LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 11-20-2009, 02:35 PM   #1
voyciz
Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 425

Rep: Reputation: 40
iptables script flooding dmesg


I'm using Arno's iptables script (http://rocky.eld.leidenuniv.nl/jooml...bles&Itemid=86).

Well now the kernel ring buffer is flooded by messages like this:

AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:a3:1e:0a:9c:08:00 SRC=XXX.XXX.X.XXX DST=255.255.255.255 LEN=1897 TOS=0x00 PREC=0x00 TTL=64 ID=29635 PROTO=UDP SPT=21302 DPT=21302 LEN=1877

I've edited /etc/arno-iptables-firewall/firewall.conf and changed these two variables:

Code:
# (EXPERT SETTING!) The location of the dedicated firewall log file. When
# enabled the firewall script will also log start/stop etc. info to this file
# as well. Note that in order to make this work, you should also configure
# syslogd to log firewall messages to this file (see LOGLEVEL below for further
# info).
# -----------------------------------------------------------------------------
FIREWALL_LOG="/var/log/firewall.log"

# (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall.log, but you have to configure
# syslogd accordingly (see included syslogd.conf examples).
# -----------------------------------------------------------------------------
LOGLEVEL="debug"
and here's how /etc/syslog.conf looks:

Code:
# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
        authpriv.none;cron.none;mail.none;news.none     -/var/log/syslog

# Debugging information is logged here.
kern.=debug                                             -/var/log/firewall.log
*.=debug                                                -/var/log/debug

# Private authentication message logging:
authpriv.*                                              -/var/log/secure

# Cron related logs:
cron.*                                                  -/var/log/cron

# Mail related logs:
mail.*                                                  -/var/log/maillog

# Emergency level messages go to all users:
*.emerg                                                 *

# This log is for news and uucp errors:
uucp,news.crit                                          -/var/log/spooler
I thought these two things would fix the problem but apparently not. Could someone please help me out? These messages are getting annoying. I'm guessing that the "*.=debug" statement in syslog.conf is interfering with my statement for firewall.log? What would be the ideal way of adjusting this?

Last edited by voyciz; 11-20-2009 at 02:37 PM.
 
Old 11-21-2009, 07:49 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 115Reputation: 115
Quote:
Originally Posted by voyciz (post #1 above, quoted in full)

You would have to specify exactly what you want debug.log to catch.

i.e., not exactly, but something like

Code:
*.=debug;kern.none            /var/log/debug
 
Old 11-22-2009, 09:32 AM   #3
voyciz
Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 425

Original Poster
Rep: Reputation: 40
Thank you, centosboy. I apologize for not looking closely at the man page for syslog.conf.

OK, so I changed it to
Code:
*.=debug;kern.none               -/var/log/debug
And then did
$ /etc/rc.d/rc.syslog restart

...but I'm having the same problem. Except this time I noticed that what I'm seeing from dmesg is not also in /var/log/debug so it's progress at least. In firewall.conf there is a setting to only store "panic level" messages in the kernel ring buffer (DMESG_PANIC_ONLY=1) but I don't see why these would be considered panic messages...


Maybe I'll just have to switch to a different iptables script? Anyone have some suggestions?

Last edited by voyciz; 11-24-2009 at 11:13 PM.
 
Old 11-24-2009, 05:42 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD
Posts: 3,559
Blog Entries: 3

Rep: Reputation: Disabled
Here's the thing: dmesg(1) prints the kernel ring buffer. And iptables messages are kernel-facility messages.

Two options come to mind:
  1. Start viewing $ dmesg | grep -v 'SPT=' and accept that potentially important messages may be rolling out of the buffer; or
  2. Remove the LOG targets from some or all of your iptables chain(s).
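`dmesg | grep -v 'SPT='` discards every TCP and UDP entry, including the ones worth reading. As an added example (my code, not part of the thread or of Arno's script), here is a parser for the LOG-target line format shown in post #1, a classifier that separates LAN broadcast chatter (DST=255.255.255.255, destination MAC ff:ff:ff:ff:ff:ff) from inbound SYNs and multicast, and a summary of which traffic is producing the noise; that summary is what you want before deciding whether to drop a LOG target or add a quiet rule for one kind of traffic ahead of it. The sample lines are constructed: the post's masked source address is replaced by documentation addresses, and the TCP line is invented so that value-less flag tokens (DF, SYN) are exercised.

```python
"""Parse and triage iptables LOG-target lines like the one in post #1 (stdlib only)."""
import re
from collections import Counter

# Constructed sample. Lines 1-2 are the post's line with its masked source replaced by
# a documentation address and consecutive IP IDs; line 3 is an invented TCP SYN.
SAMPLE_LOG = """\
AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:a3:1e:0a:9c:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=1897 TOS=0x00 PREC=0x00 TTL=64 ID=29635 PROTO=UDP SPT=21302 DPT=21302 LEN=1877
AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:23:a3:1e:0a:9c:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=1897 TOS=0x00 PREC=0x00 TTL=64 ID=29636 PROTO=UDP SPT=21302 DPT=21302 LEN=1877
AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:23:a3:1e:0a:9c:08:00 SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Split a LOG line into prefix, key=value fields, flag tokens and MAC parts."""
    m = re.search(r"\bIN=", line)
    if m is None:
        raise ValueError("not an iptables LOG line: %r" % line)
    rec = {"prefix": line[:m.start()].strip(), "flags": []}
    lens = []
    for tok in line[m.start():].split():
        if "=" not in tok:
            rec["flags"].append(tok)          # DF, SYN, ACK ... carry no value
            continue
        key, val = tok.split("=", 1)
        if key == "LEN":                      # LEN appears twice for UDP/TCP:
            lens.append(int(val))             # IP total length, then transport length
        else:
            rec[key] = val
    rec["ip_len"] = lens[0] if lens else None
    rec["l4_len"] = lens[1] if len(lens) > 1 else None
    parts = rec.get("MAC", "").split(":")
    if len(parts) == 14:                      # dst MAC(6) + src MAC(6) + ethertype(2)
        rec["dst_mac"] = ":".join(parts[:6])
        rec["src_mac"] = ":".join(parts[6:12])
        rec["ethertype"] = "".join(parts[12:])
    return rec


def classify(rec):
    """Coarse triage label; extend with rules for your own network."""
    dst = rec.get("DST", "")
    if dst == "255.255.255.255" or rec.get("dst_mac") == "ff:ff:ff:ff:ff:ff":
        return "lan_broadcast"
    first = dst.split(".")[0]
    if first.isdigit() and 224 <= int(first) <= 239:   # 224.0.0.0/4
        return "multicast"
    if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "inbound_syn"
    return "other"


def summarize(text):
    """Count lines by (class, proto, dst, dport) to see what is making the noise."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            rec = parse_log_line(line)
            counts[(classify(rec), rec.get("PROTO"), rec.get("DST"), rec.get("DPT"))] += 1
    return counts


def interesting_lines(text):
    """What a smarter 'dmesg | grep -v' would keep: everything but LAN broadcast chatter."""
    return [l for l in text.splitlines()
            if l.strip() and classify(parse_log_line(l)) != "lan_broadcast"]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    for l in interesting_lines(SAMPLE_LOG):
        print("KEEP:", l[:80])
```

On the post's own line the two LEN values differ by 20, the IPv4 header, so the second one is the UDP length; the parser keeps both rather than letting the second overwrite the first. Whatever this triage tells you, it still only changes what you read: any `-j LOG` rule that remains goes through printk into the ring buffer, which is why anomie's second option (removing LOG targets) or moving to a userspace logger as in the next post is the only way to keep dmesg clean.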
 
Old 11-24-2009, 11:56 PM   #5
voyciz
Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 425

Original Poster
Rep: Reputation: 40
Well, the only way I could figure out to do it was to install ulogd and then instruct Firehol to use it. Finally that mess is sorted out, been bugging me forever.