Re: Kernel logging firestarter events to syslog and console



Anthony Simonelli wrote:
Hey there, just upgraded to kernel image 2.6.8-3-686 and now all of the
blocked connections from firestarter are logged in syslog and displayed at
the console such as the following:

Mar 27 21:25:25 debian kernel: ABORTED IN=wlan0 OUT=
MAC=00:0f:66:a1:89:28:00:12:17:27:5b:71:08:00 SRC=167.104.0.82
DST=192.168.1.103 LEN=40 TOS=0x00 PREC=0x20 TTL=48 ID=34256 PROTO=TCP SPT=443

I can't do anything on the command line because I get one of these every five
seconds, not to mention it's making my system logs too large and full of
non-critical info since it is blocking packets from all of the workstations
on my LAN.

How do I stop this?

There are two aspects: One is how often and at what log level your
firewall logs to syslog, and the other one is at what log level syslog
starts to echo messages to the console. The latter can be controlled by
adjusting the kernel's "printk" parameter:

http://lists.debian.org/debian-user/2006/03/msg00271.html

This will get rid of the messages on the console. If you are worried
about your growing syslog, you have to adjust the logging behavior of
firestarter. Unfortunately I never used it, therefore I cannot be more
specific on this point. More generally speaking, though, it should be
enough if you have the packages "logrotate" and "cron" installed to keep
all your logs from growing out of bounds. (If you shut down your
computer overnight then you will need the package "anacron" in addition
to the other two.) For more info on this see:

http://lists.debian.org/debian-user/2006/02/msg02670.html

Regards,
Florian
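
The console half of the answer above, as an added example that is not part of the original message or of the linked post: the kernel echoes a message to the console only when its priority number is lower than the first field of /proc/sys/kernel/printk. The function names and the sample printk value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which kernel messages reach the console for a given
# kernel.printk setting. Function names are illustrative assumptions.

# Map a syslog priority name (or number) to its numeric value, 0=emerg .. 7=debug.
level_number() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        [0-7]) echo "$1" ;;
        *) return 1 ;;
    esac
}

# First field of /proc/sys/kernel/printk is console_loglevel.
console_loglevel() {
    set -- $1          # split on spaces or tabs
    echo "$1"
}

# True when a message of priority $1 is echoed to the console under printk
# string $2: the kernel prints it only if priority < console_loglevel.
reaches_console() {
    lvl=$(level_number "$1") || return 2
    [ "$lvl" -lt "$(console_loglevel "$2")" ]
}

# Print a printk string that keeps priority $1 off the console, lowering
# console_loglevel only if needed and leaving the other three fields alone.
quiet_printk() {
    lvl=$(level_number "$1") || return 1
    set -- $2
    cur=$1
    shift
    if [ "$cur" -gt "$lvl" ]; then cur=$lvl; fi
    echo "$cur $*"
}

# Constructed sample value (not read from a live system).
current="7 4 1 7"
for prio in warning info; do
    if reaches_console "$prio" "$current"; then
        echo "$prio: shown on console with '$current';" \
             "use kernel.printk = $(quiet_printk "$prio" "$current")"
    fi
done
# Apply at runtime with: sysctl -w kernel.printk="4 4 1 7"
# Persist by adding the kernel.printk line to /etc/sysctl.conf.
```

Lowering console_loglevel changes only what is echoed to the console; the blocked-packet entries are still written to syslog.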

