Hi everyone,

this might be a little OT but maybe someone of you has an idea already before I move over to the netfilter mailing list.

One of my Shorewall installations (actually a system behind that firewall) was attacked by a bunch of systems spoofing up to 290 IPs (all from Korea). Each machine was sending a constant stream of UDP packets (8k more or less).

As a result for one hour I was hit by 7Mbytes/sec. All those packets were dropped. The only problem (besides the fact that one of the 155 MBit lines was completely clobbered up with) was logging. As it looks like once or twice in one second log entries are corrupted and some seem to be missing.

What I am wondering about:

Is there any way to buffer log entries so they are not written one by one?

Axel Westerhold
Axel@congos-tools.com wrote:
> Hi everyone,
>
> this might be a little OT but maybe someone of you has an idea already
> before I move over to the netfilter mailing list.

Have you looked at the current thread on this list with subject "ULOG thresholding and Shorewall"?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Yep, just saw it. So ULOG might be an option. I'll have a look into it.

Thanks,
Axel

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Thursday, 15 April 2004 19:34
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Logging problems

Axel@congos-tools.com wrote:
> Hi everyone,
>
> this might be a little OT but maybe someone of you has an idea already
> before I move over to the netfilter mailing list.

Have you looked at the current thread on this list with subject "ULOG thresholding and Shorewall"?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Axel@congos-tools.com wrote:
> Hi everyone,
>
> As a result for one hour I was hit by 7Mbytes/sec. All those packets
> were dropped. The only problem (beside the fact that one of the 155 MBit
> lines was completely clobbered up with) was logging. As it looks like
> once or twice in one second log entries are corrupted and some seem to
> be missing.

The other thing you could consider is setting LOGRATE and LOGBURST in shorewall.conf.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
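Added example, not part of the thread or of Shorewall: a token-bucket model of what a log rate limit does to a flood like the one described, assuming LOGRATE and LOGBURST act as the rate and burst of the netfilter limit match. The values `10/minute` and `5` and the packet stream are constructed samples; the kernel's own accounting is coarser than this exact model.

```python
from fractions import Fraction

# Seconds per unit, for rate strings of the form "<count>/<unit>".
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Turn '10/minute' into tokens per second as an exact fraction."""
    count, unit = spec.split("/")
    return Fraction(int(count), UNIT_SECONDS[unit])


def logged_packets(lograte, logburst, arrivals):
    """Return the arrival times of the packets that get a log entry.

    Token-bucket model: the bucket starts with `logburst` tokens, refills at
    `lograte` up to `logburst`, and each log entry costs one token.
    `arrivals` must be sorted, in seconds.
    """
    rate, cap = parse_rate(lograte), Fraction(logburst)
    tokens, last, logged = cap, None, []
    for t in arrivals:
        if last is not None:
            tokens = min(cap, tokens + (t - last) * rate)
        last = t
        if tokens >= 1:
            tokens -= 1
            logged.append(t)
    return logged


def constant_stream(pps, seconds):
    """Constructed input: `pps` evenly spaced packets per second."""
    return [Fraction(i, pps) for i in range(pps * seconds)]


if __name__ == "__main__":
    # Constructed flood: 1000 dropped packets per second for one minute.
    flood = constant_stream(1000, 60)
    kept = logged_packets("10/minute", 5, flood)  # sample values, not from the thread
    print(f"{len(kept)} of {len(flood)} dropped packets logged")
    print("first entries at (s):", [float(t) for t in kept[:7]])
```

The packets are still dropped either way; only the number of log writes changes, so the trade-off is log completeness against syslog load during the flood.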
> Hi everyone,
>
> this might be a little OT but maybe someone of you has an idea already
> before I move over to the netfilter mailing list.
>
> One of my Shorewall installations (actually a system behind that
> firewall) was attacked by a bunch of systems spoofing up to 290 IPs
> (all from Korea). Each machine was sending a constant stream of UDP
> packets (8k more or less).
>
> As a result for one hour I was hit by 7Mbytes/sec. All those packets
> were dropped. The only problem (beside the fact that one of the 155 MBit
> lines was completely clobbered up with) was logging. As it looks like
> once or twice in one second log entries are corrupted and some seem to
> be missing.
>
> What I wondering about:
>
> Is there any way to buffer log entries so they are not written one by
> one ?

I don't know but changing syslog to async mode by prefixing the entry with '-' in syslog.conf might help.

Simon

> Axel Westerhold