Alexander Polishchuk wrote:
> I have a couple logging issues.
>
> 1. I'm using ULOG for logging, but from time to time I see
> messages in /var/log/messages. Here they are:
>
> Sep 12 13:33:19 misha kernel: Shorewall:logpkt:DROP:IN=eth0 OUT=
> MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=24.87.16.22
> DST=24.24.240.238 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=17039 DF
> PROTO=TCP SPT=7278 DPT=1214 WINDOW=32768 RES=0x00 FIN URGP=0 OPT
> (0101080A06B91D7F00000000)
>
> Sep 12 19:36:36 misha kernel: Shorewall:logpkt:DROP:IN=eth0 OUT=
> MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=64.39.171.207
> DST=24.24.240.238 LEN=52 TOS=0x00 PREC=0x00 TTL=40 ID=19848 PROTO=TCP
> SPT=65040 DPT=1214 WINDOW=32768 RES=0x00 FIN URGP=0 OPT
> (0101080A510FCD7400000000)
I have a few of the DPT=1214 logged at this end also (along with hundreds of
other ports).
>
> 2. The other issue is that I'm getting a couple MB worth of ping
> messages in the log that I'd like to turn off. I was getting just a
> couple of those per day until I switched to the 1.4.x version of
> Shorewall.
>
> Is it really that Shorewall shows all of those now that it did not
> before?
As of 1.4.0, shorewall's ping management is no different than any other
connection request.
See: http://shorewall.infohiiway.com/ping.html
>
> Can it be that some of my servers (caching named, samba, NTP, dhcpd)
> are causing this to happen?
I doubt that the above services are causing the increased amount of ping log
entries. I too was seeing MB's of ping log entries at this end (see
below).
If I was to guess at what's happening, it's probably one of the latest strains
of viruses causing all these ping attempts to be logged.
>
> My IP changes almost every day, but it does not help. My cable modem
> ISP is RoadRunner and most of the hits are from this ISP IPs. Can it
> be ISP related?
>
> If none of that is true, then how should the rule from common.def be
> modified to put into common to account for this?
You can follow the instructions listed in the above link. Myself... I added
a rule to stop logging the ping attempts for zones net->fw. Ex:
# Reject pings (which is the default policy), but stop logging.
REJECT net fw icmp 8
Steve Cowles
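Added example, not part of the thread above and not Shorewall code: a small Python triage script that parses the netfilter log lines Shorewall writes (the "Shorewall:chain:disposition:" prefix followed by the kernel's key=value fields) and splits the volume into ICMP echo requests (ping, type 8) versus TCP/UDP hits by destination port. The two TCP lines are the ones quoted in the thread; the three ICMP lines, the chain name net2all, and the 192.0.2.x source addresses are constructed for the example.

```python
import re
from collections import Counter

# Sample /var/log/messages excerpt. The first two TCP lines are the ones quoted
# in the thread; the ICMP echo-request lines are constructed for this example
# (chain name and 192.0.2.x sources are placeholders).
SAMPLE_LOG = """\
Sep 12 13:33:19 misha kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=24.87.16.22 DST=24.24.240.238 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=17039 DF PROTO=TCP SPT=7278 DPT=1214 WINDOW=32768 RES=0x00 FIN URGP=0 OPT (0101080A06B91D7F00000000)
Sep 12 19:36:36 misha kernel: Shorewall:logpkt:DROP:IN=eth0 OUT= MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=64.39.171.207 DST=24.24.240.238 LEN=52 TOS=0x00 PREC=0x00 TTL=40 ID=19848 PROTO=TCP SPT=65040 DPT=1214 WINDOW=32768 RES=0x00 FIN URGP=0 OPT (0101080A510FCD7400000000)
Sep 12 19:40:01 misha kernel: Shorewall:net2all:REJECT:IN=eth0 OUT= MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=192.0.2.10 DST=24.24.240.238 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 12 19:40:02 misha kernel: Shorewall:net2all:REJECT:IN=eth0 OUT= MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=192.0.2.11 DST=24.24.240.238 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
Sep 12 19:40:03 misha kernel: Shorewall:net2all:REJECT:IN=eth0 OUT= MAC=00:50:da:2d:c1:6c:00:08:e2:32:34:70:08:00 SRC=192.0.2.10 DST=24.24.240.238 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=514 SEQ=2
"""

# Log prefix as Shorewall 1.4 writes it: "Shorewall:<chain>:<disposition>:"
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# key=value fields from the kernel; bare flag tokens such as DF or FIN have no
# '=' and are skipped, as is the "OPT (...)" trailer.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the Shorewall fields of one syslog line as a dict, or None if the
    line is not a Shorewall log entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    # For ICMP the kernel prints two ID= fields (IP header id, then the echo
    # identifier); the second overwrites the first, which this summary ignores.
    for key, value in FIELD_RE.findall(line[m.end():]):
        rec[key] = value
    return rec


def summarize(log_text):
    """Aggregate Shorewall entries: how much of the volume is ping (ICMP echo
    request) versus TCP/UDP, and which destination ports and ping sources
    dominate."""
    summary = {
        "total": 0,
        "by_disposition": Counter(),
        "by_proto": Counter(),
        "dst_ports": Counter(),     # (PROTO, DPT) for TCP/UDP entries
        "echo_sources": Counter(),  # SRC of ICMP type 8 entries
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        summary["total"] += 1
        summary["by_disposition"][rec["disposition"]] += 1
        proto = rec.get("PROTO", "?")
        summary["by_proto"][proto] += 1
        if proto in ("TCP", "UDP") and "DPT" in rec:
            summary["dst_ports"][(proto, rec["DPT"])] += 1
        elif proto == "ICMP" and rec.get("TYPE") == "8":
            summary["echo_sources"][rec.get("SRC", "?")] += 1
    return summary


def report(summary):
    """Render the summary as a few lines of text."""
    lines = [f"{summary['total']} Shorewall entries"]
    for disp, n in summary["by_disposition"].most_common():
        lines.append(f"  {disp}: {n}")
    echo = sum(summary["echo_sources"].values())
    lines.append(f"ICMP echo requests (ping): {echo} from "
                 f"{len(summary['echo_sources'])} source(s)")
    for (proto, port), n in summary["dst_ports"].most_common(5):
        lines.append(f"  {proto}/{port}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Running it against a real /var/log/messages (for example `summarize(open("/var/log/messages").read())`) shows quickly whether the growth is ping noise, which the `REJECT net fw icmp 8` rule above silences, or scanning of particular ports, which is worth keeping in the log.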