Re: Firewall froth..

2008-04-16 Thread Anthony Campbell
On 15 Apr 2008, Digby Tarvin wrote:
 
[snip] 
 where the last line was to filter out the most frequent messages, but
 I am not really sure what, if any, rejected connections/packets I
 should be looking out for, and what should just be ignored...
 
 Perhaps I should redirect the firewall logs to a separate file? Or
 just stick my head in the sand and log nothing - which is presumably
 the situation with my dsl router..
 
 Here is an example of the last dozen or so messages in the log:
  DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
 Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
 
 Is this normal? Anyone know what all this rejected traffic represents?
 

You can prevent this stuff appearing by inserting klogd -c5 to
/etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.

FAQ 16) Shorewall is writing log messages all over my console making it 
unusable!

Answer:

Just to be clear, it is not Shorewall that is writing all over your
console. Shorewall issues a single log message during each start,
restart, stop, etc. It is rather the klogd daemon that is writing
messages to your console. Shorewall itself has no control over where a
particular class of messages is written. See the Shorewall logging
documentation.

* Find where klogd is being started (it will be from one of the
  files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
  the appropriate configuration file so that klogd is started with
  “-c n” where n is a log level of 5 or less; and/or

* See the “dmesg” man page (“man dmesg”). You must add a suitable
  “dmesg” command to your startup scripts or place it in
  /etc/shorewall/start.

Anthony

-- 
Anthony Campbell - [EMAIL PROTECTED] 
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews, 
on-line books and sceptical articles)


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Firewall froth..

2008-04-16 Thread Jon
On Wed, Apr 16, 2008 at 10:00:37AM +0100, Anthony Campbell wrote:

 You can prevent this stuff appearing by inserting klogd -c5 to 
 /etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.

It's better to modify /etc/default/klogd.





Re: Firewall froth..

2008-04-16 Thread Anthony Campbell
On 17 Apr 2008, Jon wrote:
 On Wed, Apr 16, 2008 at 10:00:37AM +0100, Anthony Campbell wrote:
 
  You can prevent this stuff appearing by inserting klogd -c5 to 
  /etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.
 
 It's better to modify /etc/default/klogd.
 
 

Looking at that, I see:

# Use KLOGD="-k /boot/System.map-$(uname -r)" to specify System.map
# -c 4 to alter the kernel console log level (deprecated)
#   use sysctl instead
#

So I looked at /etc/sysctl.conf and found:


 # Uncomment the following to stop low-level messages on console
 kernel.printk = 4 4 1 7


I suppose this will do what is wanted. Mine is uncommented, which is
presumably why I am not getting these unwanted effects.

Anthony


-- 
Anthony Campbell - [EMAIL PROTECTED] 
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews, 
on-line books and sceptical articles)


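Why both fixes in this thread (klogd -c 5 and kernel.printk = 4 4 1 7) quieten the console, as an added example rather than anything posted above or shipped with Shorewall or klogd: kernel.printk has four fields, and the first one, console_loglevel, is the only one that matters here. The kernel prints a message on the console only when its syslog priority number is strictly below console_loglevel (smaller numbers are more urgent), and Shorewall's usual log level for dropped packets is "info", priority 6. So a console level of 4 or 5 keeps those lines off the console while syslog still files them. The helper below encodes those rules; "7 4 1 7" as a starting point is an assumed typical default, and the live read of /proc/sys/kernel/printk only works on a Linux host.

```python
"""kernel.printk semantics for netfilter/Shorewall log lines (added example)."""

# syslog priorities. Shorewall log levels ("info", "warning", ...) map onto these
# and the kernel LOG target emits the line at that priority.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}


def parse_printk(setting):
    """Parse the four integers of kernel.printk / /proc/sys/kernel/printk,
    e.g. "4 4 1 7" from the sysctl.conf line quoted in the thread."""
    fields = setting.split()
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError("expected four integers, got %r" % (setting,))
    console, default_msg, minimum, default_console = (int(f) for f in fields)
    return {"console_loglevel": console,
            "default_message_loglevel": default_msg,
            "minimum_console_loglevel": minimum,
            "default_console_loglevel": default_console}


def reaches_console(setting, level):
    """True if a message at `level` (name or number) is printed on the console:
    only priorities strictly below console_loglevel get there."""
    prio = LEVELS[level] if isinstance(level, str) else int(level)
    return prio < parse_printk(setting)["console_loglevel"]


def after_klogd_c(setting, n):
    """The printk tuple after `klogd -c n`. klogd only changes console_loglevel,
    through syslog(2)'s console-level action, which accepts 1..8 and never sets
    the level below minimum_console_loglevel."""
    n = int(n)
    if not 1 <= n <= 8:
        raise ValueError("console level must be 1..8, got %d" % n)
    p = parse_printk(setting)
    p["console_loglevel"] = max(n, p["minimum_console_loglevel"])
    return "%(console_loglevel)d %(default_message_loglevel)d " \
           "%(minimum_console_loglevel)d %(default_console_loglevel)d" % p


def live_setting(path="/proc/sys/kernel/printk"):
    """Current value on a Linux host, or None elsewhere."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    current = live_setting() or "7 4 1 7"   # assumed typical default if not on Linux
    for label, s in (("current", current),
                     ("sysctl.conf 4 4 1 7", "4 4 1 7"),
                     ("after klogd -c 5", after_klogd_c(current, 5))):
        print("%-22s %-8s info-level firewall lines reach console: %s"
              % (label, s, reaches_console(s, "info")))
```

Run it as a script on the firewall box to see whether the current setting lets Shorewall's info lines through; a sysctl change takes effect at once, whereas klogd -c only applies when klogd is (re)started.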



Firewall froth..

2008-04-15 Thread Digby Tarvin
My personal system is connected to the Internet via an ADSL router which
doesn't give me any information about what doesn't get through. 

However I recently helped a friend set up a Debian box to act as firewall/router
between his cable modem and local LAN, which has given me access to a lot
more detail...

The system is a Debian Etch 40r3 netinstall with Shorewall used to configure
an iptables firewall/router. The hardware has two ethernet interfaces, eth0
connects to the cable modem, eth1 connects to the local lan..

The problem I am having is that the messages from the firewall really
flood /var/log/messages to the point where I am concerned they may cause
me to miss other important things.

My rules file is setup with:
ACCEPT  net     fw      tcp     22
ACCEPT  net     fw      icmp
DROP    net     fw      udp     1026:1029

where the last line was to filter out the most frequent messages, but
I am not really sure what, if any, rejected connections/packets I
should be looking out for, and what should just be ignored...

Perhaps I should redirect the firewall logs to a separate file? Or
just stick my head in the sand and log nothing - which is presumably
the situation with my dsl router..

Here is an example of the last dozen or so messages in the log:
 DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38

Is this normal? Anyone know what all this rejected traffic represents?

Regards,
DigbyT


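One way to answer "what should I be looking out for" in a DROP log like the one in the post above, as an added example rather than anything posted in the thread: a small Python parser for Shorewall/netfilter log lines that tallies dropped packets by destination port and by source, and separates the two usual shapes of noise, many sources hitting one port (worm or spam traffic that can safely be silenced) and one source walking many ports (a scan, which is worth a look). The sample lines are constructed in the format the post shows, with the syslog prefix /var/log/messages adds; the 192.0.2.10 and 198.51.100.7 entries are made up (documentation addresses) to give the summary a scanner and an accepted connection to distinguish, and the port-to-service hints are the well-known assignments (1080 SOCKS, 3306 MySQL, 445 SMB).

```python
"""Summarise Shorewall/netfilter DROP lines: what is dropped, from where, and
which sources look like scanners. Added example, not code from the thread."""
import re
from collections import Counter, defaultdict

# Constructed sample in the thread's log format. The 192.0.2.10 lines are made up
# to show a port scan next to the single-port background noise; the ACCEPT line
# and the non-firewall kernel line show that the parser ignores what it should.
SAMPLE_LOG = """\
Apr 15 15:40:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 15:40:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 15:40:06 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 15:40:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 15:40:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 15:40:10 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 15:41:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=192.0.2.10 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 15:41:05 fw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=198.51.100.7 DST=81.105.30.126 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=9001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 15 15:41:07 fw kernel: eth0: link up, 100Mbps, full-duplex
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<fields>.*)$")

# Well-known port assignments, used only to annotate the report.
SERVICE_HINTS = {("TCP", "22"): "ssh", ("TCP", "1080"): "SOCKS proxy",
                 ("TCP", "3306"): "MySQL", ("TCP", "445"): "SMB", ("UDP", "53"): "DNS"}


def parse_line(line):
    """Return a dict for one Shorewall/netfilter LOG line, or None for any other
    line. key=value tokens become entries; bare tokens (DF, SYN, ...) become
    flags. A UDP line carries LEN twice (IP and UDP); the last one wins."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("fields").split():
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
        else:
            rec["flags"].add(tok)
    return rec


def summarize(log_text, scan_threshold=5):
    """Count dropped packets per (proto, dport) and per source, and flag sources
    that touched at least scan_threshold distinct ports: a scan, not a worm
    hammering one port."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    drops = [r for r in records if r["action"] == "DROP"]
    by_port = Counter((r.get("PROTO"), r.get("DPT")) for r in drops)
    by_src = Counter(r.get("SRC") for r in drops)
    ports_per_src = defaultdict(set)
    for r in drops:
        ports_per_src[r.get("SRC")].add((r.get("PROTO"), r.get("DPT")))
    scanners = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {"logged": len(records), "dropped": len(drops), "by_port": by_port,
            "by_src": by_src, "scanners": scanners}


def report(summary, top=5):
    """Short digest of the kind a daily log-audit script would mail out."""
    lines = ["%d firewall log lines, %d dropped" % (summary["logged"], summary["dropped"])]
    for (proto, dpt), n in summary["by_port"].most_common(top):
        lines.append("  %-4s dport %-5s %3d  %s" % (proto, dpt, n, SERVICE_HINTS.get((proto, dpt), "")))
    for src, n in summary["by_src"].most_common(top):
        tag = "  (many distinct ports: scanner?)" if src in summary["scanners"] else ""
        lines.append("  from %-16s %3d%s" % (src, n, tag))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(summarize(text)))
```

Feed it the real thing with something like `grep Shorewall /var/log/messages | python3 thisfile.py`; the per-port table is what tells you which DROP rules can be made silent, and the scanner list is what would be lost by silencing everything.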



Re: Firewall froth..

2008-04-15 Thread Brian McKee


On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:

The problem I am having is that the messages from the firewall really
flood /var/log/messages to the point where I am concerned they may cause
me to miss other important things.
...
Perhaps I should redirect the firewall logs to a separate file? Or
just stick my head in the sand and log nothing - which is presumably
the situation with my dsl router..



If it's dropped - then the firewall did its job.
Why look at the results unless you have a problem?
Worry about what's getting through, not what isn't.

Brian




Re: Firewall froth..

2008-04-15 Thread Digby Tarvin
On Tue, Apr 15, 2008 at 01:23:59PM -0400, Brian McKee wrote:

 On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:
 The problem I am having is that the messages from the firewall really
 flood /var/log/messages to the point where I am concerned they may cause
 me to miss other important things.
 ...
 Perhaps I should redirect the firewall logs to a separate file? Or
 just stick my head in the sand and log nothing - which is presumably
 the situation with my dsl router..
 

 If it's dropped - then the firewall did its job.
 Why look at the results unless you have a problem?
 Worry about what's getting through, not what isn't

 Brian

Thanks, that's what I was thinking. If anyone can think of a reason
not to extend the
DROP    net     fw      udp     1026:1029
so that logging for all blocked packets is suppressed I'd be interested
in hearing it..

Just out of curiosity, does anyone know what any of this bogus traffic
to (for example ports 1947 and 1948 are popular at the moment) might be?
Is it common to see this much noise? Is it perhaps undocumented traffic
generated by windows systems that others have connected directly to the
net? Or perhaps malicious traffic targeting vulnerabilities of windows
systems that might be unfirewalled on the net?

Regards,
DigbyT





Re: Firewall froth..

2008-04-15 Thread Alex Samad
On Tue, Apr 15, 2008 at 08:06:01PM +, Digby Tarvin wrote:
 On Tue, Apr 15, 2008 at 01:23:59PM -0400, Brian McKee wrote:
 
  On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:
  The problem I am having is that the messages from the firewall really
  flood /var/log/messages to the point where I am concerned they may cause
  me to miss other important things.
  ...
  Perhaps I should redirect the firewall logs to a separate file? Or
  just stick my head in the sand and log nothing - which is presumably
  the situation with my dsl router..
  
 
  If it's dropped - then the firewall did its job.
  Why look at the results unless you have a problem?
  Worry about what's getting through, not what isn't
 
  Brian
 
 Thanks, that's what I was thinking. If anyone can think of a reason
 not to extend the
 DROP    net     fw      udp     1026:1029
 so that logging for all blocked packets is suppressed I'd be interested
 in hearing it..

Just be careful with UDP: it's a connectionless protocol, therefore any
UDP streams will not be caught in the state RELATED,ESTABLISHED line,
for example if you block off UDP 53 (DNS).



 
 Just out of curiosity, does anyone know what any of this bogus traffic
 to (for example ports 1947 and 1948 are popular at the moment) might be?
 Is it common to see this much noise? Is it perhaps undocumented traffic
 generated by windows systems that others have connected directly to the
 net? Or perhaps malicious traffic targeting vulnerabilities of windows
 systems that might be unfirewalled on the net?
 
 Regards,
 DigbyT
 
 
 
 

-- 
So I don't know where [Bin Laden] is.  You know, I just don't spend that much 
time on him.

- George W. Bush
03/13/2002
Washington, DC
White House Press Conference




Re: Firewall froth..

2008-04-15 Thread Douglas A. Tutty
On Tue, Apr 15, 2008 at 03:42:54PM +, Digby Tarvin wrote:
 
 where the last line was to filter out the most frequent messages, but
 I am not really sure what, if any, rejected connections/packets I
 should be looking out for, and what should just be ignored...
 
 Perhaps I should redirect the firewall logs to a separate file? Or
 just stick my head in the sand and log nothing - which is presumably
 the situation with my dsl router..

I don't have any incoming ports since I don't offer services to the net,
not even ssh.  Therefore, I drop everything coming in and don't log it.
I by default have all ports outgoing closed too, and log everything that
shorewall stops.  Then I open the ports I need with selected ACCEPT
macros.  Then the only things that end up in syslog are ones I need to
see.  My logaudit script doesn't filter out shorewall lines so I see
them.  I do have console logging turned off so I don't get interrupted.

Doug.


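The setup Doug describes, and the original poster's "silence the noisy range, keep the rest" alternative, written out as Shorewall policy and rules entries. This is an added example, not either poster's actual configuration: it uses only the net and fw zones from the thread (a loc zone for eth1 would be added the same way), and the Debian Etch Shorewall 3.x syntax. Policy entries are matched first-match; an empty LOG LEVEL column makes a policy drop silently, and ACTION:level in the rules file logs just that one rule.

```text
# /etc/shorewall/policy   (added example)
#SOURCE   DEST   POLICY   LOG LEVEL
net       fw     DROP                  # inbound to the firewall: dropped, not logged
net       all    DROP                  # inbound to anything else: same
fw        net    REJECT   info         # outbound closed by default and logged;
                                       # REJECT fails local programs fast, DROP also works
all       all    REJECT   info

# /etc/shorewall/rules    (added example)
#ACTION       SOURCE  DEST   PROTO   DEST PORT(S)
# Outbound: open only what is needed, with Shorewall's macros or explicit ports,
# so the only fw->net lines that reach syslog are ones not on this list.
DNS(ACCEPT)   fw      net
Web(ACCEPT)   fw      net
ACCEPT        fw      net    tcp     22

# Inbound: nothing, since no services are offered. To keep ssh reachable as in
# the original post while logging only the drops worth seeing, use a logged
# inbound policy (net fw DROP info) and silence the noisy ranges rule by rule:
#ACCEPT       net     fw     tcp     22
#DROP         net     fw     udp     1026:1029     # silent: no log level given
#DROP:info    net     fw     tcp     3306          # logged at info for this port only
```

Check the result with `shorewall check` before `shorewall restart`, and `shorewall show log` afterwards to confirm that only the lines you asked for are still being written.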