IPFW entries in /var/log/messages
Hi,

Can anybody shed some light on my ipfw and /var/log/messages problem? For a few weeks/months we have had the following entries in the /var/log/messages logfile.

Some information about the system itself: it's an i386 6.2-RELEASE-p4 installation with a custom SMP kernel (SCHED_4BSD) and a local ipfw, running a caching-only BIND 9.4.1-P1.

[/var/log/messages]
Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
Sep 18 10:31:35 ns2 kernel:
Sep 18 10:58:05 ns2 kernel: 80
Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
Sep 18 11:35:43 ns2 kernel: 2
Sep 18 11:40:01 ns2 kernel: 6
Sep 18 11:42:23 ns2 kernel: t
Sep 18 11:48:33 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.193.212:60217 80.242.192.81:53 in via bge0
Sep 18 11:48:33 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.193.210:53799 out via bge0
Sep 18 12:21:24 ns2 kernel: 8
Sep 18 12:25:14 ns2 kernel:
Sep 18 12:39:06 ns2 kernel: 9110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.193.210:53715 out via bge0
Sep 18 12:50:29 ns2 kernel: 80
Sep 18 12:51:24 ns2 kernel: o
Sep 18 12:52:01 ns2 kernel: 2
Sep 18 13:04:35 ns2 kernel:
Sep 18 13:07:05 ns2 kernel: 1
Sep 18 13:07:27 ns2 kernel: 53 80.242.206.125:1034 out via bge0
Sep 18 13:20:08 ns2 kernel: ipfw: 7700 Ac1ept UDP 82.242.192.84:53 80.242.20g.19:1200 out:via bge0
Sep 18 13:31:08 ns2 kernel:
Sep 18 13:35:34 ns2 kernel: ge
Sep 18 13:38:39 ns2 kernel:
Sep 18 13:42:11 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.195.9:1024 80.242.192.81:53 in via bge0
Sep 18 13:42:11 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.79:1163 out via bge0

TIA
Philippe Mächler

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: IPFW entries in /var/log/messages
Hi Nikos

Thanks for your reply.

> On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > Since a few weeks/months we have the following entries in the
> > /var/log/messages logfile.
> []
> > [/var/log/messages]
> > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > Sep 18 10:31:35 ns2 kernel:
> > Sep 18 10:58:05 ns2 kernel: 80
> > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
>
> I can think of two things.
>
> 1) Is anybody playing with logger(1)?
> e.g.
> logger -t kernel "Let's play with the administrator..."
> tail /var/log/messages

I fear it's neither of the two things you mentioned.

[1] /var/log/auth.log does not show an external nor an abnormal login. And I believe that my workmates won't fool me with stuff like this :)

> 2) Are these entries new? Are you sure that they refer
> to 2007-09? It can happen. Seeing a message from a year back.
> Especially on a low maintenance box.

[2] These are actual entries. In the meantime I got a few new ones...

Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
Sep 18 16:09:42 ns2 kernel: b
Sep 18 16:13:42 ns2 kernel:
Sep 18 16:23:14 ns2 kernel:
Sep 18 16:23:24 ns2 kernel: 8
Sep 18 16:30:49 ns2 kernel:

> Nikos

Philippe
RE: IPFW entries in /var/log/messages
Hello Mel

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mel
> Sent: Tuesday, September 18, 2007 5:00 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: IPFW entries in /var/log/messages
>
> On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > Hi Nikos
> >
> > Thanks for your reply.
> >
> > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > Since a few weeks/months we have the following entries in the
> > > > /var/log/messages logfile.
> > > []
> > > > [/var/log/messages]
> > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > Sep 18 10:31:35 ns2 kernel:
> > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
> > >
> > > I can think of two things.
> > >
> > > 1) Is anybody playing with logger(1)?
> > > e.g.
> > > logger -t kernel "Let's play with the administrator..."
> > > tail /var/log/messages
> >
> > I fear it's neither of the two things you mentioned
> >
> > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > And I believe that my workmates won't fool me with stuff like this :)
> >
> > > 2) Are these entries new? Are you sure that they refer
> > > to 2007-09? It can happen. Seeing a message from a year back.
> > > Especially on a low maintenance box.
> >
> > [2] These are actual entries. In the meantime I got a few new ones...
> >
> > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > Sep 18 16:09:42 ns2 kernel: b
> > Sep 18 16:13:42 ns2 kernel:
> > Sep 18 16:23:14 ns2 kernel:
> > Sep 18 16:23:24 ns2 kernel: 8
> > Sep 18 16:30:49 ns2 kernel:
>
> These look like classic buffer corruptions, either that or you're logging
> part of the raw packet and bytes interpreted as non-printing chars like
> return and backspace mangle the output. Can you narrow it down to the one
> offending rule? Or is any logging by ipfw this mangled?

I think I can narrow it down to the following rules, but I'm not sure because it's hard to "decode" the logfile :)

07600 55768608  3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0
07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0
08100  5664976   357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state

Hmm, I should change the "allow log" lines into "allow" only. No idea why I log every packet.

Philippe
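A small triage script for this thread, added here as an example and not code posted by anyone in it. The `<110>` fragments are a useful clue: the kernel prefixes every log message in its message buffer with its syslog priority, and ipfw logs with LOG_SECURITY|LOG_INFO, which is 13*8+6 = 110. syslogd strips that prefix when it reads a whole line from /dev/klog, so seeing `<110>`, `<<110>`, `110>` or `0>` in the text means message boundaries were lost. A boundary loss can truncate or splice lines, but it cannot change single bytes inside a message the way `Ac1ept` and `out:via` are changed, so the script keeps that as its own category. The sample log lines are copied from the posts (plus one constructed clean line), the rule lines are the `ipfw -a list` output above, and the set of ipfw action words in the regex is an assumption covering the common ones only.

```python
"""Triage mangled ipfw log lines from /var/log/messages and find the rules
producing them. Added example for the thread above; not from the posts.

Categories for the text after 'kernel: ':
  ok          well-formed ipfw log message
  leaked_pri  kernel log priority tag (<110> = LOG_SECURITY|LOG_INFO) left
              in the text because the message boundary was lost
  fragment    head or tail of a message, or a stray character
  mutated     right shape for an ipfw line but bytes changed inside fixed
              tokens ('Ac1ept', 'out:via'); boundary loss cannot do that
  empty       nothing after 'kernel:'
"""
import re
from collections import Counter

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ?(?P<msg>.*)$"
)
# A leaked, possibly damaged, priority tag: "<110>", "<<110>", "110>", "<11<110>", "0>"
PRI_TAG = re.compile(r"^(?P<junk>[<\d]*)>")
# ipfw(8) log line for TCP/UDP on FreeBSD 6.x. Assumption: only the common
# action words are listed; ICMP lines carry no ports and are not handled.
IPFW_LOG = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reject|Unreach|Reset|Count) "
    r"(?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$"
)
# Token shape of the same line; tells a mutated message from a fragment.
IPFW_SHAPE = re.compile(r"^ipfw: \S+ \S+ \S+ \S+ \S+ \S+[ :]via \S+$")
# 'ipfw -a list' output: "<rule> <packets> <bytes> <rule body>"
RULE_LINE = re.compile(r"^(?P<num>\d+) +(?P<pkts>\d+) +(?P<bytes>\d+) +(?P<body>.+)$")


def decode_pri(pri):
    """syslog PRI = facility*8 + severity; 110 -> (13, 6) = security.info."""
    return pri >> 3, pri & 7


def classify(msg):
    """Classify the text after 'kernel: '. Returns (category, detail dict)."""
    if msg == "":
        return "empty", {}
    pri = None
    tag = PRI_TAG.match(msg)
    if tag:
        digits = re.findall(r"\d+", tag["junk"])
        pri = int(digits[-1]) if digits else None   # last digit run is the tag
        msg = msg[tag.end():]
    good = IPFW_LOG.match(msg)
    if good:
        detail = {k: good[k] for k in ("action", "src", "dst", "dir", "iface")}
        detail["rule"] = int(good["rule"])
        if tag:
            detail["pri"] = pri
            detail["pri_valid"] = pri is not None and 0 <= pri <= 191
            return "leaked_pri", detail
        return "ok", detail
    if IPFW_SHAPE.match(msg):
        return "mutated", {"text": msg}
    return "fragment", {"text": msg}


def triage(lines):
    """Parse /var/log/messages lines; returns [(timestamp, category, detail)]."""
    out = []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if m:
            cat, detail = classify(m["msg"])
            out.append((m["ts"], cat, detail))
    return out


def noisy_log_rules(rule_lines):
    """From 'ipfw -a list' output return (rule, packets, body) for rules that
    log without a logamount cap, busiest first. Without logamount the cap is
    sysctl net.inet.ip.fw.verbose_limit, whose default of 0 means no limit."""
    found = []
    for line in rule_lines:
        m = RULE_LINE.match(line.strip())
        if m and re.search(r"\blog\b", m["body"]) and "logamount" not in m["body"]:
            found.append((int(m["num"]), int(m["pkts"]), m["body"]))
    return sorted(found, key=lambda r: -r[1])


# Lines copied from the thread; the last one is constructed to show a clean line.
SAMPLE_LOG = [
    "Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0",
    "Sep 18 10:31:35 ns2 kernel:",
    "Sep 18 10:58:05 ns2 kernel: 80",
    "Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0",
    "Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0",
    "Sep 18 12:39:06 ns2 kernel: 9110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.193.210:53715 out via bge0",
    "Sep 18 13:07:27 ns2 kernel: 53 80.242.206.125:1034 out via bge0",
    "Sep 18 13:20:08 ns2 kernel: ipfw: 7700 Ac1ept UDP 82.242.192.84:53 80.242.20g.19:1200 out:via bge0",
    "Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0",
    "Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0",
    "Sep 18 16:08:19 ns2 kernel: ipfw: 7600 Accept UDP 10.0.0.1:1024 80.242.192.81:53 in via bge0",  # constructed
]
SAMPLE_RULES = [
    "07600 55768608 3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0",
    "07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0",
    "08100 5664976 357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(Counter(cat for _, cat, _ in results))
    for ts, cat, detail in results:
        print(ts, cat, detail)
    for num, pkts, body in noisy_log_rules(SAMPLE_RULES):
        print(f"rule {num:05d}: {pkts} packets logged by '{body}'")
```

Run it on a real file with `triage(open("/var/log/messages").read().splitlines())`; a high `fragment`/`leaked_pri` ratio tied to a few rules with tens of millions of logged packets points at log volume, while any `mutated` hits deserve the memory-corruption reading Mel gives above.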
ARP Messages
Hello,

I have some strange messages on a FreeBSD 5.4 server. The system has a private IP on bge1 and a public one on bge0.

Every 2-3 seconds I get an entry like these...

> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> arp: 80.242.192.80 is on lo0 but got reply from 00:0e:7f:fe:10:3f on bge1
> arp: 192.168.3.222 is on lo0 but got reply from 00:0e:7f:fe:40:c2 on bge0

The funny thing is that the IP 80.242.192.80 is on MAC 00:0e:7f:fe:10:3f, but on bge0 and not bge1. Also the IP address 192.168.3.222 has 00:0e:7f:fe:40:c2, but on bge1 instead of bge0.

See ifconfig output below...

%ifconfig
bge0: flags=8943 mtu 1500
        options=1a
        inet 80.242.192.80 netmask 0xffffffc0 broadcast 80.242.192.127
        ether 00:0e:7f:fe:10:3f
        media: Ethernet autoselect (100baseTX )
        status: active
bge1: flags=8843 mtu 1500
        options=1a
        inet 192.168.3.222 netmask 0xffffff00 broadcast 192.168.3.255
        ether 00:0e:7f:fe:40:c2
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

%netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.242.192.65      UGS         0  6885962   bge0
80.242.192.64/26   link#1             UC          0        0   bge0
80.242.192.65      00:00:0c:07:ac:01  UHLW        1        0   bge0    481
80.242.192.80      00:0e:7f:fe:10:3f  UHLW        0      229    lo0
80.242.192.81      00:19:bb:25:7b:63  UHLW        0   179281   bge0   1027
127.0.0.1          127.0.0.1          UH          0   277552    lo0
192.168.2          192.168.3.254      UGS         0     8209   bge1
192.168.3          link#2             UC          0        0   bge1
192.168.3.222      00:0e:7f:fe:40:c2  UHLW        0     7283    lo0
192.168.3.254      00:a0:8e:77:9a:b9  UHLW        1        0   bge1    521
%

Does anybody have an idea why I get these messages? Or how I can find out where they come from?

Philippe
RE: ARP Messages
> >> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> >> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> >> arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
> >> arp: 80.242.192.80 is on lo0 but got reply from 00:0e:7f:fe:10:3f on bge1
> >> arp: 192.168.3.222 is on lo0 but got reply from 00:0e:7f:fe:40:c2 on bge0
> >
> > The funny thing is that the IP 80.242.192.80 is on MAC 00:0e:7f:fe:10:3f,
> > but on bge0 and not bge1. Also the IP address 192.168.3.222 has
> > 00:0e:7f:fe:40:c2, but on bge1 instead of bge0.
> >
> > See ifconfig output below...
>
> Sorry if it's a stupid question, but aren't your network cables swapped?

That was my first idea too :) But they are correctly connected. If so there would be a lot of deny messages in the firewall log and a few services wouldn't run.
RE: ARP Messages
> Hello, Mächler Philippe!
>
> On Tue, Feb 26, 2008 at 01:14:11PM +0100
> [EMAIL PROTECTED] wrote about "ARP Messages":
> > Hello,
> >
> > I have some strange messages on a FreeBSD 5.4 Server
> > The system has a private ip on bge1 and a public one on bge0
> >
> > Every 2-3 seconds i get an entry like these...
> > > arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2006-March/015791.html

If the two computers are on the same physical switch this makes sense. But in my case these two networks are two different, physical networks... (I'll try to draw it :)

 -----------------                        -----------------
 ¦ server        ¦                        ¦ router/firewall ¦
 ¦ 192.168.3.222 ¦---[switch (3.x/24)]---¦ 192.168.3.254   ¦---[switch (2.x/24)]
 ¦ 80.242.192.80 ¦---                     -----------------
 -----------------   ¦
                     ¦
                  [switch]---[Gateway 80.242.192.65]---[INTERNET]

hth
Philippe
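A way to sort these messages before reaching for tcpdump, added here as an example; it is not code from anyone in the thread. FreeBSD prints "arp: X is on IF but got reply from MAC on IF2" when an ARP reply for X arrives on an interface other than the one X's route points to, and "is on lo0" means X is one of the host's own addresses. That gives three distinguishable cases: the host's own MAC coming back in on its other NIC (the two segments are joined somewhere at layer 2, despite the drawing), a peer's already-cached MAC arriving on the wrong NIC (same root cause seen from the peer's side), and a different MAC answering for an address the host already resolved (a conflict or ARP spoofing). OWN_IFACES and ARP_TABLE are copied from the ifconfig and netstat -rn output in the first post; the last SAMPLE_LOG line is constructed to show the spoofing case and is not from the thread.

```python
"""Triage FreeBSD 'arp: <ip> is on <if> but got reply from <mac> on <if2>'
messages against the host's own addresses and its cached link-layer table.
Added example for the ARP thread above; not code from the posts."""
import re
from collections import Counter

ARP_MSG = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<expect>\w+) but got reply from "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<got>\w+)$"
)

# The host's own interfaces, from the ifconfig output in the thread.
OWN_IFACES = {
    "bge0": {"ip": "80.242.192.80", "mac": "00:0e:7f:fe:10:3f"},
    "bge1": {"ip": "192.168.3.222", "mac": "00:0e:7f:fe:40:c2"},
}
# UHLW entries from netstat -rn in the thread: ip -> (lladdr, interface)
ARP_TABLE = {
    "80.242.192.65": ("00:00:0c:07:ac:01", "bge0"),
    "80.242.192.81": ("00:19:bb:25:7b:63", "bge0"),
    "192.168.3.254": ("00:a0:8e:77:9a:b9", "bge1"),
}

# Five lines from the thread plus one constructed spoofing line (the last).
SAMPLE_LOG = [
    "arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1",
    "arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1",
    "arp: 80.242.192.81 is on bge0 but got reply from 00:19:bb:25:7b:63 on bge1",
    "arp: 80.242.192.80 is on lo0 but got reply from 00:0e:7f:fe:10:3f on bge1",
    "arp: 192.168.3.222 is on lo0 but got reply from 00:0e:7f:fe:40:c2 on bge0",
    "arp: 192.168.3.254 is on bge1 but got reply from 00:de:ad:be:ef:01 on bge0",  # constructed
]


def classify(msg):
    """Return a dict with the parsed fields and a 'cat' label, or None."""
    m = ARP_MSG.search(msg)
    if not m:
        return None
    r = {"ip": m["ip"], "expect": m["expect"], "mac": m["mac"].lower(), "got": m["got"]}
    own_by_mac = {v["mac"]: name for name, v in OWN_IFACES.items()}
    own_ips = {v["ip"] for v in OWN_IFACES.values()}
    known = ARP_TABLE.get(r["ip"])
    if r["mac"] in own_by_mac:
        # Our own reply, sent from own_by_mac[mac], came back in on another
        # NIC: something joins the two segments at layer 2.
        r["cat"] = "own_frame_on_other_segment"
        r["sent_on"] = own_by_mac[r["mac"]]
    elif r["ip"] in own_ips:
        # A foreign MAC answering for one of our addresses: conflict or spoofing.
        r["cat"] = "own_ip_claimed_by_other"
    elif known and known[0] == r["mac"]:
        # The lladdr we already cache, just on the wrong NIC: the peer's
        # frames reach both segments (same root cause, seen from the peer).
        r["cat"] = "known_peer_on_other_segment"
        r["cached_on"] = known[1]
    elif known:
        # A different MAC claiming an address we already resolved:
        # ARP poisoning or an address conflict.
        r["cat"] = "mac_conflict"
        r["cached_mac"] = known[0]
    else:
        r["cat"] = "unknown_peer"
    return r


def triage(lines):
    return [r for r in (classify(line) for line in lines) if r]


def summary(results):
    return Counter(r["cat"] for r in results)


def capture_filter(r):
    """tcpdump command that shows the offending frames, with link-layer
    header, on the NIC they arrived on."""
    return f"tcpdump -e -n -i {r['got']} arp and ether src {r['mac']}"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(summary(results))
    for r in results:
        print(r["cat"], r["ip"], r["mac"], "expected", r["expect"], "got", r["got"])
        print("  check with:", capture_filter(r))
```

The two "is on lo0" lines are the decisive ones: the server hears its own ARP replies arrive on the other NIC, which only happens if frames sent on bge0 can reach bge1 and vice versa. The tcpdump filter it prints (`-e` shows the Ethernet header) lets you confirm on which switch port those frames show up.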