conntrack messages are filling my screen!

drakebasher · 02-11-2006, 11:19 PM

I'm putting Debian Sarge on all of my systems: I have a server/firewall that doesn't have X installed and that serves a few workstations. My problem is that certain messages about network activity are being sent to the text screen on the server. The messages look something like this:

Code:

IN=ppp0 OUT= MAC= SRC=66.2.31.2 DST=66.2.88.99 LEN=48 TOS=0x00 PREC=0x00 TTL
=121 ID=59887 DF PROTO=TCP SPT=3762 DPT=139 WINDOW=8160 RES=0x00 SYN URGP=0

That's just one message. I get several within a few seconds and then maybe one every 30 seconds, randomly. It looks like logging information that needs either to be redirected or turned off. Help?

jschiwal · 02-12-2006, 12:55 AM

Check your /etc/syslog-ng/syslog-ng.conf or /etc/syslog.conf file. It could also be that you are logged in as root, which should be only done temporarily.

On my computer, there is an /etc/syslog-ng/syslog-ng.conf.in file that I would edit instead.

Look that this part:

Code:

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };

On my computer, these messages show up on vt10 and not on a console. You may just need to comment out a couple lines to stop the behavior you are seeing.

Dead Parrot · 02-12-2006, 09:57 AM

You could try this sequence of commands (the first character, "$" or "#", represents the shell prompt):

$ su
# echo "dmesg -n1" > /etc/init.d/local
# chmod +x /etc/init.d/local
# update-rc.d local start 80 2 3 4 5 .
# /etc/init.d/local start
# exit
$

A better alternative would be to redirect the log messages to some file instead. This is easy with the FireHOL firewall and ulogd but I don't know how to do it with other firewalls.

drakebasher · 02-12-2006, 11:56 AM

Thanks for the replies. jschiwal: I am using syslog and I edited /etc/syslog.conf in an effort to fix it so here's what I have currently (I've omitted all the comments and empty lines):

Code:

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
uucp.*                          /var/log/uucp.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         *
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/tty4

I changed the last line from /dev/xconsole to /dev/tty4 and that causes some messages to go to tty4, but they are not the same as those on tty1. It looks like all of the things above, except for the last, are being sent to files. Maybe the messages I'm seeing are being directed by some other .conf file? Dead Parrot: I'll have to research your response a bit. Thanks alot for the reference to FireHOL. I hadn't heard of that, but it looks promising. Thanks~

saman007uk · 02-12-2006, 12:19 PM

You can just remove logging from the firewall. Something glike this might help:

Code:

/sbin/iptables-save | grep -v LOG | /sbin/iptables-restore

saman007uk · 02-12-2006, 12:21 PM

Quote:

Originally Posted by Dead Parrot

A better alternative would be to redirect the log messages to some file instead. This is easy with the FireHOL firewall and ulogd but I don't know how to do it with other firewalls.

How would you redirect logs to a file in Firehol? I've been looking for something like this for ages ...

drakebasher · 02-12-2006, 12:49 PM

Quote:

Originally Posted by saman007uk

You can just remove logging from the firewall. Something glike this might help:

Code:

/sbin/iptables-save | grep -v LOG | /sbin/iptables-restore

I've done a variation on your suggestion and all seems okay, so that works until I've done more research. Thanks, all.

Dead Parrot · 02-12-2006, 12:57 PM

Quote:

How would you redirect logs to a file in Firehol?

The nice thing about FireHOL is that it has native support for ulogd. After installing the software (aptitude install firehol ulogd) you can enable log redirecting in FireHOL's config file, /etc/default/firehol. Make it look like this:

START_FIREHOL=YES
FIREHOL_LOG_MODE="ULOG"

I used Firestarter before discovering FireHOL+ulogd and the log messages in console were quite annoying.

So when I found out that enabling ulogd in FireHOL was that easy, it really saved my day.

And the firewall configuration with FireHOL is also not that difficult. There's a command line tool named "firehol-wizard" ("firehol-wizard > /etc/firehol/firehol.conf") that checks your running services and then creates an initial firewall config file for you. If you want to, for example, open port 6881 in order to speed up bittorrent downloads, you can add something like this to /etc/firehol/firehol.conf:

# Allow BitTorrent server ports
server_bittorrent_ports="tcp/6881"
client_bittorrent_ports=any
server bittorrent accept
client all accept

Then you just restart FireHOL ("/etc/init.d/firehol restart" or simply "/sbin/firehol restart") and you're ready to go.