Gentoo Forums
Networking & Security
How do I make FireHOL log less ?
IvanYosifov (l33t, Joined: 15 Oct 2004, Posts: 778, Location: Bulgaria)
Posted: Fri Jul 22, 2005 11:27 am    Post subject: How do I make FireHOL log less ?

I am using FireHOL and my system log is filled with zillions of messages like:

Quote:

Dec 21 20:01:07 gateway kernel: IN-internet:IN=ppp0 OUT= MAC= SRC=200.75.88.187 DST=195.97.5.193 \
LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=63816 PROTO=UDP SPT=34165 DPT=137 LEN=58

Dec 21 22:25:39 gateway kernel: OUT-unknown:IN= OUT=ppp0 SRC=195.97.5.193 DST=192.168.23.1 \
LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=139 DPT=1255 WINDOW=2128 RES=0x00 ACK SYN URGP=0

Dec 21 20:01:07 gateway kernel: PASS-unknown:IN=ppp0 OUT=eth0 SRC=200.75.88.187 DST=195.97.5.194 \
LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=64840 PROTO=UDP SPT=34132 DPT=137 LEN=58


From the FireHOL docs I gathered that these are packets that did not match any rule and got implicitly dropped. However, there is no mention in the docs as to how I disable the logging of those packets. I really don't care about this info, and there are more important things that I want to show up in dmesg, not get flooded out by this log spam. Does anyone know how to disable the logging of such packets?
LoDown (Apprentice, Joined: 26 Oct 2004, Posts: 189, Location: Louisville, Ky)
Posted: Fri Jul 22, 2005 1:45 pm

Google is your friend. I found this page: http://firehol.sourceforge.net/commands.html#log.

I did not read it all, but scroll down the page until you get to the section about logging. Hopefully this will answer your question.
IvanYosifov (l33t, Joined: 15 Oct 2004, Posts: 778, Location: Bulgaria)
Posted: Fri Jul 22, 2005 2:46 pm

I know of this page. Unfortunately, so far I have not managed to make any use of it.
I have FIREHOL_LOG_LEVEL="0" in /etc/firehol/firehol.conf, which according to this should suppress logging - it does not. I think the log commands/variables are used when rules defined by me want to log something, not with the "implicitly dropped" traffic that is getting logged.
LoDown (Apprentice, Joined: 26 Oct 2004, Posts: 189, Location: Louisville, Ky)
Posted: Fri Jul 22, 2005 2:58 pm

Ok, it looks like iptables (which FireHOL uses to filter packets) will log any packet that reaches the end of the chain without an explicit DROP or ACCEPT. So the solution at this time seems to be to add rules to the end of all your chains (I am assuming they are default drop) to DROP all the packets that traverse that far; that way none should get logged.
IvanYosifov (l33t, Joined: 15 Oct 2004, Posts: 778, Location: Bulgaria)
Posted: Fri Jul 22, 2005 3:49 pm

There is quite a number of chains (most created by FireHOL), and manually adding a rule to all of them seems like quite a lot of typing to me. Is there any way to automatically remove all rules with target LOG from iptables?
IvanYosifov (l33t, Joined: 15 Oct 2004, Posts: 778, Location: Bulgaria)
Posted: Sun Jul 24, 2005 6:00 pm

But it turned out I can do this at the FireHOL level.
I added "server all drop" to the end of the FireHOL interface definition, and this did the trick.
And SYN floods and such will still get logged.

The interface definition now looks like:
Code:

interface eth0 internet
        policy drop
        protection strong
        server "http  https  ssh  ICMP  ftp" accept
        client all accept
        server all drop


Thanks for the idea. 8)
IvanYosifov (l33t, Joined: 15 Oct 2004, Posts: 778, Location: Bulgaria)
Posted: Thu Sep 22, 2005 3:54 pm

I managed to solve this completely for me, and thought I'd post it.

First, the above solution of putting "server all drop" at the end of the FireHOL interface definition did not really solve it; FireHOL kept logging things that I did not really want to see, like bad _outgoing_ packets.

The ultimate solution is to emerge ulogd (a special logging daemon for the netfilter subsystem of the kernel), add it to the boot runlevel and put
Code:

FIREHOL_LOG_MODE=ULOG

in FireHOL.conf :D Now ALL the firewall-generated messages go to /var/log/ulogd.syslogemu and NOT to /var/log/messages or the dmesg. 8) Problem solved... this time (I hope) for real.
bonbons (Apprentice, Joined: 04 Sep 2004, Posts: 250)
Posted: Thu Sep 22, 2005 5:13 pm

Another way to fix this issue is to generate the iptables script with FireHOL, then save it (so it can be restored by /etc/init.d/iptables) and edit the iptables rule dump.
Just delete all the --log lines at the end of each table.

This only works if you have no services that change port on each boot.
DNAspark99 (Guru, Joined: 03 Sep 2004, Posts: 321)
Posted: Thu Sep 22, 2005 5:28 pm

I, too, didn't want these in the main logfile, and found the easiest way to filter them out of /var/log/messages was to put them into their own file, since on occasion it can be helpful to diagnose various problems by seeing what is hitting the firewall:

/etc/syslog-ng/syslog-ng.conf:
Code:
destination firewall { file ("/var/log/firewall.log"); };
filter f_firewall {
        match ("IN-") or
        match ("OUT-") or
        match ("PASS-") or
        match ("NEW TCP w/o SYN:") or
        match ("SYN FLOOD:");
};
log { source(src); filter(f_firewall); destination (firewall); };

filter f_messages {
        not filter(f_firewall);
};

There are probably other conditions that these filters won't catch, but in basic operation I haven't seen anything get by yet, so if it does, I want to see it in /var/log/messages first, then I'd add a 'match' rule to fit...

Since size may be an issue after a while, I added the following to /etc/logrotate.d/syslog-ng:
Code:

/var/log/firewall.log {
    olddir /var/log/archive
    size=512M
    rotate 2
}


(/var/log/archive is a dir I've created for all my 'rotated' and compressed logs)
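As an added example (not code from any poster in this thread), the script below applies the match() patterns of the f_firewall filter above to kernel lines of the kind quoted in the first post, routing them the way the two syslog-ng log paths would, and parses the netfilter key=value fields so the dropped-packet noise can be summarised per chain prefix, protocol and destination port rather than only hidden. The sample lines are constructed, modelled on the thread's quotes (the SYN FLOOD and sshd lines are assumptions), and all function names are mine.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the netfilter LOG lines quoted in the thread
# (FireHOL chain prefix, then key=value fields); the last two lines are assumptions.
SAMPLE_LOG = """\
Dec 21 20:01:07 gateway kernel: IN-internet:IN=ppp0 OUT= MAC= SRC=200.75.88.187 DST=195.97.5.193 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=63816 PROTO=UDP SPT=34165 DPT=137 LEN=58
Dec 21 22:25:39 gateway kernel: OUT-unknown:IN= OUT=ppp0 SRC=195.97.5.193 DST=192.168.23.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=139 DPT=1255 WINDOW=2128 RES=0x00 ACK SYN URGP=0
Dec 21 20:01:07 gateway kernel: PASS-unknown:IN=ppp0 OUT=eth0 SRC=200.75.88.187 DST=195.97.5.194 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=64840 PROTO=UDP SPT=34132 DPT=137 LEN=58
Dec 21 20:02:11 gateway kernel: SYN FLOOD:IN=ppp0 OUT= SRC=10.0.0.5 DST=195.97.5.193 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 21 20:03:00 gateway sshd[1234]: Accepted publickey for ivan from 192.168.23.2 port 51234 ssh2
"""

# The match() substrings from the syslog-ng f_firewall filter in the thread.
FIREWALL_PATTERNS = ("IN-", "OUT-", "PASS-", "NEW TCP w/o SYN:", "SYN FLOOD:")

def is_firewall_line(line):
    """Mirror f_firewall: true when any match() substring occurs in the line."""
    return any(p in line for p in FIREWALL_PATTERNS)

def route(lines):
    """Split lines as the two log{} paths would: (firewall.log, messages)."""
    fw = [l for l in lines if is_firewall_line(l)]
    other = [l for l in lines if not is_firewall_line(l)]
    return fw, other

PREFIX_RE = re.compile(r"kernel: (?P<prefix>[^:]+):(?P<rest>IN=.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_netfilter(line):
    """Return {'prefix': chain prefix, KEY: value, ...} for a LOG-target line,
    or None for any other syslog line. Flag words such as DF/SYN/ACK carry no
    '=' and are skipped; the first of the two LEN fields (IP total length) wins."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec.setdefault(key, val)
    return rec

def summarize(lines):
    """Count logged packets per (prefix, PROTO, DPT) to show what the noise is."""
    counts = Counter()
    for line in lines:
        rec = parse_netfilter(line)
        if rec:
            counts[(rec["prefix"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    fw, other = route(SAMPLE_LOG.splitlines())
    print(len(fw), "firewall lines,", len(other), "other lines")
    for key, n in summarize(fw).most_common():
        print(n, key)
```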