Andrew Suffield wrote:
> On Mon, Dec 03, 2007 at 09:13:48AM +0100, Götz Reinicke wrote:
>> I found out that a student's MacBook flooded the LAN with broadcasts
>> and tried to reach one outside server on the internet with port 5354.
>>
>> His broadcasts etc. had been dropped or rejected by the Shorewall
>> policies and had been logged - so the logfile grew very fast.
>
> Why are you even bothering to log this information?

Because I'd like to know what's going on. How would I monitor hacking or attack attempts without logging? (Maybe there is another way I haven't found yet.)

>> What could/would be a good solution or tool or your suggestions to
>> handle such broadcast storms or situations?
>
> You apparently do not have a problem with network traffic, merely with
> logging, so the only problem you need to solve here is logging. You
> have two specific problems to tackle here:
>
>> Our perimeter firewall stopped working and I found that my
>> /var/log partition was 100% in use.
>
> That's the first one. Why does your firewall stop working when the
> filesystem containing /var/log fills up? There is no reason why
> netfilter should stop passing packets, so it can't be directly caused
> by shorewall - I'm betting that some other application is at fault
> here. If the application cannot be fixed, and you want to keep the
> logs, they should not be placed on the same filesystem as the one
> which breaks the system when it fills up.

That's true; the problem for me is that I have no clue which app stops if the filesystem is full, so that Shorewall will stop after that. Maybe syslog fails and so does Shorewall while trying to log?

> The second problem is that your logging system fills space without
> bounds. It would be straightforward to rotate the logs based on size
> so that this cannot happen.

That's a good idea! How to do this with syslogd?

Thanks and best regards

Götz

--
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail [EMAIL PROTECTED]
Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister a.D.
Managing Director: Prof. Thomas Schadt
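One way to find which host is behind a log flood like the one described in this message, as an added example that is not part of the original post or of Shorewall: it counts logged packets per source address and reports any source that dominates the log. The sample lines are constructed and assume Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed, abridged sample lines (documentation address ranges, not values
# from the thread), assuming the default "Shorewall:<chain>:<disposition>:" prefix.
SAMPLE_LOG = """\
Dec  3 09:01:10 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 PROTO=UDP SPT=5354 DPT=5354
Dec  3 09:01:10 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=192.0.2.57 DST=192.0.2.255 PROTO=UDP SPT=5353 DPT=5353
Dec  3 09:01:11 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 PROTO=UDP SPT=5354 DPT=5354
Dec  3 09:01:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=40112 DPT=22
Dec  3 09:01:12 fw syslogd 1.4.1: restart.
Dec  3 09:01:12 fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.9 PROTO=UDP SPT=5354 DPT=5354
Dec  3 09:01:13 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=192.0.2.80 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137
"""

PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):(.*)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # netfilter KEY=value pairs


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(3)))
    return {"chain": m.group(1), "disposition": m.group(2),
            "src": fields.get("SRC"), "dpt": fields.get("DPT")}


def noisy_sources(lines, min_share=0.5):
    """List sources responsible for at least min_share of the logged packets."""
    per_src = Counter()
    detail = defaultdict(Counter)  # src -> (chain, disposition, dpt) counts
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue  # skip non-Shorewall lines such as syslogd restarts
        per_src[rec["src"]] += 1
        detail[rec["src"]][(rec["chain"], rec["disposition"], rec["dpt"])] += 1
    total = sum(per_src.values())
    report = []
    for src, n in per_src.most_common():
        if n / total >= min_share:
            report.append({"src": src, "lines": n, "share": round(n / total, 2),
                           "top_rule": detail[src].most_common(1)[0][0]})
    return report


if __name__ == "__main__":
    for row in noisy_sources(SAMPLE_LOG.splitlines()):
        print(row)
```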
