
Firewall froth..



My personal system is connected to the Internet via an ADSL router which
doesn't give me any information about what doesn't get through. 

However I recently helped a friend set up a Debian box to act as firewall/router
between his cable modem and local LAN, which has given me access to a lot
more detail...

The system is a Debian Etch 4.0r3 netinstall with Shorewall used to configure
an iptables firewall/router. The hardware has two ethernet interfaces: eth0
connects to the cable modem, eth1 connects to the local LAN.

The problem I am having is that the messages from the firewall really
flood /var/log/messages to the point where I am concerned they may cause
me to miss other important things.

My rules file is set up with:
#ACTION SOURCE          DEST            PROTO   DEST PORT(S)
ACCEPT  net             fw              tcp     22
ACCEPT  net             fw              icmp
DROP    net             fw              udp     1026:1029

where the last line was added to filter out the most frequent messages, but
I am not really sure what, if any, rejected connections/packets I
should be looking out for, and what should just be ignored...

Perhaps I should redirect the firewall logs to a separate file? Or
just stick my head in the sand and log nothing - which is presumably
the situation with my DSL router..

Here is an example of the last dozen or so messages in the log:
 DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38 

Is this normal? Anyone know what all this rejected traffic represents?

Regards,
DigbyT
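The question above is really a triage question: which of the DROP lines are background noise and which deserve a look. The following script is an added example (my own code, not from the post, from Shorewall or from Debian) that parses log lines in the exact `Shorewall:zone2zone:ACTION:IN=... SRC=... DPT=...` shape shown above, labels each line by destination port, counts them, and pulls out the two kinds of entry a firewall admin usually does want to see: drops whose IN interface is not the Internet-facing one (a LAN host trying to get out and being blocked) and sources that hit several different ports (a port scan). It assumes eth0 is the Internet side, as the post says. The sample log is constructed: the first five lines are the ones quoted in the post, and the remaining lines are invented to exercise the LAN-side and port-scan cases.

```python
"""Triage Shorewall/iptables DROP log lines: summarise the noise, surface the rest.
Example code written for this thread; not part of Shorewall or the original post."""
import re
from collections import Counter, defaultdict

NET_IF = "eth0"  # assumption taken from the post: eth0 faces the cable modem

# Constructed sample log. Lines 1-5 are quoted from the post; lines 6-10 are
# invented (RFC 5737 / private addresses) to exercise the LAN-side and scan cases.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=200 DF PROTO=TCP SPT=1035 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40000 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes each kernel log line with "Shorewall:<chain>:<action>:";
# the rest is the usual netfilter KEY=VALUE list (flags like DF/SYN have no '=').
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Well-known service names for ports that show up constantly in Internet-side drops.
WELL_KNOWN = {("TCP", 21): "ftp", ("TCP", 23): "telnet", ("TCP", 25): "smtp",
              ("TCP", 135): "ms-rpc", ("TCP", 445): "microsoft-ds",
              ("TCP", 1080): "socks", ("TCP", 3306): "mysql"}


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("rest")))  # a repeated LEN= keeps the last value
    return {"chain": m.group("chain"), "action": m.group("action"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""),
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
            "dport": int(f["DPT"]) if "DPT" in f else None}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(e):
    """Coarse label: where the packet came from and what it was aimed at."""
    if e["in"] != NET_IF:
        return "outbound-drop"          # a LAN host was blocked going out: check that host
    if e["dport"] is None:
        return f"{e['proto'].lower()}-no-port"
    if e["proto"] == "UDP" and 1026 <= e["dport"] <= 1029:
        return "messenger-spam"         # Windows Messenger popup spam, as the post's DROP rule targets
    name = WELL_KNOWN.get((e["proto"], e["dport"]))
    return f"scan:{name}" if name else f"scan:port-{e['dport']}"


def summarize(entries):
    """Counts per label; the big numbers here are the noise the post complains about."""
    return Counter(classify(e) for e in entries)


def top_sources(entries, n=3):
    return Counter(e["src"] for e in entries).most_common(n)


def port_scanners(entries, min_ports=3):
    """Internet-side sources that probed at least min_ports distinct (proto, port) pairs."""
    seen = defaultdict(set)
    for e in entries:
        if e["in"] == NET_IF and e["dport"] is not None:
            seen[e["src"]].add((e["proto"], e["dport"]))
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_ports}


def worth_a_look(entries, min_ports=3):
    """Entries an admin should actually read: LAN-originated drops and scanner traffic."""
    scanners = port_scanners(entries, min_ports)
    return [e for e in entries if e["in"] != NET_IF or e["src"] in scanners]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for label, count in summarize(entries).most_common():
        print(f"{count:5d}  {label}")
    print("scanners:", port_scanners(entries))
    for e in worth_a_look(entries):
        print("LOOK:", e["chain"], e["src"], "->", e["dst"], e["proto"], e["dport"])
```

Run it against a real file with `parse_log(open("/var/log/messages").read())`; because `LINE_RE` uses `search`, the syslog timestamp and `kernel:` prefix in front of each line are ignored. The labels are deliberately coarse: single SYNs from the Internet to SOCKS, MySQL, SMB and similar ports are the routine scanning every public address receives, whereas anything with `IN=eth1` or a source touching many ports is what the separate log file (or a cron summary like this one) should make visible.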

