Date:      Tue, 18 Sep 2007 19:03:38 +0200
From:      Mel <fbsd.questions@rachie.is-a-geek.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: IPFW entries in /var/log/messages
Message-ID:  <200709181903.40189.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <001001c7fa08$e04725f0$3202a8c0@glattwerk.local>
References:  <001001c7fa08$e04725f0$3202a8c0@glattwerk.local>

On Tuesday 18 September 2007 17:30:43 Mächler Philippe wrote:
> Hello Mel
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mel
> > Sent: Tuesday, September 18, 2007 5:00 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: IPFW entries in /var/log/messages
> >
> > On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > > Hi Nikos
> > >
> > > Thanks for your reply.
> > >
> > > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > > Since a few weeks/months we have the following entries in the
> > > > > /var/log/messages logfile.
> > > >
> > > > []
> > > >
> > > > > [/var/log/messages]
> > > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > > Sep 18 10:31:35 ns2 kernel:
> > > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
> > > >
> > > > I can think of two things.
> > > >
> > > > 1) Is anybody playing with logger(1)?
> > > > e.g.
> > > > logger -t kernel "Let's play with the administrator..."
> > > > tail /var/log/messages
> > >
> > > I fear it's neither of the two things you mentioned
> > >
> > > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > >
> > > And I believe that my workmates won't fool me with stuff like this :)
>
> > > > 2) Are these entries new? Are you sure that they refer
> > > > to 2007-09? It can happen. Seeing a message from a year back.
> > > > Especially on a low maintenance box.
> > >
> > > [2] These are actual entries. In the meantime I got a few new ones...
> >
> > > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP
> > > 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP
> > > 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > > Sep 18 16:09:42 ns2 kernel: b
> > > Sep 18 16:13:42 ns2 kernel:
> > > Sep 18 16:23:14 ns2 kernel:
> > > Sep 18 16:23:24 ns2 kernel: 8
> > >
> > > Sep 18 16:30:49 ns2 kernel:
> >
> > These look like classic buffer corruptions, either that or you're
> > logging part of the raw packet and bytes interpreted as non-printing
> > chars like return and backspace mangle the output. Can you narrow it
> > down to the one offending rule? Or is any logging by ipfw this mangled?
>
> I think I can narrow it down to the following rules but I'm not
> sure because it's hard to "decode" the logfile :)
>
> 07600 55768608  3753625157 allow log udp from any to
> 80.242.192.81 dst-port 53 in recv bge0
>
> 07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to
> any out xmit bge0
>
> 08100  5664976   357403678 allow log icmp from any to
> 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state
>
> Hmm, I should change the "allow log" line into "allow" only. No
> idea why I log every packet.

These look like pretty normal rules, as in they should not create faulty logs.
Depending on how hammered your server gets, it could be information is lost by
syslog; either way I'd file a PR and/or migrate to pf and see if logging
information is still lost (pf doesn't use syslog).


-- 
Mel
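An added example, written for this archive page and not part of the thread, to do what Mel asks for: it parses /var/log/messages lines in the ipfw "log" format quoted above, counts well-formed versus mangled entries per rule number (so the rule whose output is corrupted stands out), and sets aside lines that no longer carry a rule number at all. The sample lines are the ones Philippe posted plus two constructed clean entries using the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict

# Well-formed entry as syslog writes it for an ipfw rule with the "log" keyword:
#   <ts> <host> kernel: ipfw: <rule> <action> <proto> <src[:port]> <dst[:port]> <in|out> via <iface>
IPFW_OK = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
# Any kernel line at all, with whatever payload survived (possibly empty).
KERNEL_LINE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ kernel: ?(?P<payload>.*)$")
# A rule number that is still recoverable from a mangled payload, e.g. "<<110>ipfw: 7600 Accept ...".
RULE_HINT = re.compile(r"ipfw: (\d+)\b")

def triage(lines):
    """Return ({rule: {"ok": n, "mangled": n}}, [lines with no recoverable rule])."""
    per_rule = defaultdict(lambda: {"ok": 0, "mangled": 0})
    orphans = []
    for line in lines:
        m = IPFW_OK.match(line)
        if m:                                   # clean entry: credit the rule
            per_rule[m["rule"]]["ok"] += 1
            continue
        k = KERNEL_LINE.match(line)
        if not k:                               # not a kernel message; ignore
            continue
        hint = RULE_HINT.search(k["payload"])
        if hint:                                # garbage around it, but the rule is readable
            per_rule[hint.group(1)]["mangled"] += 1
        else:                                   # only fragments left ("b", "8", empty)
            orphans.append(line)
    return dict(per_rule), orphans

# Constructed sample: first five lines copied from the thread, last two are clean entries
# built with 192.0.2.10 (RFC 5737 documentation address) as the client.
SAMPLE_LOG = """\
Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
Sep 18 16:09:42 ns2 kernel: b
Sep 18 16:13:42 ns2 kernel:
Sep 18 16:23:24 ns2 kernel: 8
Sep 18 16:30:50 ns2 kernel: ipfw: 7600 Accept UDP 192.0.2.10:40000 80.242.192.81:53 in via bge0
Sep 18 16:30:50 ns2 kernel: ipfw: 8100 Accept ICMP:8.0 192.0.2.10 80.242.192.81 in via bge0
""".splitlines()

if __name__ == "__main__":
    counts, leftovers = triage(SAMPLE_LOG)
    for rule, c in sorted(counts.items()):
        print(f"rule {rule}: ok={c['ok']} mangled={c['mangled']}")
    print(f"{len(leftovers)} kernel line(s) with no recoverable rule number")
```

On a real box, feed it `grep ' kernel: ' /var/log/messages` and compare the mangled counts against the rule list from `ipfw -a list`.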



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200709181903.40189.fbsd.questions>