Re: Kernel log messages

From: Peter Pentchev (roam@ringlet.net)
Date: 12/14/02


Date: Sat, 14 Dec 2002 17:58:53 +0200
From: Peter Pentchev <roam@ringlet.net>
To: Erwan Breton <breton@cri.ensmp.fr>


On Sat, Dec 14, 2002 at 12:14:42PM +0100, Erwan Breton wrote:
> Hi,
>
> Since I have activated the firewall on my box, I have many kernel log
> messages in my security check output every night. The problem is, I don't see
> interesting messages like bad login anymore.
>
> athena kernel log messages:
[snip ipfw log messages]
>
> main# uname -a
> FreeBSD 4.7-STABLE #10: Thu Nov 28 19:00:13 CET 2002
> I just activated the firewall (I think :o) )
>
> If you need more conf (like syslog.conf), tell me.
>
> Thanks for ideas and answers.

What exactly is the problem: that those messages are hiding the rest of
the information in your logfiles? You can easily turn ipfw logging off:
it is currently logging verbosely because of one of two reasons - either
you have an 'option IPFIREWALL_VERBOSE' in your kernel config file, or
you have 'firewall_logging="yes"' in your /etc/rc.conf file.

To turn ipfw logging off, either remove the firewall_logging="yes" line
from /etc/rc.conf, or add a net.inet.ip.fw.verbose=0 line to
/etc/sysctl.conf. Both of these will take effect upon your next reboot,
when the startup scripts reread the configuration; if you want to turn
off the verbose ipfw logging right now, issue the following command:

        sysctl net.inet.ip.fw.verbose=0

Of course, neither of these will help if you have explicitly requested
logging in one of your firewall rules: examine your firewall
configuration and see if any of the rules has the 'log' keyword.

All this said, there is another option for having your cake and eating
it, too: instructing syslog.conf to send ipfw log messages to another
location. According to the ipfw manual page, the 'log' keyword causes
ipfw to send kernel.security syslog messages; you could redirect those
to a separate file, so that they do not interfere with your normal
logging.

Hope this helps :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.
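
The reply above names three places that can switch ipfw logging on: rc.conf, the kernel config and individual rules. As an added example, not part of the original message, this script checks text copies of all three; the function names and sample inputs are constructed for illustration, and treating only "yes" as enabled is an assumption.

```shell
#!/bin/sh
# Added example (not from the original message). Sample inputs are constructed.

# rc.conf text on stdin: the last uncommented assignment wins.
# Assumption: only a case-insensitive "yes" counts as enabled.
rcconf_logging() {
    awk -F= '/^[ \t]*firewall_logging=/ {
                 v = tolower($2); gsub(/#.*|[" \t]/, "", v); last = v }
             END { print (last == "yes" ? "yes" : "no") }'
}

# Kernel config text on stdin: match the exact option name, so that
# IPFIREWALL_VERBOSE_LIMIT=... on its own does not count.
kernconf_verbose() {
    awk '$1 ~ /^options?$/ && $2 == "IPFIREWALL_VERBOSE" { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# `ipfw list`-style text on stdin: print the numbers of rules that
# carry 'log' as a standalone keyword.
rules_with_log() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "log") { print $1; break } }'
}

# Constructed sample inputs.
SAMPLE_RC='firewall_enable="YES"
#firewall_logging="NO"
firewall_logging="YES"   # turned on together with the firewall'

SAMPLE_KERN='options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100'

SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 deny log logamount 100 tcp from any to any 23
00300 allow tcp from any to any 22 setup
65000 deny log ip from any to any'

echo "rc.conf firewall_logging:  $(printf '%s\n' "$SAMPLE_RC" | rcconf_logging)"
echo "kernel IPFIREWALL_VERBOSE: $(printf '%s\n' "$SAMPLE_KERN" | kernconf_verbose)"
echo "rules with 'log':          $(printf '%s\n' "$SAMPLE_RULES" | rules_with_log | tr '\n' ' ')"
```

On a live system the same functions can be fed /etc/rc.conf, the kernel config file and the output of `ipfw list`.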
