the logging of authentication and accounting information for remote access connections in local logging files when Windows Authentication or Windows Accounting is enabled. This logging is separate from the events recorded in the system event log. You can use the information that is logged to track remote access usage and authentication attempts. Authentication and accounting logging is especially useful for troubleshooting remote access policy issues. For each authentication attempt, the name of the remote access policy that either accepted or rejected the connection attempt is recorded.

The authentication and accounting information is stored in a configurable log file or files stored in the systemroot\System32\LogFiles folder. The log files are saved in Internet Authentication Service (IAS) or database-compatible format, meaning that any database program can read the log file directly for analysis.

To configure authentication and accounting logging, you must first enable either Windows Authentication or Windows Accounting. For more information, see To use Windows Accounting. Then, you can configure the type of activity to log (accounting or authentication activity) and log file settings such as log file format. For more information, see To configure logging.

this is how you enable this

------------------------

To configure logging

------------------------

1. Do one of the following:
   - Open Routing and Remote Access. Double-click Routing and Remote Access, and then double-click the server name on which you want to configure logging.
   - Open Internet Authentication Service. Double-click Internet Authentication Service.
2. In the console tree, click Remote Access Logging.
3. In the details pane, right-click any log file, and then click Properties.

----------------------------------------------

and how to enable Windows Accounting

----------------------------------------------

To use Windows Accounting

1. Open Routing and Remote Access.
2. Right-click the server name for which you want to configure Windows Accounting, and then click Properties.
3. On the Security tab, in Accounting provider, click Windows Accounting, and then click OK.

-------------------------

and a link ...............

-------------------------

http://www.microsoft.com/resources/documen...RRAStopnode.asp
