
Re: Firewall froth..



On 15 Apr 2008, Digby Tarvin wrote:
> 
[snip] 
> where the list line was to filter out the most frequent messages, but
> I am not really sure what, if any, rejected connections/packets I
> should be looking out for, and what should just be ignored...
> 
> Perhaps I should redirect the firewall logs to a separate file? Or
> just stick my head in the sand and log nothing - which is presumably
> the situation with my dsl router..
> 
> Here is an example of the last dozen or so messages in the log:
>  DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38 
> 
> Is this normal? Anyone know what all this rejected traffic represents?
> 

You can prevent this stuff appearing by inserting "klogd -c5" to
/etc/init.d/klogd. See http://www.shorewall.net/FAQ.htm.

"FAQ 16) Shorewall is writing log messages all over my console making it unusable!

Answer:

Just to be clear, it is not Shorewall that is writing all over your
console. Shorewall issues a single log message during each start,
restart, stop, etc. It is rather the klogd daemon that is writing
messages to your console. Shorewall itself has no control over where a
particular class of messages are written. See the Shorewall logging
documentation.

    * Find where klogd is being started (it will be from one of the
      files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
      the appropriate configuration file so that klogd is started with
      “-c <n>” where <n> is a log level of 5 or less; and/or

    * See the “dmesg” man page (“man dmesg”). You must add a suitable
      “dmesg” command to your startup scripts or place it in
      /etc/shorewall/start."

Anthony

-- 
Anthony Campbell - ac@acampbell.org.uk 
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews, 
on-line books and sceptical articles)
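
An added example, not part of either message: a short Python triage of the Shorewall drop lines quoted above, grouping them by protocol and destination port so that repeated probes stand out from one-off noise. The sample lines are copied from the quoted log; the function names are this example's own.

```python
import re
from collections import defaultdict

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Copied from the log excerpt quoted above; the first line is cut off in the original.
SAMPLE = """\
 DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
"""

def parse_line(line):
    """Parse one Shorewall-prefixed netfilter LOG line; None if the prefix is missing."""
    m = PREFIX.search(line)
    if not m:
        return None  # truncated line or unrelated kernel message
    rec = {"chain": m["chain"], "action": m["action"]}
    rest = line[m.end():]
    for key, value in FIELD.findall(rest):
        rec.setdefault(key, value)  # UDP lines carry LEN twice; keep the IP-level one
    rec["flags"] = [tok for tok in rest.split() if "=" not in tok]  # e.g. DF, SYN
    return rec

def summarize(lines):
    """Return [((proto, dport), count, sorted sources)], most frequent first."""
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        dpt = rec.get("DPT")  # absent for protocols without ports (e.g. ICMP)
        key = (rec.get("PROTO", "?"), int(dpt) if dpt else None)
        groups[key]["count"] += 1
        groups[key]["sources"].add(rec["SRC"])
    ranked = sorted(groups.items(), key=lambda kv: -kv[1]["count"])
    return [(k, g["count"], sorted(g["sources"])) for k, g in ranked]

if __name__ == "__main__":
    for (proto, port), count, sources in summarize(SAMPLE.splitlines()):
        print(f"{count:3d}  {proto}/{port}  from {', '.join(sources)}")
```

On the quoted excerpt this gives three groups, each from a single source: UDP 2933 (3 packets), TCP 3306, the MySQL port (2), and TCP 1080, the SOCKS port (1). The truncated first line is skipped because it has no Shorewall prefix.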

