Hi All,
I have had a read over the archive and there are some posts regarding
syslog-ng but I haven''t been able to find the solution with dmesg
logging.
My firewall is a Leaf Bering-uClibc 4.0 OS.
I would like to just stop shorewall/netfilter/whatever from logging to
dmesg.
firewall# dmesg
<snip> pages and pages
[8575826.113431] Shorewall:net2loc:DROP:IN=eth0 OUT=bond0 SRC=202.95.202.5
DST=202.45.102.32 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=34054 DF PROTO=TCP
SPT=58014 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
[8575826.129915] Shorewall:net2loc:DROP:IN=eth0 OUT=bond0 SRC=203.100.58.40
DST=202.45.102.58 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=27688 DF PROTO=TCP
SPT=15937 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
[8575826.413762] Shorewall:net2loc:DROP:IN=eth0 OUT=bond0 SRC=203.100.58.40
DST=202.45.102.58 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=37183 DF PROTO=TCP
SPT=19367 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
[8575828.325965] Shorewall:net2loc:DROP:IN=eth0 OUT=bond0 SRC=203.100.58.40
DST=202.45.102.58 LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=5265 DF PROTO=TCP
SPT=20438 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
I have syslog-ng logging to /var/log/shorewall.log
firewall# cat syslog-ng.conf
#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior
# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are
deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd
######
# options
options {
# disable the chained hostname format in logs
# (default is enabled)
chain_hostnames(0);
# the time to wait before a died connection is re-established
# (default is 60)
time_reopen(10);
# the time to wait before an idle destination file is closed
# (default is 60)
time_reap(360);
# the number of lines buffered before written to file
# you might want to increase this if your disk isn''t catching
with
# all the log messages you get or if you want less disk activity
# (say on a laptop)
# (default is 0)
#sync(0);
# the number of lines fitting in the output queue
log_fifo_size(2048);
# enable or disable directory creation for destination files
create_dirs(yes);
# default owner, group, and permissions for log files
# (defaults are 0, 0, 0600)
#owner(root);
group(adm);
perm(0640);
# default owner, group, and permissions for created directories
# (defaults are 0, 0, 0700)
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
# enable or disable DNS usage
# syslog-ng blocks on DNS queries, so enabling DNS may lead to
# a Denial of Service attack
# (default is yes)
use_dns(no);
# maximum length of message in bytes
# this is only limited by the program listening on the /dev/log Unix
# socket, glibc can handle arbitrary length log messages, but -- for
# example -- syslogd accepts only 1024 bytes
# (default is 2048)
#log_msg_size(2048);
# STATS interval
stats (10800);
};
######
# sources
# all known message sources
source s_all {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the
syslog()
# function to send logs to)
unix-stream("/dev/log" max_connections(2000));
# messages from the kernel
file("/proc/kmsg" log_prefix("kernel: "));
# use the following line if you want to receive remote UDP logging
messages
# (this is equivalent to the "-r" syslogd flag)
# udp();
};
######
# destinations
# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_ppp { file("/var/log/ppp.log"); };
# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice {
file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };
# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice"
owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err"
owner("news"));
};
destination df_news_dot_crit { file("/var/log/news/news.crit"
owner("news")); };
# separate files for Shorewall and Shorewall6 iptables logs
destination df_shorewall { file("/var/log/shorewall.log"); };
destination df_shorewall6 { file("/var/log/shorewall6.log"); };
# some more classical and useful files found in standard syslog
configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };
# consoles
# this will send messages to everyone logged in
#destination du_all { usertty("*"); };
######
# filters
# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };
# all messages except from the cron, daemon, auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv, cron, daemon); };
# respectively: messages from the cron, daemon, kern, lpr, mail, news, and
# user facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
#filter for ppp/pptp
filter f_ppp { program(ppp) or program(pptp) or program(pptpd); };
# some filters to select messages of priority greater or equal to info,
warn,
# and err
# (equivalents of syslogd''s *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };
# all messages of priority debug not coming from the auth, authpriv, news,
and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail);
};
# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news);
};
# messages with priority emerg
filter f_emerg { level(emerg); };
