Date:      Tue, 18 Sep 2007 17:30:43 +0200
From:      Mächler Philippe <pmaechler@glattwerk.ch>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: IPFW entries in /var/log/messages
Message-ID:  <001001c7fa08$e04725f0$3202a8c0@glattwerk.local>
In-Reply-To: <200709181700.20668.fbsd.questions@rachie.is-a-geek.net>

Hello Mel

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mel
> Sent: Tuesday, September 18, 2007 5:00 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: IPFW entries in /var/log/messages
>
>
> On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > Hi Nikos
> >
> > Thanks for your reply.
> >
> > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > Since a few weeks/months we have the following entries in the
> > > > /var/log/messages logfile.
> > >
> > > []
> > >
> > > > [/var/log/messages]
> > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > Sep 18 10:31:35 ns2 kernel:
> > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
> > >
> > > I can think of two things.
> > >
> > > 1) Is anybody playing with logger(1)?
> > > e.g.
> > > logger -t kernel "Let's play with the administrator..."
> > > tail /var/log/messages
> >
> > I fear it's neither of the two things you mentioned.
> >
> > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > And I believe that my workmates won't fool me with stuff like this :)
> >
> > > 2) Are these entries new? Are you sure that they refer
> > > to 2007-09? It can happen. Seeing a message from a year back.
> > > Especially on a low maintenance box.
> >
> > [2] These are actual entries. In the meantime I got a few new ones...
> > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > Sep 18 16:09:42 ns2 kernel: b
> > Sep 18 16:13:42 ns2 kernel:
> > Sep 18 16:23:14 ns2 kernel:
> > Sep 18 16:23:24 ns2 kernel: 8
> >
> > Sep 18 16:30:49 ns2 kernel:
>
> These look like classic buffer corruptions, either that or you're logging
> part of the raw packet and bytes interpreted as non-printing chars like
> return and backspace mangle the output. Can you narrow it down to the one
> offending rule? Or is any logging by ipfw this mangled?
>

I think I can narrow it down to the following rules, but I'm not
sure because it's hard to "decode" the logfile :)

07600 55768608  3753625157 allow log udp from any to
80.242.192.81 dst-port 53 in recv bge0

07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to
any out xmit bge0

08100  5664976   357403678 allow log icmp from any to
80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state

Hmm, I should change the "allow log" line into "allow" only. No
idea why I log every packet.

Philippe
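One way to take Mel's question (is any ipfw logging this mangled, or only one rule's?) to the whole logfile: an added Python example, not from this thread, that separates complete ipfw entries in kernel messages from the fragments and tallies the complete ones per rule number. The sample input is constructed from the lines quoted above (hostname, rule numbers and addresses come from the thread); the two regular expressions are my assumption about the ipfw log layout.

```python
import re
from collections import Counter

# Body of a well-formed ipfw(8) log entry as written to /var/log/messages.
# Whatever precedes "ipfw:" (the "<110>" syslog priority tag, duplicated or
# truncated in the thread's samples) is deliberately skipped.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\w+)"
)
# syslog layout "Mon DD HH:MM:SS host kernel: body"; the body may be empty.
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ?(?P<body>.*)$"
)

def parse_kernel_lines(lines):
    """Split kernel messages into complete ipfw entries and fragments.

    A fragment is a kernel line with no complete entry, e.g. the thread's
    "kernel: .11:2438 out via bge0" or a bare "kernel:".
    """
    entries, fragments = [], []
    for line in lines:
        m = KERNEL_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a kernel message, so not ipfw output
        e = IPFW_RE.search(m.group("body"))
        if e:
            rec = e.groupdict()  # rule, action, proto, src, dst, dir, iface
            rec["rule"] = int(rec["rule"])
            rec["ts"] = m.group("ts")
            entries.append(rec)
        else:
            fragments.append(line)
    return entries, fragments

def per_rule_counts(entries):
    """Complete entries per rule number (fragments cannot be attributed)."""
    return Counter(e["rule"] for e in entries)

# Constructed sample: the lines quoted in the thread, re-joined one per line.
SAMPLE = """\
Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
Sep 18 10:31:35 ns2 kernel:
Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:09:42 ns2 kernel: b
""".splitlines()
```

Run over a real /var/log/messages, a fragment count that tracks the total of the "allow log" rules' counters points at the logging path as a whole rather than at a single rule.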