Mailinglist Archive: opensuse (1470 mails)

< Previous Next >
Re: [opensuse] What is the meaning of these firewall log entries?
On 13/02/16 08:26 AM, Carlos E. R. wrote:


On Saturday, 2016-02-13 at 14:49 +0100, Carlos E. R. wrote:
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:

I have determined some important info: the even happens only when I
hibernate the sender machine (...14).
I saw the messages going by in the screen while the machine hibernates.
The timestamp corresponds to the thawing, because then is when it
has a chance to write them:

It may be related to these entries in the sender machine log:

<3.4> 2016-02-13 06:30:37 Telcontar pm-utils - - - Hibernating the
system now (04)...
<3.5> 2016-02-13 06:30:37 Telcontar pm-utils - - - There appears not
be any pending nntp post to be sent. I just checked :-)
<1.5> 2016-02-13 06:30:37 Telcontar network 2055 - - redirecting to
"systemctl --signal=9 kill network.service"
<3.5> 2016-02-13 06:30:37 Telcontar systemd 1 - -
network@eth0.service: main process exited, code=killed, status=9/KILL
<3.6> 2016-02-13 06:30:37 Telcontar systemd 1 - - Stopping LSB:
Network time protocol daemon (ntpd)...
<3.6> 2016-02-13 06:30:38 Telcontar ntp 2079 - - Shutting down
network time protocol daemon (NTPD)..done
<1.6> 2016-02-13 06:30:38 Telcontar org.freedesktop.UDisks 1047 - -
**** /proc/self/mountinfo changed
<3.6> 2016-02-13 06:30:38 Telcontar systemd 1 - - Stopped LSB:
Network time protocol daemon (ntpd).
<3.4> 2016-02-13 06:30:38 Telcontar pm-utils - - - Hibernating (95)...
<0.7> 2016-02-13 06:31:01 Telcontar kernel - - - [1086085.630918] PM:
Marking nosave pages: [mem 0x0009f000-0x000fffff]


I think that it is not that the receiver has the port closed, but that
the sender machine is halting its own network service causing spurious
log entries on the firewall (when packets can not be sent by the
kernel netconsole), with incorrect content.
If the sender machine (Telcontar is ...14, I am assuming) has halted its
network, then its firewall should be closed to all traffic, outbound as
well as inbound. In that case, nothing should be reaching ...15, so
there should be no "port unreachable" replies from that system. At most,
you should be seeing default dropped *outbound* packets addressed to
port 6666 on ....15, not ICMP responses from the remote system.

Very, very very strange..... to make sense of this, we are almost
required to believe that Telcontar is dropping outbound UDP packets, but
instead is logging incoming ICMP responses which are being dropped and
logged.

If you have the time, would you be willing to log *all* firewall traffic
on *both* systems, and then wade through both logs to see if there is
any additional evidence to suggest what is going on? That will be a lot
of work, I know, but it may be the only way we will be able to get to
the bottom of this.


--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >