Re: Firewall froth..
On 15 Apr 2008, Digby Tarvin wrote:
>
[snip]
> where the list line was to filter out the most frequent messages, but
> I am not really sure what, if any, rejected connections/packets I
> should be looking out for, and what should just be ignored...
>
> Perhaps I should redirect the firewall logs to a separate file? Or
> just stick my head in the sand and log nothing - which is presumably
> the situation with my dsl router..
>
> Here is an example of the last dozen or so messages in the log:
> DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
>
> Is this normal? Anyone know what all this rejected traffic represents?
>
You can prevent this stuff appearing by inserting "klogd -c5" in
/etc/init.d/klogd. See http://www.shorewall.net/FAQ.htm.
"FAQ 16) Shorewall is writing log messages all over my console making it unusable!
Answer:
Just to be clear, it is not Shorewall that is writing all over your
console. Shorewall issues a single log message during each start,
restart, stop, etc. It is rather the klogd daemon that is writing
messages to your console. Shorewall itself has no control over where a
particular class of messages are written. See the Shorewall logging
documentation.
* Find where klogd is being started (it will be from one of the
  files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
  the appropriate configuration file so that klogd is started with
  “-c <n>” where <n> is a log level of 5 or less; and/or
* See the “dmesg” man page (“man dmesg”). You must add a suitable
  “dmesg” command to your startup scripts or place it in
  /etc/shorewall/start."
Anthony
--
Anthony Campbell - ac@acampbell.org.uk
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews,
on-line books and sceptical articles)
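
An added example, not part of the original thread: a Python script that parses log lines in the Shorewall format quoted above and counts dropped packets and distinct sources per protocol and destination port, so repeated probes stand out from one-off noise. The sample lines are constructed (documentation addresses), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Shorewall/netfilter LOG format quoted above
# (documentation addresses and MACs, not the values from the original post).
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.99 DST=203.0.113.5 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")

def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None if it is not one."""
    m = PREFIX.search(line)           # search, so a syslog timestamp may precede it
    if not m:
        return None
    rec = {"chain": m["chain"], "action": m["action"], "flags": []}
    for tok in line[m.end():].split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(tok)  # bare tokens such as DF and SYN
        elif key not in rec:
            rec[key] = val            # keep the first LEN (IP length); UDP lines repeat LEN
    return rec

def summarize(lines):
    """Map (PROTO, DPT) to (packet count, number of distinct source addresses)."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or "PROTO" not in rec:
            continue
        entry = stats[(rec["PROTO"], int(rec.get("DPT", 0)))]  # no DPT (e.g. ICMP) -> 0
        entry["packets"] += 1
        entry["sources"].add(rec.get("SRC"))
    return {k: (v["packets"], len(v["sources"])) for k, v in stats.items()}

if __name__ == "__main__":
    rows = sorted(summarize(SAMPLE_LOG.splitlines()).items(), key=lambda kv: -kv[1][0])
    for (proto, dpt), (pkts, srcs) in rows:
        print(f"{proto:4} dport {dpt:<5} {pkts} packet(s) from {srcs} source(s)")
```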