Date:      Wed, 13 Oct 2010 13:43:24 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        Marcin <nickson@interia.pl>, freebsd-stable@freebsd.org, Jeremy Chadwick <freebsd@jdc.parodius.com>
Subject:   Re: Problem with security log 
Message-ID:  <20101013204324.43E941CC3E@ptavv.es.net>
In-Reply-To: Your message of "Wed, 13 Oct 2010 11:55:19 +0200." <AANLkTin9MZpQniOogFhQFUKGRtgyk9xv7afrfWrDu_Me@mail.gmail.com>

> Date: Wed, 13 Oct 2010 11:55:19 +0200
> From: Luigi Rizzo <rizzo@iet.unipi.it>
> Sender: owner-freebsd-stable@freebsd.org
> 
> On Wed, Oct 13, 2010 at 11:23 AM, Jeremy Chadwick
> <freebsd@jdc.parodius.com> wrote:
> > On Wed, Oct 13, 2010 at 11:03:36AM +0200, Marcin wrote:
> >> 2010/10/13 Jeremy Chadwick <freebsd@jdc.parodius.com>:
> >> > On Tue, Oct 12, 2010 at 10:50:28PM +0200, Marcin wrote:
> >> >> Hi folks,
> >> >>
> >> >> For some time, illegible entries have been appearing in the file /var/log/security:
> >> >> kernel: ipfw: 200 Deny UDiPp f1w9:2 .168.10.5:5230503 D22e4n.y0
> >> >> .U0D.P25 1:15923.5136 o8.u10t. 5va5 3r5e03 224.0.0.251:5353 in via re0
> >> >>
> >> >> How to get rid of it? Please help...
> >> >
> >> > There isn't a 100% reliable way to get rid of this problem.  I've been
> >> > harping about this for years (sorry to sound like a jerk, but this
> >> > really is a major problem that keeps coming up and annoys users/admins
> >> > to no end.  There are solutions -- Linux solved it by implementing a
> >> > lockless circular ring buffer[1] used by kmsg).
> >> >
> >> > The """workaround""" -- which again, does not solve the problem, only
> >> > decreases the regularity of it happening (and when it does happen, can
> >> > sometimes decrease how much interspersed output there is) -- is to add
> >> > the following line to your kernel config and rebuild/reinstall your
> >> > kernel:
> >> >
> >> > options         PRINTF_BUFR_SIZE=128    # Prevent printf output being interspersed.
> >> >
> >> > This option became part of the GENERIC kernel configuration file at the
> >> > following times:
> >> >
> >> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/amd64/conf/GENERIC#rev1.529
> >> > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/i386/conf/GENERIC#rev1.517
> >> >
> >> > Depending on what release/tag you follow, you may or may not find the
> >> > above commit/change in your GENERIC file.  I can't be bothered to track
> >> > down what time the CVS tagging was done, for multiple architectures,
> >> > etc...
> >> >
> >> > [1]: http://www.mjmwired.net/kernel/Documentation/trace/ring-buffer-design.txt
> >>
> >> Hi Jeremy,
> >> I have compiled the kernel with this option and unfortunately the problem still exists...
> >> Do you have another idea how I can improve my log file? :)
> >
> > I was incorrect in my understanding/prognosis, so as Andriy pointed out,
> > the option won't solve your problem.
> >
> > It sounds like the only way to solve this issue is to improve/fix the
> > msgbuf code.  Alternatively, you could consider moving from ipfw to
> > pf(4) and use pflog(4) / pflogd(8).
> 
> or you can use the log option of ipfw and run tcpdump on the "ipfw0"
> pseudo interface which will give you all the traffic that matches a
> 'log' rule (there is a sysctl variable that controls whether log goes
> to syslog or to the ipfw pseudo interface)

Is there any real documentation on the ipfw0 device and how to use it? I
can see it as being very handy.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
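
Added example, not part of the thread or of FreeBSD: a strict Python check that separates well-formed ipfw entries in /var/log/security from interleaved ones like the entry quoted above, so damaged lines are counted and kept for review instead of being mis-parsed. The assumed line shape (single-word action, TCP/UDP only), the sample timestamps and the host name `gw` are assumptions.

```python
import ipaddress
import re

# Assumed shape of a clean TCP/UDP entry, modelled on the readable tail of the
# entry quoted in the thread; single-word actions only (Deny, Accept, ...).
IPFW_RE = re.compile(
    r"kernel: ipfw: (?P<rule>\d{1,5}) (?P<action>[A-Z][a-z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d{1,5}) (?P<dst>\S+):(?P<dport>\d{1,5}) "
    r"(?P<dir>in|out) via (?P<iface>\w+)$"
)

# Constructed sample; only the message body of the second line is from the thread.
SAMPLE = [
    "Oct 12 22:50:27 gw kernel: ipfw: 200 Deny UDP 192.168.10.5:5353 224.0.0.251:5353 in via re0",
    "Oct 12 22:50:28 gw kernel: ipfw: 200 Deny UDiPp f1w9:2 .168.10.5:5230503 D22e4n.y0 "
    ".U0D.P25 1:15923.5136 o8.u10t. 5va5 3r5e03 224.0.0.251:5353 in via re0",
    "Oct 12 22:50:29 gw kernel: ipfw: 200 Deny UDP 192.168.10.5:70000 224.0.0.251:5353 out via re0",
    "Oct 12 22:50:30 gw kernel: re0: link state changed to UP",
]

def parse_ipfw(line):
    """Return a dict for a well-formed entry, or None if the line is damaged."""
    m = IPFW_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        # Brackets, if present around an address, are dropped before validation.
        ipaddress.ip_address(rec["src"].strip("[]"))
        ipaddress.ip_address(rec["dst"].strip("[]"))
    except ValueError:
        return None
    if int(rec["sport"]) > 65535 or int(rec["dport"]) > 65535:
        return None
    return rec

def triage(lines):
    """Split ipfw lines into (parsed records, damaged lines kept verbatim)."""
    good, damaged = [], []
    for line in lines:
        if "ipfw:" not in line:
            continue  # other kernel messages are out of scope
        rec = parse_ipfw(line)
        if rec is None:
            damaged.append(line)
        else:
            good.append(rec)
    return good, damaged
```

A rising share of damaged lines from `triage()` is a sign that firewall statistics built from this log are undercounting.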


