
Shorewall


Guest erika_deca
 Share

Recommended Posts

Guest erika_deca

Hello, I'd like to ask you about a problem I have. Suddenly, every now and then (it happened to me three times), my /var/ gets full of messages like this:

Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:19:d1:37:c3:57:00:12:3f:75:60:6f:08:00 SRC=158.110.32.89 DST=158.110.32.91 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57786 DF PROTO=TCP SPT=34936 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0

The 158.110.32.89 IP address is the address of the computer where my home is, and 158.110.32.91 is the IP address of the computer I am working on.

Has anybody idea of what I could do to avoid this problem?

 

Thank you very much!


I would presume you'd want to turn off logging for the shorewall messages. The logging is giving you the ability to see if shorewall is blocking or allowing connections. Personally, I would leave logging on if the firewall feature is important to you, else you'll not be able to see if there are any intrusions, or be able to troubleshoot a problem otherwise.


Have a look at logrotate (which is almost certainly running on your system). This will at regular intervals (default: once/week) check whether certain logfiles need to be archived (gzipped), deleted, or emailed to somebody in order to prevent /var/log becoming too full. You can define the frequency of log rotation in /etc/logrotate.conf and/or files in /etc/logrotate.d/. Typically this is weekly or monthly, but you can also define a size above which logrotate needs to rotate. The one pitfall with the latter approach is that logrotate by default is only run at weekly intervals (AFAIK -- not sitting on my Linux machine at present), so the size check is only done once a week. There is also a directive which ensures that logfiles older than x days are simply deleted (see man logrotate).


If the one in the office is the computer you are accessing from, then you can add a rule in the file /etc/shorewall/rules and not log from that IP address; this will solve the amount of data being stored from that single IP. I would not turn off logging, as it helps you detect breaches and other events.

 

So if you are sure that the other IP address is secure, stop logging that one only. If it is not secure, then run through the log files when you can and look for any suspicious events.

 

Also it is good training so you will know what is normal and what is not normal in the log file when you do have a problem.

 

And learning how to read the log is always a plus for fault finding.

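To decide which source deserves a no-log rule, and to do the "run through the log files" triage the replies above recommend, here is an added example (not code from the thread or from the Shorewall project) that parses the Shorewall log format quoted in the question and counts drops per source, protocol and destination port. The log excerpt is constructed for the example; the threshold argument is an assumption you would tune to your own traffic.

```python
import re
from collections import Counter

# Constructed sample excerpt in the format quoted in the thread (not real captures).
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:19:d1:37:c3:57:00:12:3f:75:60:6f:08:00 SRC=158.110.32.89 DST=158.110.32.91 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57786 DF PROTO=TCP SPT=34936 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:19:d1:37:c3:57:00:12:3f:75:60:6f:08:00 SRC=158.110.32.89 DST=158.110.32.91 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57787 DF PROTO=TCP SPT=34937 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:19:d1:37:c3:57:00:12:3f:75:60:6f:08:00 SRC=198.51.100.7 DST=158.110.32.91 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:19:d1:37:c3:57:00:12:3f:75:60:6f:08:00 SRC=198.51.100.7 DST=158.110.32.91 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: unrelated syslog line that the parser must skip
"""

# "Shorewall:<chain>:<action>:" followed by netfilter KEY=VALUE pairs and bare flags (DF, SYN).
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # \S* also swallows the colon-separated MAC value


def parse_line(line):
    """Return a dict of fields for a Shorewall log line, or None for anything else."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    fields.update(KV_RE.findall(m.group("rest")))  # bare flags like DF/SYN are ignored
    return fields


def summarize(text):
    """Count logged packets per (source address, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is not None:
            counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def noisy_sources(text, threshold):
    """Sources that reach the threshold, busiest first: candidates for a no-log rule
    if you trust them, or for a closer look if you do not."""
    per_src = Counter()
    for (src, _proto, _dpt), n in summarize(text).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {src:<16} {proto}/{dpt}")
    print("noisy:", noisy_sources(SAMPLE_LOG, 2))
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; a single source hammering one port, as in the thread's example, stands out at the top of the list.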
