Re: annoying iptables messages
On Wednesday 15 June 2005 04:13 pm, Jan C. Nordholz wrote:
> > I'm trying to rid myself of annoying iptables messages that are clogging
> > up the console and dmesg. To my firewall script I've added:
> Well, dmesg just reads the kernel's debugging ringbuffer, where _every_
> printk() the kernel issues is recorded. You can't keep messages from
> appearing there, you can just prevent that they travel any further. :-)
> > echo 0 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> Hm, didn't even know that toggle - however, it already is 0 here, so I
> guess that's the default...
> > And to sysklogd:
> > KLOGD="-c 4"
> This will keep iptables log messages (which default to log-level warning,
> i.e. 4, but see the --log-level option in the manpage) from appearing on
> the console. However, those messages are still forwarded to the syslog
> facility, unless you've told klogd to behave differently (see the -f
> What sysklogd then does with them is dictated by /etc/syslog.conf(5) -
> incoming messages from klogd are given facility "kernel" (as you might
> have guessed ;-) ), and the priority given by the kernel is just passed
> > The console messages seem to be gone, but dmesg is still clogged with
> > iptables junk.
> You can't change that. I'd suggest you use another source of information:
> by customizing syslog.conf you should be able to extract every possible
> subset of logging messages pretty comfortably.
Thanks for the reply, Jan.
Actually, I guess I posted too early. Hot-keying to my server (via a KVM)
New not syn:IN=eth1 OUT= MAC=00:30:1b:3d:ed:0e:00:02:3b:01:dd:e1:08:00
SRC=184.108.40.206 DST=220.127.116.11 LEN=41 TOS=0x00 PREC=0x00 TTL=240 ID=21627
PROTO=TCP SPT=80 DPT=36366 WINDOW=64687 RES=0x00 ACK PSH URGP=0
IPT INPUT packet died: IN=eth1 OUT=
DST=18.104.22.168 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=10675 PROTO=TCP SPT=80
DPT=36366 WINDOW=9300 RES=0x00 RST URGP=0
Printed to the console. More googling ahead...
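Jan's suggestion is to stop fighting dmesg and instead route the kernel facility through syslog.conf into a file; once the LOG entries are in a file, the fastest way to see what is actually hitting the INPUT chain is to parse them. The following is an added example, not code from the thread or from the netfilter project: it reassembles LOG records that the console wrapped onto several lines, splits each into its --log-prefix, its KEY=VALUE fields and its bare TCP-flag tokens, and tallies the records per prefix and endpoint. The two sample records are constructed from the entries quoted above (the second one is missing its SRC= field exactly as it appeared in the post); the /var/log/kern.log path in the comment is an assumption.

```python
"""Parse iptables LOG lines (as the kernel hands them to klogd/syslog) into
structured records and summarise them. Added example, not part of the
original mailing-list thread."""
import re
from collections import Counter

# Tokens the LOG target prints bare (no '=') for TCP flags and IP fragment
# bits; any other bare token is ignored.
BARE_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE", "DF", "MF"}

# A record starts at the first 'IN=' that is not the tail of another key
# (the 'IN' inside 'WINDOW=' or 'INPUT' is never directly followed by '=').
IN_RE = re.compile(r"(?<![A-Za-z])IN=")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def join_wrapped(raw_lines):
    """Reassemble LOG records that the console or dmesg wrapped onto several
    lines: a line without an IN= token continues the previous record."""
    records = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        if IN_RE.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_iptables_log(record):
    """Split one LOG record into (prefix, fields, flags).

    prefix: the --log-prefix text, i.e. everything before IN=
    fields: KEY=VALUE pairs; an empty value such as OUT= is kept as ''
    flags:  bare TCP flag tokens present, e.g. {'ACK', 'PSH'}
    Returns None when the record carries no IN= token at all.
    """
    m = IN_RE.search(record)
    if m is None:
        return None
    prefix = record[:m.start()].strip()
    fields, flags = {}, set()
    for tok in record[m.start():].split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            fields[kv.group(1)] = kv.group(2)
        elif tok in BARE_TOKENS:
            flags.add(tok)
    return prefix, fields, flags


def summarize(records):
    """Tally records by prefix, remote endpoint, local endpoint and flags so
    that a flood of near-identical entries collapses to a few countable lines."""
    counts = Counter()
    for rec in records:
        parsed = parse_iptables_log(rec)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        key = (prefix, f.get("SRC", "?"), f.get("SPT", "?"),
               f.get("DST", "?"), f.get("DPT", "?"), " ".join(sorted(flags)))
        counts[key] += 1
    return counts


# Constructed sample: the two entries quoted in the post, as they were wrapped
# on the console. The second one lacks SRC= exactly as it appeared there.
RAW_CONSOLE = [
    "New not syn:IN=eth1 OUT= MAC=00:30:1b:3d:ed:0e:00:02:3b:01:dd:e1:08:00",
    "SRC=184.108.40.206 DST=220.127.116.11 LEN=41 TOS=0x00 PREC=0x00 TTL=240 ID=21627",
    "PROTO=TCP SPT=80 DPT=36366 WINDOW=64687 RES=0x00 ACK PSH URGP=0",
    "IPT INPUT packet died: IN=eth1 OUT=",
    "DST=18.104.22.168 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=10675 PROTO=TCP SPT=80",
    "DPT=36366 WINDOW=9300 RES=0x00 RST URGP=0",
]

if __name__ == "__main__":
    # In practice read the lines from whatever file syslog.conf routes kern.*
    # to (e.g. /var/log/kern.log; that path is an assumption, not from the thread).
    for key, n in summarize(join_wrapped(RAW_CONSOLE)).items():
        prefix, src, spt, dst, dpt, flags = key
        print(f"{n:4d}  {prefix!r:26} {src}:{spt} -> {dst}:{dpt} [{flags}]")
```

The prefix is whatever --log-prefix the firewall script set on each LOG rule, so tallying by prefix first tells you which rule is producing the noise; tallying by SRC:SPT next tells you which remote endpoint is responsible, which is the question to answer before deciding whether to drop the rule's logging or rate-limit it.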