- 10-18-2003 #1 Just Joined!
- Join Date
- Oct 2003
- Location
- Glasgow. Scotland
- Posts
- 9
??? What's going down in /var/log/messages
Hi,
I have recently changed my connection to the net from cable to dial-up [Sigh!]. I have also changed address and ISP. Since the move I have been seeing my logs filling up with a whole load of messages. Example:
Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xxx.33.111.35 DST=xx.xxx.14.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx9 DST=xx.xxx.xx.xx9 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xxx.xx.xx DST=xx.xxx.1xx,xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=xx.xx.xx0.xx9 DST=xx.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
These messages are seriously filling my log files to the point of AAAAAAAaaaaaaaaaaaaaaaaahhhhh!!!!
Can I block them?
I am being bombarded with DPT=135 hits to the point that a cat of this file takes around a minute to complete...
Also [ less dubious ]
Oct 18 02:31:39 localhost kernel: martian source xxx.xxx.xx.xx from 127.0.0.1, on dev ppp0
Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
Oct 18 02:31:39 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
Oct 18 02:31:55 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
Oct 18 02:31:55 localhost kernel: ll header: 45:08:00:28
Oct 18 02:32:12 localhost kernel: martian source xxx.122.18.79 from 127.0.0.1, on dev ppp0
The source IP address on these hits [localhost hits] is always my own IP??
Anything I can do?
All help is much appreciated.
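An added example, not part of the original thread, of how a defender would read these records before deciding what to do about them: the netfilter LOG format that gShield emits is a fixed `key=value` layout (`SRC`, `DST`, `PROTO`, `DPT`, `TTL`, then the TCP flags as bare tokens), so a few lines of Python can count hits per destination port and per source and separate the "martian source" lines, which are the kernel rejecting a packet that arrived on ppp0 claiming an address (here 127.0.0.1) that cannot legitimately come in on that interface. The sample log below is constructed with RFC 1918 placeholder addresses in the shape of the poster's lines; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format shown in the post; addresses are
# RFC 1918 placeholders, not the poster's (masked) ones. The first four lines are
# gShield "default drop" records, the last two are the kernel's martian report.
SAMPLE_LOG = """\
Oct 18 03:41:12 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=10.0.0.35 DST=10.0.0.29 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6699 DF PROTO=TCP SPT=59243 DPT=1080 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Oct 18 03:43:33 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=10.0.0.9 DST=10.0.0.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48132 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:34 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=10.0.0.9 DST=10.0.0.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48297 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 03:43:37 localhost kernel: gShield (default drop) IN=ppp0 OUT= MAC= SRC=10.0.0.10 DST=10.0.0.29 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=48498 DF PROTO=TCP SPT=2363 DPT=135 WINDOW=8760 RES=0x00 SYN URGP=0
Oct 18 02:31:39 localhost kernel: martian source 10.0.0.29 from 127.0.0.1, on dev ppp0
Oct 18 02:31:39 localhost kernel: ll header: 45:08:00:28
"""

KV_RE = re.compile(r"(\w+)=(\S*)")           # SRC=..., DPT=..., OUT= (empty value) ...
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_entry(line):
    """Classify one syslog line: a netfilter drop record, a martian report, or None."""
    _, sep, msg = line.partition("kernel: ")
    if not sep:
        return None                              # not a kernel message at all
    m = MARTIAN_RE.search(msg)
    if m:
        # The kernel discarded a packet on this interface whose source address
        # cannot legitimately arrive there (here: loopback 127.0.0.1 on ppp0).
        return {"kind": "martian", "dst": m.group(1), "claimed_src": m.group(2), "dev": m.group(3)}
    prefix, sep, rest = msg.partition("IN=")
    if not sep:
        return None                              # e.g. the 'll header:' continuation line
    entry = {"kind": "drop", "prefix": prefix.strip()}
    entry.update(KV_RE.findall("IN=" + rest))    # key=value pairs, empty values allowed
    # Bare tokens such as SYN/ACK are the TCP flags; DF and RES=... are not flags.
    entry["flags"] = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return entry


def summarize(text):
    """Aggregate a log excerpt: hits per destination port, per source, and martian count."""
    by_dport, by_src = Counter(), Counter()
    martians = 0
    for line in text.splitlines():
        e = parse_log_entry(line)
        if e is None:
            continue
        if e["kind"] == "martian":
            martians += 1
            continue
        by_dport[f"{e.get('PROTO', '?')}/{e.get('DPT', '?')}"] += 1
        by_src[e.get("SRC", "?")] += 1
    return {"by_dport": by_dport, "by_src": by_src, "martians": martians}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("hits by destination port:", report["by_dport"].most_common())
    print("hits by source address:  ", report["by_src"].most_common())
    print("martian packets:         ", report["martians"])
```

Run it against a real `/var/log/messages` by reading the file into `summarize()`. Every drop record here is a bare SYN from a different source to the same port, which is what unsolicited scanning of a freshly assigned dial-up address looks like; the firewall is already dropping them, so the problem the poster has is log volume, not exposure. TTL=128 on the port 135 hits is the default initial TTL of Windows hosts, and a flood of SYNs from many sources to TCP/135 (the Microsoft RPC endpoint mapper) was a common sight in late 2003.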
- 10-18-2003 #2
Are you running some sort of iptables script that won't work due to dial-up?
Also, have you looked at the syslogd config file?
- 10-18-2003 #3
Hi Kriss, I have recently changed from cable to dial-up. I replaced my script and was using Firestarter, but I am no guru when it comes to iptables scripts. I will look over my FW script [gShield] and check, as this is the first feasible explanation I have had from any forum. Thanks. Also, here is a copy of my syslog.conf. Can I create a new directory/files and redirect some of the messages to ease /var/log/messages?
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
Thank you in advance.
- 10-18-2003 #4
kern.* -/var/log/iptableslog
Try to put that in the file, restart syslogd and see if this happens.
As previously said, I might be wrong, so don't kill me if it doesn't work.
- 10-19-2003 #5
Tried what you said
Hi, well, I edited the syslog.conf file in the manner you said, and I now have the messages being written to /var/log/iptableslog as well as /var/log/messages????
Also, I installed the gShield FW, and I now have the situation where, if I flush my iptables rules, I cannot access the internet [even though OUTPUT is set to ACCEPT?]. How can I remove this FW from my system and stop all these shenanigans??
Thank you in advance.
- 10-19-2003 #6
What gets written to iptableslog? Can you give me a small sample? Does the same stuff get written to messages as well?
I don't know much about the FW stuff, so someone other than me will have to answer that one.
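An added example, not from the thread, that shows why post #5 sees the firewall records in both files. Netfilter LOG entries are emitted on facility `kern` at priority `warning` by default, and the `*.info` selector on the `/var/log/messages` line still matches them; the `kern.*` line only adds a second destination. In classic syslog.conf, the terms of one selector are applied left to right and a later term overrides an earlier one for its facility, so `kern.none` after `*.info` is what keeps kernel messages out of `/var/log/messages`. The code is a small model of that sysklogd selector logic (it handles `*`, `none`, `=pri` and `pri`-and-above, but not the `!pri` form or rsyslog extensions; that is an assumption of the model, not a statement about any particular syslogd), run over two constructed config excerpts: the rules from post #3 plus the `kern.*` line from post #4, and the same with `kern.none` added.

```python
# Priorities in ascending order; a plain "facility.pri" selector means pri and above.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed syslog.conf excerpts. The first reproduces the relevant rules from the
# post plus the suggested kern.* line; the second adds kern.none to the messages rule.
CONF_AS_POSTED = """
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                           /var/log/secure
mail.*                                               /var/log/maillog
cron.*                                               /var/log/cron
*.emerg                                              *
uucp,news.crit                                       /var/log/spooler
local7.*                                             /var/log/boot.log
kern.*                                               -/var/log/iptableslog
"""

CONF_FIXED = """
*.info;kern.none;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                                     /var/log/secure
mail.*                                                         /var/log/maillog
cron.*                                                         /var/log/cron
*.emerg                                                        *
uucp,news.crit                                                 /var/log/spooler
local7.*                                                       /var/log/boot.log
kern.*                                                         -/var/log/iptableslog
"""


def parse_rule(line):
    """Split one syslog.conf line into ([(facilities, priority), ...], action)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector, action = line.split(None, 1)
    terms = []
    for term in selector.split(";"):
        facs, pri = term.rsplit(".", 1)          # "uucp,news.crit" -> "uucp,news", "crit"
        terms.append((facs.split(","), pri))
    return terms, action.strip()


def rule_matches(terms, facility, priority):
    """Model of sysklogd semantics: terms apply left to right, later ones override."""
    pidx = PRIORITIES.index(priority)
    matched = False
    for facs, pri in terms:
        if "*" not in facs and facility not in facs:
            continue                              # term does not mention this facility
        if pri == "none":
            matched = False                       # explicit exclusion
        elif pri == "*":
            matched = True
        elif pri.startswith("="):
            matched = PRIORITIES.index(pri[1:]) == pidx
        else:
            matched = pidx >= PRIORITIES.index(pri)
    return matched


def destinations(conf_text, facility, priority):
    """Every action a message of facility.priority would be delivered to."""
    out = []
    for line in conf_text.splitlines():
        rule = parse_rule(line)
        if rule and rule_matches(rule[0], facility, priority):
            out.append(rule[1].lstrip("-"))       # a leading '-' only disables fsync
    return out


if __name__ == "__main__":
    # netfilter LOG records default to priority warning on facility kern.
    print("as posted:     ", destinations(CONF_AS_POSTED, "kern", "warning"))
    print("with kern.none:", destinations(CONF_FIXED, "kern", "warning"))
```

After editing the real file, syslogd has to be restarted (or sent SIGHUP) as post #4 says, and the new log file needs its own logrotate entry, otherwise the volume problem simply moves from `/var/log/messages` to `/var/log/iptableslog`. Keeping `*.emerg` untouched means a genuine kernel emergency still reaches every logged-in user.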