My personal system is connected to the Internet via an ADSL router which doesn't give me any information about what doesn't get through.
However I recently helped a friend set up a Debian box to act as firewall/router between his cable modem and local LAN, which has given me access to a lot more detail... The system is a Debian Etch 40r3 netinstall with Shorewall used to configure an iptables firewall/router. The hardware has two ethernet interfaces: eth0 connects to the cable modem, eth1 connects to the local LAN.

The problem I am having is that the messages from the firewall really flood /var/log/messages to the point where I am concerned they may cause me to miss other important things. My rules file is set up with:

    ACCEPT  net  fw  tcp  22
    ACCEPT  net  fw  icmp
    DROP    net  fw  udp  1026:1029

where the last line was to filter out the most frequent messages, but I am not really sure what, if any, rejected connections/packets I should be looking out for, and what should just be ignored... Perhaps I should redirect the firewall logs to a separate file? Or just stick my head in the sand and log nothing - which is presumably the situation with my DSL router..
Here is an example of the last dozen or so messages in the log:

    DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
    Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38

Is this normal? Anyone know what all this rejected traffic represents?

Regards,
DigbyT

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
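The question the post raises is which of these dropped packets deserve attention and which can be silenced. The script below is an added example, not part of the original post or of Shorewall: it parses the Shorewall/iptables LOG lines quoted above (embedded here as constructed sample input, without the syslog prefix the poster's copy did not keep), tallies drops per destination port and per source address, and for the noisiest ports emits a rules-file line in the same three-column form as the poster's `DROP net fw udp 1026:1029`. A plain DROP in the rules file carries no `:loglevel` suffix and so is not logged, which is why that line quiets those messages while the `net2all` policy keeps logging everything else. The `_L4` key name for the second `LEN` field on UDP lines is this example's own convention.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: the complete Shorewall:net2all:DROP lines quoted in the
# post, without the syslog prefix (timestamp, host, "kernel:") that the
# poster's copy did not preserve. The truncated first line is left out.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
"""

# Shorewall prefixes every LOG entry with "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one Shorewall/iptables LOG line into a dict.

    key=value tokens become entries; bare tokens (DF, SYN, ACK ...) go into
    rec["flags"]. UDP lines carry LEN twice (IP total length, then UDP
    length); the second occurrence is stored as LEN_L4 (this example's own
    name) so neither value is lost. Returns None for non-Shorewall lines.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"chain": m.group("chain"), "action": m.group("action")}
    flags: List[str] = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            if key in rec:
                key = key + "_L4"
            rec[key] = value
        else:
            flags.append(tok)
    rec["flags"] = flags
    return rec


def summarize(log_text: str) -> Tuple[Counter, Counter]:
    """Count DROPped packets per (PROTO, DPT) and per SRC address."""
    by_port: Counter = Counter()
    by_src: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        by_port[(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
        by_src[rec.get("SRC", "?")] += 1
    return by_port, by_src


def noisy_ports(by_port: Counter, min_hits: int) -> List[Tuple[str, str, int]]:
    """Ports hit at least min_hits times, busiest first: the candidates for a
    silent DROP rule like the poster's udp 1026:1029 line."""
    rows = [(proto, dpt, n) for (proto, dpt), n in by_port.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def quiet_drop_rule(proto: str, dpt: str) -> str:
    """Render a rules-file line in the same form as the poster's
    'DROP net fw udp 1026:1029'; without a :loglevel suffix it is not logged."""
    return f"DROP\tnet\tfw\t{proto.lower()}\t{dpt}"


if __name__ == "__main__":
    ports, sources = summarize(SAMPLE_LOG)
    print("drops per destination port:")
    for proto, dpt, n in noisy_ports(ports, 1):
        print(f"  {n:4d}  {proto}/{dpt}")
    print("drops per source:")
    for src, n in sources.most_common():
        print(f"  {n:4d}  {src}")
    print("suggested silent-drop rules for the noisiest ports:")
    for proto, dpt, _ in noisy_ports(ports, 3):
        print("  " + quiet_drop_rule(proto, dpt))
```

Run against a real /var/log/messages by feeding the file's contents to `summarize()`; the per-port table shows which ports the background noise concentrates on, while the per-source table makes a single address hammering many ports stand out, which is the kind of entry worth keeping in the log rather than silencing.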