On Tuesday 18 June 2002 21:05, GertJan Spoelman wrote:
> On Tuesday 18 June 2002 19:30, Bob Berman wrote:
> > I am running SuSEfirewall2 and am also running a Gnutella service on port 6346. I am getting tons of messages in my firewall log informing me that connections to port 6346 are being accepted. I don't care to know this. How can I set up an iptables rule to *not* log this fact?
> You don't need to add a rule, it's a config option. In firewall2.rc.config at 16.) set FW_LOG_ACCEPT_CRIT to "no" and you should be rid of those messages.
Very true, but is there a somewhat easy way to suppress only that connection? Suppose one's not interested in [gnutella,pop3] but still would like logs for other ports/protocols [ssh,imap,cvs,whathaveyou]?

I'm just inquiring because I myself could also use a somewhat more fine-grained logging selection process, for instance not logging those pesky 'just-checking-if-I-have-new-mail-every-30-seconds' pop3 customers, or even worse the omnipresent port 137, but being interested in _everything_ else. As it is you can now choose between logging all 'deemed critical' connections, and none whatsoever...

I suppose adding a rule in some (well-chosen!) hook in --custom.rules to accept or deny will happily accomplish that, but you first have to enable that all the way at the end, well past the 'expert options, do not touch' point ;-) and it is not too well documented how to do that (i.e. not open everything up by a typo/thinko). Oh well... that's exactly what the "experts only" means I guess ;-))

Not to burden SuSE with still more work, but a new option in FW2 could be (I'm just thinking aloud here...) a field where it is left up to the user to define what exactly _will_ be defined as "CRIT" so as to be able to omit certain ports. Like so:

##
# Leave these at "Default" if you don't know what these mean.
FW_LOG_ACCEPT_CRIT_LIST="21 22 25 143"
FW_LOG_DROP_CRIT_LIST="23 69 79"
#FW_LOG_DROP_CRIT_LIST="Default"

Although I know the SuSEfirewall quite well (better than I would've liked; it is quite an impressive and complex filter!) since the time I tweaked some statefulness into it back in the v1.7 days (to overcome the 'allow all highports' ehm... misfeature ;-) mostly for 53/udp traffic, I'm still quite sure I could not come up with a diff that adds the above feature... Sorry. ;-) I did not even mail Marc Heuse my changes back then because I was not really confident that what I did was done in a clean way, and besides, who am I to criticise _The_ SuSE filter?

Since then AFAIK some official changes reflect my own changes so that naturally boosted my confidence a bit. ;-)) Maybe Marc has some views on this... but he's probably quite busy.

Maarten
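One way to get the per-port logging selection asked for above with plain iptables, as an added example that is not part of this thread or of SuSEfirewall2: a shell function that emits the commands for a logging chain which returns without logging for an explicit TCP port list and logs (rate-limited) everything else. The chain name, log prefix and the INPUT hook point are assumptions; where the jump rule is placed (for instance in the custom-rules hook) decides which packets the chain sees, and the port list is validated so a typo fails instead of silently changing what gets logged.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2.
# Emits iptables commands; it does not run them.

# Validate a space-separated TCP port list; returns 1 on any token that
# is not an integer in 1..65535 (a typo must fail loudly).
valid_ports() {
    for p in $1; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# gen_log_chain CHAIN PREFIX "PORT PORT ..."
# Prints commands for a chain that RETURNs (no log entry) for the listed
# destination ports and logs everything else, rate-limited to keep a
# flood from filling the log.
gen_log_chain() {
    chain=$1; prefix=$2; exempt=$3
    valid_ports "$exempt" || { echo "bad port list: $exempt" >&2; return 1; }
    echo "iptables -N $chain"
    for p in $exempt; do
        echo "iptables -A $chain -p tcp --dport $p -j RETURN"
    done
    echo "iptables -A $chain -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix \"$prefix\""
    echo "iptables -A $chain -j RETURN"
}

# gen_hook PARENT CHAIN: jump new TCP connections from PARENT into CHAIN.
# Placed in INPUT (an assumption) it logs every new attempt, accepted or
# not; place it after the accept decision to log only accepted ones.
gen_hook() {
    echo "iptables -I $1 -p tcp -m state --state NEW -j $2"
}

# Demo: keep critical-accept logging, but not for Gnutella (6346) or POP3 (110).
if [ "${1:-}" = "--demo" ]; then
    gen_log_chain LOG_ACCEPT_CRIT "SFW2-ACC-CRIT " "6346 110"
    gen_hook INPUT LOG_ACCEPT_CRIT
fi
```

Run with `--demo` to see the generated commands; review them before applying, since the jump rule is inserted at the top of the parent chain.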