On Thursday 20 July 2006 9:30 am, Michael Nelson wrote: <snip>
Is there a way to configure SuSEfirewall2 to not send stuff into the dmesg buffer but instead only log to /var/log/messages?
Not directly, and certainly not from the current version of the GUI you can click on in yast2. The /sbin/SuSEfirewall2 script is hard-coded to use the LOG target, which of course plops the messages into the kernel ring buffer where both dmesg and syslog can see it. The ULOG target was implemented to allow logging to go through userspace instead, but most firewall building tools (including SuSEfirewall2) don't make use of it.

You would need to either go through all 2000-ish lines of /sbin/SuSEfirewall2's Bourne shell code and "fix" all of the -j LOG targets to use ULOG instead, or a better idea is to write a quick-and-dirty perl/sed/awk/whatever script to alter the generated iptables rules to use ULOG. (Something along the lines of

    iptables-save | sed -e 's/\-j LOG/-j ULOG/' | iptables-restore

or similar.)

Then you'll need to enable/configure ulogd to pick up the messages and either drop them into a file or feed them to syslog-ng where you can then write a rule to put them in /var/log/messages.
I looked in /etc/sysconfig/SuSEfirewall but didn't see in there how to accomplish this.
SIDE NOTE: A simpler solution might be to turn off most of the logging in the firewall. Knowing that there were 935 failed attempts to ping your machine yesterday might make you feel better, but beyond initial debugging, it's not useful knowledge. It's not like you can control who tries to hit your firewall or how often. A better approach would be to detect when something gets through that shouldn't, and that's not something a single firewall is going to know. Better to use two firewalls with two different technologies, one to block everything you don't want and log none of it, and a second one to silently pass what you do want, and block/log anything it sees that the first one should have stopped. That way, the only log messages you'll see are the ones that you really need to pay attention to.

However, if you really want to make iptables play nice with dmesg, and worry about your logfile analysis strategy later, then start by looking at this: http://wiki.linuxquestions.org/wiki/Dmesg

Then have a look through the /usr/share/doc/packages/SuSEfirewall2 directory so you understand how all the scripts fit together, read up on ulogd and syslog-ng if necessary, and make your changes. As always, backups are really good for keeping the karma up.

JA
Thanks Michael
--
San Francisco, CA
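
Added example (not part of the original message, and not SuSEfirewall2 code): a filter for iptables-save output that converts LOG rules to ULOG as the reply suggests, and also renames --log-prefix to --ulog-prefix and drops the LOG-only options, which the ULOG target does not accept. The function name log_to_ulog, its netlink group argument and the sample ruleset are assumptions made up for this illustration.

```sh
#!/bin/sh
# Added example: rewrite LOG rules in iptables-save output to ULOG.
# log_to_ulog is a hypothetical helper; it reads a ruleset on stdin and
# writes the converted ruleset on stdout.
# $1 = netlink group that ulogd listens on (ULOG accepts 1-32, default 1).
log_to_ulog() {
    nlgroup="${1:-1}"
    case "$nlgroup" in
        *[!0-9]*) echo "nlgroup must be a number" >&2; return 2 ;;
    esac
    if [ "$nlgroup" -lt 1 ] || [ "$nlgroup" -gt 32 ]; then
        echo "nlgroup must be between 1 and 32" >&2
        return 2
    fi
    # Line 1 of the sed script skips every rule whose target is not exactly
    # LOG, so a user chain named e.g. LOGDROP is left alone.
    # Lines 2-3 drop options that only the LOG target understands.
    # Line 4 maps the prefix option to its ULOG name.
    # Line 5 swaps the target and pins the netlink group.
    sed -E \
        -e '/ -j LOG( |$)/!b' \
        -e 's/ --log-level [^ ]+//' \
        -e 's/ --log-(tcp-sequence|tcp-options|ip-options|uid)//g' \
        -e 's/ --log-prefix / --ulog-prefix /' \
        -e "s/ -j LOG( |\$)/ -j ULOG --ulog-nlgroup ${nlgroup}\\1/"
}

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-level 4 --log-tcp-options --log-ip-options
-A INPUT -j LOGDROP
-A INPUT -j DROP
COMMIT'

# Show the converted ruleset. On a live system the pipeline would be:
#   iptables-save | log_to_ulog 1 | iptables-restore --test
# (--test parses the rules without committing them; drop it to apply).
printf '%s\n' "$SAMPLE" | log_to_ulog 1
```

Keep a copy of the unmodified iptables-save output before applying the converted ruleset, so the original LOG rules can be restored.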