Mailinglist Archive: opensuse (1470 mails)

Re: [opensuse] What is the meaning of these firewall log entries?
On 13/02/16 05:33 PM, Carlos E. R. wrote:


On Saturday, 2016-02-13 at 19:50 +0100, Carlos E. R. wrote:

A tcp dump? Or tell SuSEfirewall2 to log everything?

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"

I can set all of them to "yes" prior to hibernation, and undo after.
It is simple to do.

Done. Let's extract the firewall data.

<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating the system now (04)...
<3.5> 2016-02-13 21:01:07 Telcontar pm-utils - - - There appears not be any pending nntp post to be sent. I just checked :-)
<1.5> 2016-02-13 21:01:07 Telcontar network 24855 - - redirecting to "systemctl --signal=9 kill network.service"
<3.5> 2016-02-13 21:01:07 Telcontar systemd 1 - - network@eth0.service: main process exited, code=killed, status=9/KILL
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopping LSB: Network time protocol daemon (ntpd)...
<3.6> 2016-02-13 21:01:07 Telcontar ntp 24879 - - Shutting down network time protocol daemon (NTPD)..done
<1.6> 2016-02-13 21:01:07 Telcontar org.freedesktop.UDisks 1047 - - **** /proc/self/mountinfo changed
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopped LSB: Network time protocol daemon (ntpd).
<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating (95)...


So I have to look around 21:01:07

There are too many entries, so I'll filter.

<snip>

Now for the receiver machine entries.

AmonLanc:~ # zgrep "192.168.1" /var/log/firewall-20160213.xz | grep "192.168.1.14" | grep "192.168.1.15" | less

<snip>
DOH! Do I feel stupid!

It just occurred to me that we do not need *all* the firewall logs from
both machines. The only things we are interested in for this are the UDP
traffic sent to port 6666 on ..15 and ICMP traffic related to that. Only
the following entries are relevant:

on Telcontar:
    outbound UDP sent to AmonLanc on port 6666.
    responses to those packets (presumably these are UDP packets originating on port 6666?)
    ICMP packets received from AmonLanc.

on AmonLanc:
    inbound UDP on port 6666 sent from Telcontar
    outbound responses to those
    any outbound ICMP packets sent to Telcontar.

Perhaps something like wireshark would be able to capture the necessary
data. What I suggested that you do is gross overkill.

That having been said, I did not see a single firewall log entry on
AmonLanc that could possibly explain why Telcontar is receiving these
"port unreachable" messages. There is no logic to this at all, unless
Telcontar's firewall is sending those ICMP messages **to itself** after
the firewall has been locked shut. Perhaps I missed something? I'll have
another look at it in the morning as time permits.


