On 28.07.2020 23:41, Marc Chamberlin wrote:
(I have turned back on logging to the messages log file since I prefer using text files rather than the journal log which I find is too difficult to work with)
Check your logging software configuration. You do not say what distribution you are using, what version, what log program fills in /var/log/messages so there is not much more to say.
Sorry, I guess I didn't think that was going to be relevant. On the system I am testing, I am running OpenSuSE Leap 15.0 using rsyslogd 8.33.1 for my logging service.
On Leap 15.1 the default rsyslog.conf has

    #
    # firewall messages into separate file and stop their further processing
    #
    if ($syslogfacility-text == 'kern') and \
       ($msg contains 'IN=' and $msg contains 'OUT=') \
       then { -/var/log/firewall stop }

In any case, you still have journal whether you like it or not, and journal stores everything. Check kernel log (dmesg), check journal - are messages there?
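Added example, not part of the thread or of rsyslog itself: a small Python model of the routing decision the rsyslog rule quoted above makes (and of the general "different kinds of messages into different files" behaviour mentioned later in the thread). The facility/message pairs are constructed for this example; the only real values are the two file paths and the rule's condition as quoted from rsyslog.conf. It shows why a netfilter LOG line (kernel facility, containing both `IN=` and `OUT=`) ends up in /var/log/firewall and, because of `stop`, never reaches the later catch-all rule that feeds /var/log/messages, while other kernel messages still do.

```python
# Added example: a minimal model of the rsyslog filter quoted in the reply above.
# It is NOT rsyslog code; it only reproduces the routing decision the rule makes,
# so you can see why netfilter LOG lines never show up in /var/log/messages.

from dataclasses import dataclass


@dataclass
class Record:
    facility: str   # syslog facility as text, e.g. "kern", "daemon", "auth"
    msg: str        # message body


def firewall_rule_matches(rec: Record) -> bool:
    """Mirror of the quoted condition:
         ($syslogfacility-text == 'kern') and
         ($msg contains 'IN=' and $msg contains 'OUT=')
    Note: iptables LOG always emits both keys, even when one is empty
    (e.g. 'OUT=' for an inbound packet), so every netfilter line matches."""
    return rec.facility == "kern" and "IN=" in rec.msg and "OUT=" in rec.msg


def route(rec: Record) -> str:
    """Return the file the record ends up in.

    The firewall rule is evaluated first and ends with 'stop', so a matching
    record is written to /var/log/firewall and processing ends there; only
    non-matching records fall through to the rule that feeds /var/log/messages.
    """
    if firewall_rule_matches(rec):
        return "/var/log/firewall"
    return "/var/log/messages"


def route_all(records):
    """Group records by destination file; returns {path: [msg, ...]}."""
    out = {}
    for rec in records:
        out.setdefault(route(rec), []).append(rec.msg)
    return out


# Constructed sample records (invented for this example, not taken from the thread).
SAMPLE = [
    Record("kern", "IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
                   "SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=1234 SYN"),
    Record("kern", "IN= OUT=eth1 SRC=198.51.100.5 DST=192.0.2.10 "
                   "PROTO=TCP SPT=22 DPT=40000 ACK"),
    Record("kern", "eth1: link becomes ready"),          # kernel line, but no IN=/OUT=
    Record("daemon", "rsyslogd: [origin software=\"rsyslogd\"] start"),
    Record("auth", "sshd[999]: Accepted publickey for user from 192.0.2.10 port 40000"),
]

if __name__ == "__main__":
    for path, msgs in sorted(route_all(SAMPLE).items()):
        print(f"{path}: {len(msgs)} record(s)")
        for m in msgs:
            print("   ", m[:72])
```

Running it sorts the two netfilter lines into /var/log/firewall and the remaining three, including the plain kernel link message, into /var/log/messages. On a real system the equivalent check is to look in /var/log/firewall directly, or in the kernel ring buffer and journal as the reply suggests (`dmesg`, `journalctl -k`), before concluding that iptables never saw the packets.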
I imagine that wireshark is directly monitoring eth1 by making low level calls to the eth1 driver and I would have expected iptables to be doing the same, but apparently not. So what lies between the low level driver for eth1 that wireshark is apparently using, and the beginning of the iptables chain that is blocking these port knock packets from reaching the iptables chains?
Much more plausible explanation is that these messages are filtered out by your log program.
Hmmm, OK, I need more help here then, I dunno how to configure filtering, didn't even know that was possible.
Seriously? Even ancient syslogd supported storing different kinds of messages in different files.