Re: Firewall froth..

To: debian-user@lists.debian.org
Subject: Re: Firewall froth..
From: Anthony Campbell <ac@acampbell.org.uk>
Date: Wed, 16 Apr 2008 10:00:37 +0100
Message-id: <[🔎] 20080416090037.GG3972@acampbell.org.uk>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 20080415154254.15081.qmail@tdc.dircon.co.uk>
References: <[🔎] 20080415154254.15081.qmail@tdc.dircon.co.uk>

On 15 Apr 2008, Digby Tarvin wrote:
> 
[snip] 
> where the list line was to filter out the most frequent messages, but
> I am not really sure what, if any, rejected connections/packets I
> should be looking out for, and what should just be ignored...
> 
> Perhaps I should redirect the firewall logs to a separate file? Or
> just stick my head in the sand and log nothing - which is presumably
> the situation with my dsl router..
> 
> Here is an example of the last dozen or so messages in the log:
>  DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> 
> Is this normal? Anyone know where all this rejected traffic represents?
> 

You can prevent this stuff appearing by inserting "klogd -c5" to
/etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.

"FAQ 16) Shorewall is writing log messages all over my console making it unusable!

Answer:

Just to be clear, it is not Shorewall that is writing all over your
console. Shorewall issues a single log message during each start,
restart, stop, etc. It is rather the klogd daemon that is writing
messages to your console. Shorewall itself has no control over where a
particular class of messages are written. See the Shorewall logging
documentation.

    *

      Find where klogd is being started (it will be from one of the
      files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
      the appropriate configuration file so that klogd is started with
      “-c <n> ” where <n> is a log level of 5 or less; and/or
    *

      See the “dmesg” man page (“man dmesg”). You must add a suitable
      “dmesg” command to your startup scripts or place it in
      /etc/shorewall/start."

Anthony

-- 
Anthony Campbell - ac@acampbell.org.uk 
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews, 
on-line books and sceptical articles)

Reply to:

Follow-Ups:
- Re: Firewall froth..
  - From: Jon <iroquoi@gmail.com>

References:
- Firewall froth..
  - From: "Digby Tarvin" <lists2008@skaro.afraid.org>

Prev by Date: Re: Question about how "aptitude search" is used
Next by Date: Re: JFS / Unsupported file systems
Previous by thread: Re: Firewall froth..
Next by thread: Re: Firewall froth..
Index(es):
- Date
- Thread