> The problem is that her logfiles fill up almost instantly with
> junk like this:
>
> myrouter kernel: Packet log: input DENY eth0 PROTO=2 10.100.80.208:65535
> 239.255.255.250:65535 L=32 S=0x00 I=7688 F=0x0000 T=1 O=0x00000494 (#43)
>
> But not just from one IP address. Instead she gets these from practically
> every 10.100.x.x IP available.
>
> Clearly everyone in her provider's subnet is pushing out packet fragments,
> or somehow their network is leaving packet fragments out there.
>
> These are being caught by rule 43, which is a catchall I think. I also
> admit to not really being sure which freaking rule is rule #43, I mean I
> look through the config, and I am not really sure how to count them.

Handy trick:
ipchains -vnL --line-numbers

> SO is there any way to stop logging all of these packet fragments?

You can probably make do with a silent-deny entry. If the log entries look the same except for the IP, these are all multi-cast IGMP messages, which you should be safely able to ignore. Your silent-deny entry should look something like:

SILENT_DENY="2_10.100.0.0/16"

Note that there is no port entry, since IGMP doesn't have port numbers. The above entry will silently drop all protocol 2 packets from 10.100.x.x into the "bit bucket"...no more overflowing logs.

If the SILENT_DENY entry above doesn't work, or isn't flexible enough to cover all the packets you need to filter (I suspect more items you want to deny w/o logging will turn up once there's a little less "noise" in your log files), you can add custom rules to the /etc/ipchains.input file to match virtually any packet type you want. The basic rule would be:

$IPCH -I input -j DENY <packet specification>

This inserts a deny rule (-j DENY) at the top of the input chain (-I input), so matching packets will be filtered w/o logging (no -l flag) prior to hitting the "main" input rules. Add protocol specifiers, source/destination IP/port, etc to match the packets you need to block.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
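
Added example, not part of the original message or of the LEAF project's code: Python that groups ipchains packet-log lines by chain, rule number, protocol and source network, then lists candidate entries in the <proto>_<source-net> form shown in the message, so the noise can be reviewed before anything is silenced. The sample log lines, the /16 grouping, the three-source threshold and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Field layout of an ipchains "Packet log" line, as in the entry quoted in the message.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)

# Constructed sample lines modelled on the one quoted in the message.
SAMPLE_LOG = """\
myrouter kernel: Packet log: input DENY eth0 PROTO=2 10.100.80.208:65535 239.255.255.250:65535 L=32 S=0x00 I=7688 F=0x0000 T=1 O=0x00000494 (#43)
myrouter kernel: Packet log: input DENY eth0 PROTO=2 10.100.12.7:65535 239.255.255.250:65535 L=32 S=0x00 I=7702 F=0x0000 T=1 O=0x00000494 (#43)
myrouter kernel: Packet log: input DENY eth0 PROTO=2 10.100.200.19:65535 239.255.255.250:65535 L=32 S=0x00 I=7719 F=0x0000 T=1 O=0x00000494 (#43)
myrouter kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.44:137 198.51.100.255:137 L=78 S=0x00 I=511 F=0x0000 T=128 (#43)
myrouter kernel: Starting firewall
"""

def summarize(log_text, prefix_len=16):
    """Count hits and distinct sources per (chain, rule, proto, source net)."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ipchains packet-log line
        net = ipaddress.ip_network(f"{m['src']}/{prefix_len}", strict=False)
        key = (m["chain"], int(m["rule"]), int(m["proto"]), str(net))
        groups[key]["hits"] += 1
        groups[key]["sources"].add(m["src"])
    return dict(groups)

def silent_deny_candidates(groups, min_sources=3):
    """Entries in the <proto>_<source-net> form for noisy IGMP groups."""
    out = []
    for (chain, rule, proto, net), g in sorted(groups.items()):
        # Only protocol 2 (IGMP): the entry form in the message has no port field.
        if chain == "input" and proto == 2 and len(g["sources"]) >= min_sources:
            out.append(f"{proto}_{net}")
    return out

if __name__ == "__main__":
    groups = summarize(SAMPLE_LOG)
    for key, g in sorted(groups.items()):
        print(key, g["hits"], "hits from", len(g["sources"]), "sources")
    for entry in silent_deny_candidates(groups):
        print("candidate silent-deny entry:", entry)
```

Groups that are not IGMP, such as the constructed UDP line, are reported but never turned into an entry, so they stay visible in the summary for a separate decision.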