My log file fills up quickly and I see many repeated rejections similar to this one:

    May 15 07:56:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:50:04:e1:35:50:00:b0:d0:91:63:d3:08:00 SRC=192.168.0.59 DST=192.168.0.2 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=53608 PROTO=UDP SPT=1087 DPT=1900 LEN=140

I couldn't find anything in the documentation on how to read the log. Can someone please point me in the right direction?

Also, is there a way I can have the system email me the logs when it's full? I am using the bering distribution.

Thanks,
On Wed, 15 May 2002, Dragon Wood wrote:

> My log file fills up quickly and I see many repeated
> rejections similar to this one:
>
> May 15 07:56:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:50:04:e1:35:50:00:b0:d0:91:63:d3:08:00 SRC=192.168.0.59 DST=192.168.0.2 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=53608 PROTO=UDP SPT=1087 DPT=1900 LEN=140
>
> I couldn't find anything in the documentation on how
> to read the log.

So is the "Troubleshooting" topic on the Shorewall Home Page too obscure?

> Can someone please point me in the
> right direction?

Search the mailing list archives for UPNP.

> Also, is there a way I can have the system email me
> the logs when it's full? I am using the bering
> distribution.

That's OT on this list. Try the Leaf users mailing list.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
I had the same problem and did a little internet research on port 1900. Apparently Windows XP machines have a problem sending out lots of plug and play information on port 1900.

The first 6 bits of the MAC= line is the destination address of the ethernet adapter. This is the MAC address of the adapter hooked to your internal network on your firewall. Most likely eth1 in your case. The next 6 bits of the MAC= line is the source address. This is the machine that is sending thousands of UDP packets to your firewall. Find the machine that has a NIC with a MAC address of 00:B0:D0:91:63:D3. It will be a Windows machine.

There are several options to fix this problem. You can fix the Windows machine that is sending out the garbage. I chose not to mess with Windows. I simply wrote a rule to drop all packets. In /etc/shorewall/rules

    DROP loc fw udp 1900

That should solve your problem and stop filling up your logs.

-- Joe

-----Original Message-----
From: Dragon Wood [mailto:jmyching@yahoo.com]
Sent: Wednesday, May 15, 2002 12:12 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Question about shorewall log files

My log file fills up quickly and I see many repeated rejections similar to this one:

    May 15 07:56:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:50:04:e1:35:50:00:b0:d0:91:63:d3:08:00 SRC=192.168.0.59 DST=192.168.0.2 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=53608 PROTO=UDP SPT=1087 DPT=1900 LEN=140

I couldn't find anything in the documentation on how to read the log. Can someone please point me in the right direction?

Also, is there a way I can have the system email me the logs when it's full? I am using the bering distribution.

Thanks,

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
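An added example, not part of the thread: a small Python parser for Shorewall log lines like the one posted, which also counts which host is filling the log. The netfilter LOG target writes the 14-byte Ethernet header in MAC=: six bytes of destination address, six bytes of source address, then the two-byte EtherType (08:00 is IPv4). The first sample line is the one from the thread; the second and third are constructed for illustration.

```python
import re
from collections import Counter

# First line is from the thread; the other two are constructed samples.
SAMPLE_LOG = """\
May 15 07:56:04 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:50:04:e1:35:50:00:b0:d0:91:63:d3:08:00 SRC=192.168.0.59 DST=192.168.0.2 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=53608 PROTO=UDP SPT=1087 DPT=1900 LEN=140
May 15 07:56:09 firewall kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:50:04:e1:35:50:00:b0:d0:91:63:d3:08:00 SRC=192.168.0.59 DST=192.168.0.2 LEN=160 TOS=0x00 PREC=0x00 TTL=128 ID=53609 PROTO=UDP SPT=1087 DPT=1900 LEN=140
May 15 07:57:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:04:e1:35:51:00:10:7b:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=4242 PROTO=TCP SPT=3345 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Log prefix format: Shorewall:<chain>:<disposition>:<netfilter fields>
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")

def parse_line(line):
    """Return a dict of fields for one Shorewall log line, or None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m["chain"], "action": m["action"]}
    for token in m["rest"].split():
        key, sep, value = token.partition("=")
        # LEN appears twice (IP length, then UDP length); keep the first.
        if key not in rec:
            rec[key] = value if sep else True  # flags such as SYN have no "="
    octets = str(rec.get("MAC", "")).split(":")
    if len(octets) == 14:  # Ethernet header: destination, source, EtherType
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:])
    return rec

def top_talkers(log_text):
    """Count logged packets per (chain, action, src MAC, src IP, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["action"], rec.get("src_mac"),
                    rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for key, n in top_talkers(SAMPLE_LOG):
        print(n, *key)
```

The chain name in the prefix (all2all here) shows which policy or rule chain logged the packet, which tells you where a quieting rule has to go.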
On Thu, 16 May 2002, Copeland, Joe wrote:

> I simply wrote a rule to drop all packets. In
> /etc/shorewall/rules
>
> DROP loc fw udp 1900

I'll repeat from an earlier post.

The current common.def file contains the equivalent of that rule but applies it to ALL zone->zone combinations where the policy is other than ACCEPT. When I release a new common.def file and the user has a /etc/shorewall/common file, the latter file will continue to be used and common.def will be ignored.

To avoid this problem in the future, rather than copying common.def to common (as the documentation suggests :( ), the /etc/shorewall/common file should look like this:

    <rules that supercede entries in common.def>
    . /etc/shorewall/common.def
    <rules in addition to those in common.def>

That way, when I add new rules to common.def, they will be included in your ruleset.

Documentation Team: the sample configurations need to adopt this style since most people who have an /etc/shorewall/common file got the file from one of the samples :-(

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Yep, I found the original thread in the archives last night and have modified the /etc/shorewall/common as described. I also used the sample (in this case the 3 zone sample) and it was missing the suggested "include".

--- Tom Eastep <teastep@shorewall.net> wrote:

> On Thu, 16 May 2002, Copeland, Joe wrote:
>
> > I simply wrote a rule to drop all packets. In
> > /etc/shorewall/rules
> >
> > DROP loc fw udp 1900
>
> I'll repeat from an earlier post.
>
> The current common.def file contains the equivalent of that rule but
> applies it to ALL zone->zone combinations where the policy is other than
> ACCEPT. When I release a new common.def file and the user has a
> /etc/shorewall/common file, the latter file will continue to be used and
> common.def will be ignored.
>
> To avoid this problem in the future, rather than copying common.def to
> common (as the documentation suggests :( ), the /etc/shorewall/common file
> should look like this:
>
>     <rules that supercede entries in common.def>
>     . /etc/shorewall/common.def
>     <rules in addition to those in common.def>
>
> That way, when I add new rules to common.def, they will be included in
> your ruleset.
>
> Documentation Team: the sample configurations need to adopt this style
> since most people who have an /etc/shorewall/common file got the file from
> one of the samples :-(
>
> -Tom
> --
> Tom Eastep     \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net