Old 04-15-2008, 03:42 PM
"Digby Tarvin"
 
Default Firewall froth..

My personal system is connected to the Internet via an ADSL router which
doesn't give me any information about what doesn't get through.

However I recently helped a friend setup a Debian box to act as firewall/router
between his cable modem and local LAN, which has given me access to a lot
more detail...

The system is a Debian Etch 40r3 netinstall with Shorewall used to configure
an iptables firewall/router. The hardware has two ethernet interfaces, eth0
connects to the cable modem, eth1 connects to the local lan..

The problem I am having is that the messages from the firewall really
flood /var/log/messages to the point where I am concerned they may cause
me to miss other important things.

My rules file is setup with:
ACCEPT net fw tcp 22
ACCEPT net fw icmp
DROP net fw udp 1026:1029

where the last line was to filter out the most frequent messages, but
I am not really sure what, if any, rejected connections/packets I
should be looking out for, and what should just be ignored...

Perhaps I should redirect the firewall logs to a separate file? Or
just stick my head in the sand and log nothing - which is presumably
the situation with my dsl router..

Here is an example of the last dozen or so messages in the log:
DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38

Is this normal? Anyone know what all this rejected traffic represents?

Regards,
DigbyT


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
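The question above is really "which of these dropped packets deserve attention?". As an added example (not code from the thread or from Shorewall), the following script parses lines in the Shorewall/netfilter LOG format quoted in the post and summarises them the way a defender would triage them: hits per destination port, single sources probing many ports (a scan), and single ports probed by many unrelated sources (background noise worth dropping without logging). The sample log, the hostname, addresses and MAC are constructed; the thresholds min_ports and min_sources are arbitrary starting points.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log extract in the Shorewall/netfilter LOG format quoted
# in the thread (syslog timestamp and "kernel:" prefix included; addresses are
# from the RFC 5737 documentation ranges). The last line is an unrelated sshd
# entry, included to show that non-firewall lines are skipped, not miscounted.
SAMPLE_LOG = """\
Apr 15 14:01:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 14:01:05 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
Apr 15 14:01:09 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 14:01:09 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 14:01:10 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
Apr 15 14:02:00 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:02:00 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:02:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:02:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=40001 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:02:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:02:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=TCP SPT=40001 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 15 14:03:00 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 14:03:30 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.21 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=9001 DF PROTO=TCP SPT=2301 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 14:03:45 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=9002 DF PROTO=TCP SPT=3555 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 15 14:04:00 gw sshd[1234]: Accepted publickey for admin from 192.0.2.55 port 50000 ssh2
"""

# Prefix is "Shorewall:<chain>:<disposition>:", followed by KEY=VALUE fields.
# Bare flags such as DF and SYN carry no "=" and are simply not captured.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a record for a Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "proto": fields.get("PROTO", "?"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        # ICMP lines have no DPT; keep None rather than failing.
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def hits_by_port(records):
    """How often each (proto, dport) was dropped: the 'what is noisy' view."""
    return Counter((r["proto"], r["dpt"]) for r in records)


def find_port_scanners(records, min_ports=5):
    """Sources that touched at least min_ports distinct ports (a scan)."""
    ports = defaultdict(set)
    for r in records:
        ports[r["src"]].add((r["proto"], r["dpt"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


def find_widely_probed_ports(records, min_sources=3):
    """Ports hit by at least min_sources distinct sources: Internet background
    noise, the kind of traffic that is a candidate for a silent DROP rule."""
    sources = defaultdict(set)
    for r in records:
        sources[(r["proto"], r["dpt"])].add(r["src"])
    return {port: len(s) for port, s in sources.items() if len(s) >= min_sources}


def triage(text, min_ports=5, min_sources=3):
    recs = parse_log(text)
    return {
        "total": len(recs),
        "top_ports": hits_by_port(recs).most_common(5),
        "scanners": find_port_scanners(recs, min_ports),
        "widely_probed": find_widely_probed_ports(recs, min_sources),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-14s %s" % (key, value))
```

Run against /var/log/messages instead of the sample by passing the file contents to triage(); the scanner and widely-probed views answer the two different questions in the post (is someone looking at me specifically, and which ports are just noise to stop logging).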
 
Old 04-15-2008, 05:23 PM
Brian McKee
 
Default Firewall froth..

On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:

The problem I am having is that the messages from the firewall really
flood /var/log/messages to the point where I am concerned they may
cause

me to miss other important things.
...
Perhaps I should redirect the firewall logs to a separate file? Or
just stick my head in the sand and log nothing - which is presumably
the situation with my dsl router..



If it's dropped - then the firewall did its job.
Why look at the results unless you have a problem?
Worry about what's getting through, not what isn't....

Brian
 
Old 04-15-2008, 08:06 PM
"Digby Tarvin"
 
Default Firewall froth..

On Tue, Apr 15, 2008 at 01:23:59PM -0400, Brian McKee wrote:
>
> On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:
> >The problem I am having is that the messages from the firewall really
> >flood /var/log/messages to the point where I am concerned they may
> >cause
> >me to miss other important things.
> >...
> >Perhaps I should redirect the firewall logs to a separate file? Or
> >just stick my head in the sand and log nothing - which is presumably
> >the situation with my dsl router..
> >
>
> If it's dropped - then the firewall did its job.
> Why look at the results unless you have a problem?
> Worry about what's getting through, not what isn't....
>
> Brian

Thanks, that's what I was thinking. If anyone can think of a reason
not to extend the
DROP net fw udp 1026:1029
so that logging for all blocked packets is suppressed I'd be interested
in hearing it..

Just out of curiosity, does anyone know what any of this bogus traffic
to (for example ports 1947 and 1948 are popular at the moment) might be?
Is it common to see this much noise? Is it perhaps undocumented traffic
generated by windows systems that others have connected directly to the
net? Or perhaps malicious traffic targeting vulnerabilities of windows
systems that might be unfirewalled on the net?

Regards,
DigbyT


 
Old 04-15-2008, 09:24 PM
Alex Samad
 
Default Firewall froth..

On Tue, Apr 15, 2008 at 08:06:01PM +0000, Digby Tarvin wrote:
> On Tue, Apr 15, 2008 at 01:23:59PM -0400, Brian McKee wrote:
> >
> > On 15-Apr-08, at 11:42 AM, Digby Tarvin wrote:
> > >The problem I am having is that the messages from the firewall really
> > >flood /var/log/messages to the point where I am concerned they may
> > >cause
> > >me to miss other important things.
> > >...
> > >Perhaps I should redirect the firewall logs to a separate file? Or
> > >just stick my head in the sand and log nothing - which is presumably
> > >the situation with my dsl router..
> > >
> >
> > If it's dropped - then the firewall did its job.
> > Why look at the results unless you have a problem?
> > Worry about what's getting through, not what isn't....
> >
> > Brian
>
> Thanks, that's what I was thinking. If anyone can think of a reason
> not to extend the
> DROP net fw udp 1026:1029
> so that logging for all blocked packets is suppressed I'd be interested
> in hearing it..

just be careful with UDP: it's a connectionless protocol, therefore any
UDP streams will not be caught in the state RELATED,ESTABLISHED line,
for example if you block off UDP 53 (DNS)



>
> Just out of curiosity, does anyone know what any of this bogus traffic
> to (for example ports 1947 and 1948 are popular at the moment) might be?
> Is it common to see this much noise? Is it perhaps undocumented traffic
> generated by windows systems that others have connected directly to the
> net? Or perhaps malicious traffic targeting vulnerabilities of windows
> systems that might be unfirewalled on the net?
>
> Regards,
> DigbyT
>
>

--
"So I don't know where [Bin Laden] is. You know, I just don't spend that much time on him."

- George W. Bush
03/13/2002
Washington, DC
White House Press Conference
 
Old 04-16-2008, 01:27 AM
"Douglas A. Tutty"
 
Default Firewall froth..

On Tue, Apr 15, 2008 at 03:42:54PM +0000, Digby Tarvin wrote:

> where the last line was to filter out the most frequent messages, but
> I am not really sure what, if any, rejected connections/packets I
> should be looking out for, and what should just be ignored...
>
> Perhaps I should redirect the firewall logs to a separate file? Or
> just stick my head in the sand and log nothing - which is presumably
> the situation with my dsl router..

I don't have any incoming ports since I don't offer services to the net,
not even ssh. Therefore, I drop everything coming in and don't log it.
I by default have all ports outgoing closed too and log everything that
shorewall stops. Then I open the ports I need with selected ACCEPT
macros. Then the only things that end up in syslog are ones I need to
see. My logaudit script doesn't filter out shorewall lines so I see
them. I do have console logging turned off so I don't get interrupted.

Doug.


 
Old 04-16-2008, 09:00 AM
Anthony Campbell
 
Default Firewall froth..

On 15 Apr 2008, Digby Tarvin wrote:
>
[snip]
> where the last line was to filter out the most frequent messages, but
> I am not really sure what, if any, rejected connections/packets I
> should be looking out for, and what should just be ignored...
>
> Perhaps I should redirect the firewall logs to a separate file? Or
> just stick my head in the sand and log nothing - which is presumably
> the situation with my dsl router..
>
> Here is an example of the last dozen or so messages in the log:
> DF PROTO=TCP SPT=1739 DPT=2933 WINDOW=65535 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=125.45.93.1 DST=81.105.30.126 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=44567 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=8192 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=17119 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=71.156.118.7 DST=81.105.30.126 LEN=48 TOS=0x00 PREC=0x20 TTL=116 ID=18256 DF PROTO=TCP SPT=3968 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4407 PROTO=UDP SPT=8184 DPT=2933 LEN=38
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4409 PROTO=UDP SPT=8184 DPT=2933 LEN=38
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:02:a5:f7:47:a8:00:0b:bf:51:60:01:08:00 SRC=88.109.202.188 DST=81.105.30.126 LEN=58 TOS=0x00 PREC=0x00 TTL=119 ID=4410 PROTO=UDP SPT=8184 DPT=2933 LEN=38
>
> Is this normal? Anyone know what all this rejected traffic represents?
>

You can prevent this stuff appearing by inserting "klogd -c5" to
/etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.

"FAQ 16) Shorewall is writing log messages all over my console making it unusable!

Answer:

Just to be clear, it is not Shorewall that is writing all over your
console. Shorewall issues a single log message during each start,
restart, stop, etc. It is rather the klogd daemon that is writing
messages to your console. Shorewall itself has no control over where a
particular class of messages are written. See the Shorewall logging
documentation.

* Find where klogd is being started (it will be from one of the
  files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or
  the appropriate configuration file so that klogd is started with
  “-c <n>” where <n> is a log level of 5 or less; and/or

* See the “dmesg” man page (“man dmesg”). You must add a suitable
  “dmesg” command to your startup scripts or place it in
  /etc/shorewall/start."

Anthony

--
Anthony Campbell - ac@acampbell.org.uk
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews,
on-line books and sceptical articles)


 
Old 04-16-2008, 03:10 PM
Jon
 
Default Firewall froth..

On Wed, Apr 16, 2008 at 10:00:37AM +0100, Anthony Campbell wrote:

> You can prevent this stuff appearing by inserting "klogd -c5" to
> /etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.

It's better to modify /etc/default/klogd.


 
Old 04-16-2008, 03:44 PM
Anthony Campbell
 
Default Firewall froth..

On 17 Apr 2008, Jon wrote:
> On Wed, Apr 16, 2008 at 10:00:37AM +0100, Anthony Campbell wrote:
>
> > You can prevent this stuff appearing by inserting "klogd -c5" to
> > /etc/init.d/klogd. See /www.shorewall.net/FAQ.htm.
>
> It's better to modify /etc/default/klogd.
>
>

Looking at that, I see:

# Use KLOGD="-k /boot/System.map-$(uname -r)" to specify System.map
# -c 4 to alter the kernel console log level (deprecated)
# use sysctl instead
#

So I looked at /etc/sysctl.conf and found:


# Uncomment the following to stop low-level messages on console
kernel.printk = 4 4 1 7


I suppose this will do what is wanted. Mine is uncommented, which is
presumably why I am not getting these unwanted effects.

Anthony


--
Anthony Campbell - ac@acampbell.org.uk
Microsoft-free zone - Using Debian GNU/Linux
http://www.acampbell.org.uk (blog, book reviews,
on-line books and sceptical articles)


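To see exactly what "kernel.printk = 4 4 1 7" (or the older "klogd -c 5") changes, here is an added worked example, not code from the thread, from Debian or from Shorewall. It parses the four-field sysctl value and applies the kernel's rule: a message appears on the console only when its level is numerically below console_loglevel, the first field. The assumption, stated in the code, is that the firewall logs at level "info" (6), the level Shorewall's sample policy uses; "7 4 1 7" is taken as the kernel's traditional default. The example also makes the caveat concrete: this setting governs the console only, so /var/log/messages fills up exactly as before.

```python
# Kernel log levels (syslog priorities): a lower number is more urgent.
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The four fields of /proc/sys/kernel/printk, in order.
FIELD_NAMES = ("console_loglevel", "default_message_loglevel",
               "minimum_console_loglevel", "default_console_loglevel")

# Assumption: the Shorewall policy logs dropped packets at "info", as in
# Shorewall's sample policy line "net all DROP info". Adjust if yours differs.
SHOREWALL_LOG_LEVEL = "info"


def parse_printk(value):
    """Split a kernel.printk value such as '4 4 1 7' into its named fields."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("kernel.printk needs exactly four integers: %r" % value)
    return dict(zip(FIELD_NAMES, (int(p) for p in parts)))


def to_level(level):
    """Accept either a level name ('info') or a number (6)."""
    return LEVELS[level] if isinstance(level, str) else int(level)


def reaches_console(msg_level, printk_value):
    """The kernel prints a message on the console only if its level is below
    console_loglevel. The message still goes to the ring buffer (dmesg) and to
    syslog; only the console is affected, not /var/log/messages."""
    return to_level(msg_level) < parse_printk(printk_value)["console_loglevel"]


def console_levels(printk_value):
    """Names of the levels that would be shown on the console."""
    return [name for name, n in LEVELS.items() if reaches_console(n, printk_value)]


def with_console_loglevel(printk_value, n):
    """What 'klogd -c <n>' does: replace the first field, keep the other three."""
    fields = parse_printk(printk_value)
    fields["console_loglevel"] = int(n)
    return " ".join(str(fields[k]) for k in FIELD_NAMES)


if __name__ == "__main__":
    # Kernel default, the sysctl from the thread, and the klogd -c 5 equivalent.
    for setting in ("7 4 1 7", "4 4 1 7", with_console_loglevel("7 4 1 7", 5)):
        print("kernel.printk = %s" % setting)
        print("  console shows:", ", ".join(console_levels(setting)))
        print("  Shorewall '%s' drops on console: %s"
              % (SHOREWALL_LOG_LEVEL, reaches_console(SHOREWALL_LOG_LEVEL, setting)))
```

Compare the current value with `cat /proc/sys/kernel/printk` before editing /etc/sysctl.conf; if the first field is already 4 or lower, the console is not where the flood is coming from.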