Hello Jay, just to clarify things: the error message in the firewall just
indicates that the number of logged firewall packets is greater than
the Error warn level.
You can set this in the weblet configuration file:
The default settings are
<screen>
# Firewall thresholds: deny/reject messages
WRN_FW=5
ERR_FW=50
</screen>
After 5 logged packets the status is warn, after 50 it is error.
The log files are rotated once a day and after this the firewall is 
again in status ok. 
You can change these settings.

If you have to worry about a number of logged packets or not 
depends on the source and the kind of packets.

> I have, they are all looking at port 53 
This could have several reasons; there was a thread some time ago
about using 53 for load balancing.
It could also be a wrongly configured computer on the inside.
> 
> > It says: '146 denied or rejected packets'
> Yes. but the firewall weblet says error after only 146. I've done port scans
> before and got this to say 3200 before the weblet said error.
> 
The weblet error level is 50 by default.
The reason you got different values after "turning red" is:
The number of logged packets is checked when you show the index page.
Now if you let your browser stand at this screen, the next time the
packets are counted is after the refresh time (oops, there is none :()
or if you press the refresh button on your browser.
So if you are portscanning you got 1 packet = green.
After some time you reload the page and now the number of
packets is over the threshold of 50 (independent of how much;
during portscanning there are a lot of packets showing up).
I guess I have to include the refresh in the index page ;)
The space on /var/log is not tested yet and has got nothing to do
with the firewall level; in the next version it will be checked in the
diskspace.


> > BTW, if you are portscanning the firewall from outside, this is normal!
> I wasn't at the time; if I do an external portscan, it lasts a lot longer
> (usually around the 3000 mark) before going to error status..
> 
> Confused..
> 
> 
> ----- Original Message -----
> From: "Luis.F.Correia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, September 16, 2002 6:07 PM
> Subject: RE: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet
> Weblet says /var/log only used 6%
> 
> 
> > You should check the /var/log/messages file
> >
> > You'll find the offending packets.
> >
> > BTW, if you are portscanning the firewall from outside, this is normal!
> > The firewall logs EVERY 'invalid' packet. As you can see from below,
> > It says: '146 denied or rejected packets'
> >
> > That's it!
> >
> > -----Original Message-----
> > From: Jay Langford [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, September 16, 2002 6:49 AM
> > To: [EMAIL PROTECTED]
> > Subject: [leaf-user] Bering-rc3: Weblet says Error for Firewall - yet Weblet says /var/log only used 6%
> >
> >
> > Hi EveryOne!
> >
> > I've got the following setup:
> > Bering-rc3
> > shorwall-1.3.7b
> > *Single Floppy Setup
> >
> > On the following hardware:
> > P166Mhz
> > 64MB RAM
> > 1.44MB Floppy
> > 64K ISDN Ext. Modem (Serial)
> >
> > I've just got the basic rules as per the setup in the installation guide
> >
> >
> > ** Weblet says the following re: Firewall
> > --------------------------------------------
> > firewall Firewall Status: error
> > You have 146 denied or rejected packets in your recent packet logs.
> > --------------------------------------------
> > I've seen this cranked up as far as 3200 (Note: This was after a series of
> > portscans to check the firewall)
> >
> >
> > ** Weblet says the following about my RAM disk.
> > ---------------------------------------------------
> > Filesystem           1k-blocks      Used     Available    Use%     Mounted on
> > /dev/root                 6144      3256          2888     53%     /
> > tmpfs                    15292         4         15288      0%     /tmp
> > tmpfs                     2048       124          1924      6%     /var/log
> > --------------------------------------------------
> >
> > Does anyone know what I should be checking? Or if I should be running over
> > to the wall and unplugging the phone cord?
> >
> > Thanks!!
> >
> > ~Jay
> >
Eric Wolzak
member of the bering crew
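
Added example, not part of Eric's message and not the weblet's own code: a sketch of the threshold check described above, plus a breakdown of the logged packets by interface, source and destination port, since whether the count matters depends on the source and kind of packets. The function names, the "greater than" comparison and the sample log lines (Shorewall-style, documentation addresses) are assumptions.

```shell
#!/bin/sh
# Thresholds as quoted in the message above.
WRN_FW=5
ERR_FW=50

# Constructed sample log lines (not from the thread), Shorewall kernel-log style.
sample_log() {
  i=0
  while [ "$i" -lt 6 ]; do
    echo "Sep 16 06:4$i:01 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=102$i DPT=53"
    i=$((i + 1))
  done
  echo "Sep 16 06:50:12 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1044 DPT=53"
  echo "Sep 16 06:51:30 fw kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= SRC=203.0.113.99 DST=198.51.100.2 PROTO=TCP SPT=4000 DPT=445"
  echo "Sep 16 06:52:00 fw pppd[212]: LCP echo ok"
}

# Count denied/rejected entries read from stdin (grep exits 1 on zero matches).
count_denied() {
  grep -c -E 'Shorewall:[^:]*:(DROP|REJECT):' || true
}

# Map a packet count to a status; strict "greater than" is an assumption.
fw_status() {
  if [ "$1" -gt "$ERR_FW" ]; then echo error
  elif [ "$1" -gt "$WRN_FW" ]; then echo warn
  else echo ok
  fi
}

# Group denied packets by inbound interface, source, protocol and destination port.
breakdown() {
  awk 'function field(key) {
         if (match($0, "[ :]" key "=[^ ]+"))
           return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
         return "-"
       }
       /Shorewall:[^:]*:(DROP|REJECT):/ {
         n[field("IN") " " field("SRC") " " field("PROTO") "/" field("DPT")]++
       }
       END { for (k in n) print n[k], k }' | sort -rn
}

n=$(sample_log | count_denied)
echo "denied/rejected: $n -> status $(fw_status "$n")"
sample_log | breakdown
```

In the sample, the eth0 line is the case of an inside machine sending to port 53, which the breakdown separates from the external sources arriving on ppp0.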

