On Mon, 09 Sep 2002 20:58:48 -0700 Stephen Rasku <[EMAIL PROTECTED]> wrote:
> On Saturday 07 September 2002 07:38 pm, Robert Canary wrote:
> > try adding
> > *.debug /var/log/debug.log
>
> I tried that. It logs the firewall messages (plus some other
> things) to that file. But it still logs to /var/log/messages and it
> still logs to the screen. I don't actually want it to any
> additional places. I just want it to stop logging to the screen.
>
> > it is hard to tell which facility to capture, but since you have
> > debugging turned on I am guessing it should be in the .debug sub
> > facility.
>
> From this firewall message:
> Sep 9 19:27:08 hostname kernel: Dropped: IN=eth0 OUT=
> MAC=00:05:xx:xx:xx:xx:00:00:77:95:6e:c6:08:00 SRC=24.68.18.131
> DST=xx.xx.xx.xx LEN=78 TOS=0x00 PREC=0x00 TTL=125 ID=5039 PROTO=UDP
> SPT=137 DPT=137 LEN=58
>
> It appears that it is the kernel facility that is being logged.
> This makes sense since it's a kernel module that does the filtering.
>
> From this portion of my "iptables -L" command
>
> LOG all -- anywhere anywhere LOG
> level warning prefix `Dropped:
>
> it appears that it's logging with a priority of 'warning'. When I
> wrote that I was "debugging" my firewall, I was trying to figure out
> why it isn't working. For the time being, I am assuming it is
> because of an incorrect firewall rule. I added a rule to display
> every received packet so I can see what is being received and what
> is being dropped. I didn't actually modify syslog.conf to log any
> facilities at the debug level to do this.
>
> > You might want to try creating a log file local1 thru local7
>
> I don't think this will make any difference since the firewall rules
> seem to be logging using the kernel facility.
>
> ...Stephen

I run ipchains, so am not up on the syntax or options for iptables. In syslog if you only specify a single priority in a selector (without modifiers) you're specifying THAT priority and all HIGHER priorities.
Might it be that your 'LOG level warning' in the iptables rules is being interpreted as *.warn to syslog and, since it is a single priority, gets broadcast to everyone because of the line in /etc/syslog.conf:

*.emerg *

As a test, just to see if the screen messages disappear, you could comment out the above line and restart syslog. If they do, you might try changing the syntax in your iptables rule to read 'LOG level=warning'. The = limits the priority level to warning only - nothing higher.

Best,
Tom
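
The selector rule described in the reply above (a bare priority selects that level and everything more severe, while `=` selects only that level), as an added example that is not part of the original thread. The two `kern.*` rules and their log paths are constructed for illustration, and the matcher handles a single `facility.priority` term with `*`, `none` and `=` only.

```python
# Added example: sysklogd-style selector matching for one "facility.priority" term.
# Least to most severe; a bare priority in a selector means "this level or above".
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # deprecated names

def level(name):
    return PRIORITIES.index(ALIASES.get(name, name))

def selector_matches(selector, facility, priority):
    """True if a message with this facility and priority is selected.
    Supports '*', 'none' and the '=' modifier; ';' lists and '!' are out of scope."""
    facilities, wanted = selector.rsplit(".", 1)
    if "*" not in facilities.split(",") and facility not in facilities.split(","):
        return False
    if wanted == "none":
        return False
    if wanted == "*":
        return True
    if wanted.startswith("="):          # '=' limits the match to exactly this level
        return level(priority) == level(wanted[1:])
    return level(priority) >= level(wanted)

def route(config, facility, priority):
    """Return the actions of every rule in `config` that selects the message."""
    actions = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            actions.append(action)
    return actions

# First two rules are quoted in the thread; the kern.* rules and paths are constructed.
SAMPLE_CONF = """
*.debug        /var/log/debug.log
*.emerg        *
kern.warning   /var/log/kern-warn-and-up.log
kern.=warning  /var/log/kern-warn-only.log
"""

if __name__ == "__main__":
    # The iptables LOG line in the thread arrives as facility kern, priority warning.
    for prio in ("warning", "err", "emerg"):
        print(f"kern.{prio:8} -> {route(SAMPLE_CONF, 'kern', prio)}")
```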