Results 1 to 7 of 7
I've got these strange warnings in my firewall logs. They are logged with a priority of warning and a facility of kernel; I just don't know why or what they ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
- 05-23-2006 #1Linux Newbie
- Join Date
- Nov 2005
- Posts
- 225
Stange kernel warnings IN=eth1 OUT= MAC=00:80:c8:4c:0e:.....
I've got these strange warnings in my firewall logs. They are logged with a priority of warning and a facility of kernel; I just don't know why or what they are and why am I getting a warning, they look just like packet traffic...
Code:kernel: IN=eth1 OUT= MAC=00:00:c8:4c:00:d1:00:10:7b:c1:c7:a1:08:00 SRC=195.128.48.63 DST=82.154.253.87 LEN=51 TOS=0x00 PREC=0x00 TTL=111 ID=63193 PROTO=UDP SPT=4067 DPT=6346 LEN=31
- 05-23-2006 #2Just Joined!
- Join Date
- Mar 2002
- Location
- Cape Town, South Africa
- Posts
- 54
That's output from iptables' LOG target, so I'd say that your firewall setup is simply logging packets that it drops to the kernel log.
- 05-23-2006 #3Linux Newbie
- Join Date
- Nov 2005
- Posts
- 225
how do I stop this extraneous logging, it's polluting the logs and distracting from more important logs like failed password attempts. I've set the syslog to not report anything below error level so I don't get these, but it feels like covering up the sympton rather than finding and fixing the cause.
- 05-23-2006 #4Just Joined!
- Join Date
- Mar 2002
- Location
- Cape Town, South Africa
- Posts
- 54
Well, I don't know which distro/firewall tool you're using, so I'm not sure how you'd go about this. Assuming you have some script that sets up your firewall for you, you'd be looking for something like:
The "-j LOG" is the part that specifies that packets matching the rule should go to syslog. You'll want to remove (or comment) that line.Code:iptables -A INPUT -i eth0 -j LOG
If you're using a wrapper tool to manage your firewall (such as Shorewall and co.), I'm not sure how you'd go about it.
- 05-23-2006 #5Linux Newbie
- Join Date
- Nov 2005
- Posts
- 225
thanks for that, I'll have a look...
- 05-23-2006 #6Just Joined!
- Join Date
- May 2006
- Posts
- 2
is there any option to convert that DST ipaddres into its FQDN , in other words display the actual FQDN , rather then the ipaddress
- 05-23-2006 #7Just Joined!
- Join Date
- Mar 2002
- Location
- Cape Town, South Africa
- Posts
- 54
Not as far as I know. I wouldn't think so, since that would mean a reverse lookup for every packet logged from a different IP; not really something you want to have your syslogger held up by for every unique destination IP.
Originally Posted by root_slack
On another note, just a friendly warning that what you've just done (asking a different, unrelated question on someone else's thread) may be considered thread hijacking, which is against the forum rules.
Reply With Quote 
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