# filters for Shorewall and Shorewall6 iptables logs
# check for IPv4-style SRC address e.g. SRC=192.
filter f_shorewall { match("Shorewall:.*SRC=[[:digit:]]*\\."); };
# check for IPv6-style SRC address e.g. SRC=2a01:
filter f_shorewall6 { match("Shorewall:.*SRC=[[:xdigit:]]*:"); };
######
# logs
# order matters if you use "flags(final);" to mark the end of
processing in
a
# "log" statement
# logs for Shorewall and Shorewall6 iptables logs
# first in the list and using "flags(final);" to avoid repeated
entries in
# syslog, kern.log, messages
log {
source(s_all);
filter(f_shorewall);
destination(df_shorewall);
flags(final);
};
log {
source(s_all);
filter(f_shorewall6);
destination(df_shorewall6);
flags(final);
};
# log ppp messages to /var/log/ppp.log
# stop -> do not log to syslog as well
log {
source(s_all);
filter(f_ppp);
destination(df_ppp);
flags(final);
};
# auth,authpriv.* /var/log/auth.log
log {
source(s_all);
filter(f_auth);
destination(df_auth);
flags(final);
};
# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
log {
source(s_all);
filter(f_cron);
filter(f_at_least_info);
destination(df_cron);
};
# daemon.* -/var/log/daemon.log
log {
source(s_all);
filter(f_daemon);
filter(f_at_least_info);
destination(df_daemon);
};
# *.*;auth,authpriv.none -/var/log/syslog
log {
source(s_all);
filter(f_syslog);
filter(f_at_least_info);
destination(df_syslog);
};
# kern.* -/var/log/kern.log
log {
source(s_all);
filter(f_kern);
destination(df_kern);
};
# lpr.* -/var/log/lpr.log
log {
source(s_all);
filter(f_lpr);
filter(f_at_least_info);
destination(df_lpr);
};
# mail.* -/var/log/mail.log
#log {
# source(s_all);
# filter(f_mail);
# destination(df_mail);
#};
# user.* -/var/log/user.log
log {
source(s_all);
filter(f_user);
destination(df_user);
};
# mail.info -/var/log/mail.info
log {
source(s_all);
filter(f_mail);
filter(f_at_least_info);
destination(df_facility_dot_info);
};
# mail.warn -/var/log/mail.warn
log {
source(s_all);
filter(f_mail);
filter(f_at_least_warn);
destination(df_facility_dot_warn);
};
# mail.err /var/log/mail.err
log {
source(s_all);
filter(f_mail);
filter(f_at_least_err);
destination(df_facility_dot_err);
};
# news.crit /var/log/news/news.crit
log {
source(s_all);
filter(f_news);
filter(f_at_least_crit);
destination(df_news_dot_crit);
};
# news.err /var/log/news/news.err
log {
source(s_all);
filter(f_news);
filter(f_at_least_err);
destination(df_news_dot_err);
};
# news.notice /var/log/news/news.notice
log {
source(s_all);
filter(f_news);
filter(f_at_least_notice);
destination(df_news_dot_notice);
};
# *.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
log {
source(s_all);
filter(f_debug);
destination(df_debug);
};
# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
log {
source(s_all);
filter(f_messages);
destination(df_messages);
};
firewall#
I have included the basics of my setup.
firewall# shorewall version
4.4.15.3
firewall# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN
link/ether 12:cc:f0:af:ec:5d brd ff:ff:ff:ff:ff:ff
3: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP
link/ether 00:30:48:93:c1:32 brd ff:ff:ff:ff:ff:ff
inet 202.45.102.1/25 brd 202.45.102.127 scope global bond0
inet 210.15.229.1/24 brd 210.15.229.225 scope global bond0:0
inet 192.168.1.1/24 brd 192.168.1.225 scope global bond0:1
inet 103.29.172.1/24 brd 103.29.172.255 scope global bond0:2
inet 103.29.173.1/24 brd 103.29.173.255 scope global bond0:3
inet 103.29.174.1/24 brd 103.29.174.255 scope global bond0:4
inet 103.29.175.1/24 brd 103.29.175.255 scope global bond0:5
inet 202.45.102.6/25 brd 202.45.102.127 scope global secondary bond0
inet 202.45.102.7/25 brd 202.45.102.127 scope global secondary bond0
inet6 fe80::230:48ff:fe93:c132/64 scope link
valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:0e:0c:bc:8b:1f brd ff:ff:ff:ff:ff:ff
inet 202.45.103.86/30 brd 202.45.103.87 scope global eth0
inet6 fe80::20e:cff:febc:8b1f/64 scope link
valid_lft forever preferred_lft forever
5: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master bond0 state UP qlen 1000
link/ether 00:30:48:93:c1:32 brd ff:ff:ff:ff:ff:ff
6: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
master bond0 state UP qlen 1000
link/ether 00:30:48:93:c1:32 brd ff:ff:ff:ff:ff:ff
106: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
qlen 10
link/ether 00:0e:0c:bc:8b:1f brd ff:ff:ff:ff:ff:ff
inet 202.45.103.86/30 brd 202.45.103.87 scope global ipsec0
inet6 fe80::20e:cff:febc:8b1f/64 scope link
valid_lft forever preferred_lft forever
107: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/void
108: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
link/none
firewall# ip route show
192.168.30.30 via 202.45.103.85 dev ipsec0
144.55.124.122 via 202.45.103.85 dev ipsec0
172.27.130.1 via 202.45.103.85 dev ipsec0
144.55.123.63 via 202.45.103.85 dev ipsec0
144.55.123.187 via 202.45.103.85 dev ipsec0
202.45.103.84/30 dev eth0 proto kernel scope link src 202.45.103.86
202.45.103.84/30 dev ipsec0 proto kernel scope link src 202.45.103.86
202.45.102.0/25 dev bond0 proto kernel scope link src 202.45.102.1
210.15.229.0/24 dev bond0 proto kernel scope link src 210.15.229.1
192.168.1.0/24 dev bond0 proto kernel scope link src 192.168.1.1
103.29.174.0/24 dev bond0 proto kernel scope link src 103.29.174.1
103.29.175.0/24 dev bond0 proto kernel scope link src 103.29.175.1
103.29.172.0/24 dev bond0 proto kernel scope link src 103.29.172.1
103.29.173.0/24 dev bond0 proto kernel scope link src 103.29.173.1
default via 202.45.103.85 dev eth0
------------------------------------------------------------------------------
EMC VNX: the world''s simplest storage, starting under $10K
The only unified storage solution that offers unified management
Up to 160% more powerful than alternatives and 25% more efficient.
Guaranteed. http://p.sf.net/sfu/emc-vnx-dev2dev