Jun 19 11:54:06 ns1 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=172.30.0.15 DST=10.19.227.75 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=10830 PROTO=TCP SPT=49782 DPT=9100 WINDOW=8192 RES=0x00 SYN URGP=0

I am now getting these logs from my ipsec tunnel, or perhaps the problem is they are not being encrypted through the tunnel. 172.30.0.15 is an IBM server trying to communicate to our Lexmark printers on port 9100, as all the IPs being logged are printers. Until I can get hold of the administrator for 172.30.0.15, I would like to silently drop these. I tried the rule:

DROP net fw tcp 9100 # I still get these logs.

Thanks
--Mike

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.201.144.200  10.19.227.193   255.255.255.255 UGH   0      0        0 eth1
172.16.2.2      *               255.255.255.255 UH    0      0        0 tun1
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
64.42.53.200    *               255.255.255.248 U     0      0        0 eth0
192.168.100.0   10.19.227.190   255.255.255.0   UG    0      0        0 eth1
192.168.200.0   *               255.255.255.0   U     0      0        0 eth2
10.192.139.0    172.16.2.2      255.255.255.0   UG    0      0        0 tun1
10.19.227.0     *               255.255.255.0   U     0      0        0 eth1
172.30.0.0      64-42-53-201.at 255.255.0.0     UG    0      0        0 ipsec0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         64-42-53-201.at 0.0.0.0         UG    0      0        0 eth0
[root@ns1 root]#
Mike Lander wrote:
> Jun 19 11:54:06 ns1 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
> SRC=172.30.0.15 DST=10.19.227.75 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=10830
> PROTO=TCP SPT=49782 DPT=9100 WINDOW=8192 RES=0x00 SYN URGP=0
>
> I am now getting these logs from my ipsec tunnel, or perhaps the problem
> is they are not being encrypted through the tunnel.
> 172.30.0.15 is an IBM server trying to communicate to our Lexmark printers on
> port 9100, as all the IPs being logged are printers.
> Until I can get hold of the administrator for
> 172.30.0.15, I would like to silently drop these.
> I tried the rule:
> DROP net fw tcp 9100 # I still get these logs.

Any time that you have a log flood, you should consult FAQ 17 to find out why the messages are being logged and what you can do about them. In your case, you need to edit your rfc1918 file and add a rule for the offending host(s) -- or temporarily turn off norfc1918 on eth0. If you have no /etc/shorewall/rfc1918 file, copy the one from /usr/share/shorewall to /etc/shorewall and modify the copy.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
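The following is an added example, not code from the thread or from the Shorewall project: a small POSIX shell helper that turns "Shorewall:rfc1918:DROP" kernel log lines (a constructed sample below mirrors the one Mike posted) into entries for the rfc1918 file that Tom describes. The log prefix shows the packet is being dropped by the rfc1918 check on eth0 (the norfc1918 interface option), which runs before the net->fw rule ever sees it, so the fix belongs in /etc/shorewall/rfc1918, not in the rules file. Assumptions, labelled in the comments: the Shorewall 2.x rfc1918 file layout of two columns, SUBNETS and TARGET, with targets RETURN, DROP and logdrop, and that entries are processed in order so a host entry must precede the entry for its containing subnet (172.16.0.0/12 here).

```shell
#!/bin/sh
# Added example, not from the thread. Generates /etc/shorewall/rfc1918 entries
# for the hosts that are flooding the log with "Shorewall:rfc1918:DROP" messages.
#
# Assumed rfc1918 file format (Shorewall 2.x):
#   SUBNETS          TARGET
#   172.30.0.15/32   DROP      # drop silently (what Mike asked for)
#   172.30.0.15/32   RETURN    # skip further RFC 1918 checks; normal zone rules apply
#   172.16.0.0/12    logdrop   # the stock entry that is currently producing the log
# Assumed: entries are matched in order, so host entries go above 172.16.0.0/12.

# Constructed sample log: two rfc1918 drops from the IBM host and one unrelated
# net2all drop that must be ignored by the filter.
SAMPLE_LOG='Jun 19 11:54:06 ns1 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=172.30.0.15 DST=10.19.227.75 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=10830 PROTO=TCP SPT=49782 DPT=9100 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 19 11:54:07 ns1 kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 SRC=172.30.0.15 DST=10.19.227.76 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=10831 PROTO=TCP SPT=49783 DPT=9100 WINDOW=8192 RES=0x00 SYN URGP=0
Jun 19 11:54:09 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=64.42.53.9 DST=64.42.53.200 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=4 PROTO=TCP SPT=3389 DPT=135 WINDOW=0 RES=0x00 SYN URGP=0'

# rfc1918_sources: read log lines on stdin, print each distinct SRC address
# that was dropped by the rfc1918 chain (other chains are ignored).
rfc1918_sources() {
    grep 'Shorewall:rfc1918:DROP:' | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' | sort -u
}

# rfc1918_entries [TARGET]: emit "host/32<TAB>TARGET" lines for those sources.
# TARGET defaults to DROP (silent); pass RETURN to let the host through the
# RFC 1918 check so the packets reach the ordinary zone rules instead.
rfc1918_entries() {
    target=${1:-DROP}
    rfc1918_sources | while read -r src; do
        printf '%s/32\t%s\n' "$src" "$target"
    done
}

# merge_into_rfc1918 FILE [TARGET]: prepend the generated entries to FILE so they
# sit above the stock 172.16.0.0/12 line (order matters under the assumption above).
# Log lines are read from stdin. Atomic replace via a temporary file.
merge_into_rfc1918() {
    file=$1
    target=${2:-DROP}
    entries=$(rfc1918_entries "$target")
    [ -n "$entries" ] || return 0          # nothing to add, leave FILE untouched
    { printf '%s\n' "$entries"; cat "$file"; } > "$file.new" && mv "$file.new" "$file"
}

# Usage on the firewall (commands shown, not executed here):
#   [ -f /etc/shorewall/rfc1918 ] || cp /usr/share/shorewall/rfc1918 /etc/shorewall/
#   grep 'Shorewall:rfc1918:DROP' /var/log/messages | merge_into_rfc1918 /etc/shorewall/rfc1918
#   shorewall restart
# Tom's other option, disabling the check on eth0 entirely, is the interfaces file:
#   net   eth0   detect   norfc1918   ->   net   eth0   detect
```

Dropping with TARGET=DROP silences the flood without letting the host in; switching to RETURN later, once the administrator of 172.30.0.15 has been reached, hands the traffic to the normal net-to-loc rules where a port 9100 ACCEPT or DROP can be written explicitly.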