On 7/31/20 2:48 PM, Marc Chamberlin wrote:
On 7/29/20 12:19 AM, Carlos E. R. wrote:
On 29/07/2020 06.34, Andrei Borzenkov wrote:
28.07.2020 23:41, Marc Chamberlin wrote: ...
On Leap 15.1 the default rsyslog.conf has

    #
    # firewall messages into separate file and stop their further processing
    #
    if ($syslogfacility-text == 'kern') and \
       ($msg contains 'IN=' and $msg contains 'OUT=') \
    then {
        -/var/log/firewall
        stop
    }
In any case, you still have journal whether you like it or not, and journal stores everything. Check kernel log (dmesg), check journal - are messages there? Journal can be configured to discard all :-P
I did so for some time in this computer, I think. But re-enabled it because systemctl was not happy about it.
Carlos, Andrei, all - I ran the following command to monitor dmesg -
dmesg -H -w | grep DST=192.168.10.51 | grep DPT=12
to filter out the knocks and yes the kernel log is showing the knocks (although somewhat delayed quite a bit after they are sent) yet my logging of what iptables sees, the messages file, and the knockd logs do not show these knocks. The one other symptom that is also puzzling is that after I restart all the services sometimes the knock sequence does work ONE time, and then they stop working.
The following shows what is in the INPUT chain of iptables -
    Chain INPUT (policy ACCEPT)
    target              prot opt source               destination
    LOG                 all  --  192.168.10.10        anywhere             LOG level warning
    ACCEPT              all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT              all  --  anywhere             anywhere
    INPUT_direct        all  --  anywhere             anywhere
    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
    INPUT_ZONES         all  --  anywhere             anywhere
    LOG                 all  --  anywhere             anywhere             ctstate INVALID LOG level warning prefix "STATE_INVALID_DROP: "
    DROP                all  --  anywhere             anywhere             ctstate INVALID
    LOG                 all  --  anywhere             anywhere             LOG level warning prefix "FINAL_REJECT: "
    REJECT              all  --  anywhere             anywhere             reject-with icmp-host-prohibited
which should capture and log the knocks coming from my laptop.
Still stumped, Marc...
Ping? :-) Anyone got an idea as to why the kernel log (dmesg) sees my portknocks, yet iptables and knockd don't? Thanks in advance, Marc...