
Re: annoying iptables messages

Jeff Elkins wrote:
> I'm trying to rid myself of annoying iptables messages that are clogging up 
> the console and dmesg.

The Linux kernel default console logging is 8 so that all messages are
logged to the console.  At least one other distro sets this to 3 in
/etc/syscontrol/init and so users there never see console messages.

A firewall on the Internet today is always flooded with probes.
People are always pulling on the door and trying to lift the windows.
The logging to the console causes messages to be printed on the
console so often that it is virtually useless.  This is arguably a
system policy decision.

Debian does not make this policy anywhere else that I can find and the
system uses the Linux kernel default.  Using the kernel default is
arguably a safe choice for the system but possibly unpleasant for the
user of the kernel.  This is not normally an issue but when running an
active firewall it does tend to flood the console with information.

I am using shorewall, a very nice firewall package.  I highly recommend it.
Therefore I always set the following in the '/etc/shorewall/init'
shorewall init file to set the console logging level to something a
little more quiet.  This avoids logging packet messages to the
console.  They are still logged normally to syslog.  I prefer
KERN_NOTICE level 5.  Setting it to 3 would pretty much turn off
console messages.

  dmesg -n5

You can find the kernel logging levels in the linux/kernel.h file.

  #define KERN_EMERG   "<0>" /* system is unusable                    */
  #define KERN_ALERT   "<1>" /* action must be taken immediately      */
  #define KERN_CRIT    "<2>" /* critical conditions                   */
  #define KERN_ERR     "<3>" /* error conditions                      */
  #define KERN_WARNING "<4>" /* warning conditions                    */
  #define KERN_NOTICE  "<5>" /* normal but significant condition      */
  #define KERN_INFO    "<6>" /* informational                         */
  #define KERN_DEBUG   "<7>" /* debug-level messages                  */


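The console filtering rule behind `dmesg -n`, as an added example that is not part of the original message: the kernel prints a message on the console only when its priority number is lower than the console log level. The function names, the sample log lines and the priorities assigned to them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# The kernel prints a message on the console only when its priority number
# is strictly lower than console_loglevel (the value set by `dmesg -n`).

# reaches_console LEVEL: read "<N>text" lines on stdin and keep the ones
# that would be printed on the console at console_loglevel LEVEL.
reaches_console() {
    awk -v lvl="$1" '
        /^<[0-7]>/ {
            prio = substr($0, 2, 1) + 0
            if (prio < lvl + 0) print
        }'
}

# current_console_level [FILE]: first field of /proc/sys/kernel/printk,
# which holds the current console_loglevel. FILE is overridable for testing.
current_console_level() {
    awk '{ print $1; exit }' "${1:-/proc/sys/kernel/printk}"
}

# Constructed sample messages; addresses are documentation ranges and the
# priorities given to the packet-log lines are assumptions for illustration.
sample_messages() {
    cat <<'EOF'
<6>Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
<4>IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP DPT=445
<3>eth0: transmit timed out
<0>Kernel panic - not syncing
EOF
}

# Demo: what still reaches the console after `dmesg -n5`.
sample_messages | reaches_console 5
```

At level 5 the packet-log line tagged `<6>` stays off the console, while the one tagged `<4>` still appears; both would continue to go to syslog.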