- 05-23-2006 #1
Strange kernel warnings IN=eth1 OUT= MAC=00:80:c8:4c:0e:.....
I've got these strange warnings in my firewall logs. They are logged with a priority of warning and a facility of kernel; I just don't know why or what they are and why am I getting a warning, they look just like packet traffic...
Code:
kernel: IN=eth1 OUT= MAC=00:00:c8:4c:00:d1:00:10:7b:c1:c7:a1:08:00 SRC=195.128.48.63 DST=82.154.253.87 LEN=51 TOS=0x00 PREC=0x00 TTL=111 ID=63193 PROTO=UDP SPT=4067 DPT=6346 LEN=31
- 05-23-2006 #2
That's output from iptables' LOG target, so I'd say that your firewall setup is simply logging packets that it drops to the kernel log.
- 05-23-2006 #3
How do I stop this extraneous logging? It's polluting the logs and distracting from more important logs like failed password attempts. I've set the syslog to not report anything below error level so I don't get these, but it feels like covering up the symptom rather than finding and fixing the cause.
- 05-23-2006 #4
Well, I don't know which distro/firewall tool you're using, so I'm not sure how you'd go about this. Assuming you have some script that sets up your firewall for you, you'd be looking for something like:
Code:
iptables -A INPUT -i eth0 -j LOG
The "-j LOG" is the part that specifies that packets matching the rule should go to syslog. You'll want to remove (or comment) that line.
If you're using a wrapper tool to manage your firewall (such as Shorewall and co.), I'm not sure how you'd go about it.
- 05-23-2006 #5
- 05-23-2006 #6
Is there any option to convert that DST IP address into its FQDN, in other words display the actual FQDN rather than the IP address?
- 05-23-2006 #7
Not as far as I know. I wouldn't think so, since that would mean a reverse lookup for every packet logged from a different IP; not really something you want to have your syslogger held up by for every unique destination IP.
Originally Posted by root_slack
On another note, just a friendly warning that what you've just done (asking a different, unrelated question on someone else's thread) may be considered thread hijacking, which is against the forum rules.
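The log line from the first post can be decoded field by field, and the reverse lookup discussed in the last two posts can be done afterwards on the saved log instead of in the logging path. The following is an added example, not code from any poster in this thread; the function names and the injectable `lookup` parameter are assumptions made for illustration.

```python
import re
import socket
from functools import lru_cache

# Constructed sample: the line quoted in the first post of this thread.
SAMPLE = ("kernel: IN=eth1 OUT= MAC=00:00:c8:4c:00:d1:00:10:7b:c1:c7:a1:08:00 "
          "SRC=195.128.48.63 DST=82.154.253.87 LEN=51 TOS=0x00 PREC=0x00 "
          "TTL=111 ID=63193 PROTO=UDP SPT=4067 DPT=6346 LEN=31")
TOKEN = re.compile(r"(?:^|\s)([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split an iptables LOG line into fields; return None for other lines."""
    if "IN=" not in line or "OUT=" not in line:
        return None
    fields = {}
    for key, value in TOKEN.findall(line):
        # LEN appears twice for UDP: IP total length, then the UDP length.
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:  # Ethernet: 6 dst + 6 src + 2 ethertype bytes
        fields["MAC_DST"] = ":".join(octets[:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return fields


def make_resolver(lookup=socket.gethostbyaddr):
    """Cached PTR lookup: one query per unique address, IP kept on failure."""
    @lru_cache(maxsize=4096)
    def resolve(ip):
        try:
            return lookup(ip)[0]
        except OSError:
            return ip  # no PTR record or no network: keep the address
    return resolve


def annotate(lines, resolve):
    """Yield parsed packets with SRC_NAME and DST_NAME added."""
    for pkt in filter(None, map(parse_log_line, lines)):
        for side in ("SRC", "DST"):
            if side in pkt:
                pkt[side + "_NAME"] = resolve(pkt[side])
        yield pkt
```

PTR records are set by whoever controls the address block, so treat the resolved names as untrusted labels and keep the raw IP alongside them.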


