Help please:

Can anyone tell me where to find the SuSEfirewall2 log file? According to the FAQ in /usr/share/doc/packages/SuSEfirewall2/ it should be in /var/log/ as /var/log/firewall, but I've not been able to find it there (or anywhere else for that matter). I have set the firewall rules to log all dropped packets so there ought to be something in the log.

I'm trying to figure out why ntpd can't reach any servers when the firewall is up although there's no problem when the firewall is turned off or running in test mode. (I do have port 123 open.)

I'm running 9.0 on a 1.4 meg athlon machine with the latest SuSE kernel (2.4.21-166).

Thanks,
George
--
George H. Griffin
Powered by SuSE Linux 9.0, kernel 2.4.21
"Some mornings it just doesn't seem worth it to gnaw through the leather straps" Emo Philips
The Saturday 2004-01-10 at 08:29 -0700, George H. Griffin wrote:
Can anyone tell me where to find the SuSEfirewall2 log file? According to the FAQ in /usr/share/doc/packages/SuSEfirewall2/ it should be in /var/log/ as /var/log/firewall, but I've not been able to find it there (or anywhere else for that matter).
View file '/etc/syslog.conf'. Find the entries of type "kern.*", and if not present, "*.*". For example:

    *.*;mail.none;news.none             -/var/log/messages

then kernel entries (thus firewall logs) will go to file '/var/log/messages'. If you have this:

    kern.*                              -/var/log/kernel

then they will go to '/var/log/kernel'. You probably have:

    *.=warn;*.=err                      -/var/log/warn
    *.crit                              /var/log/warn

So they will also go to '/var/log/warn' (firewall entries are of "warning" level). On my machine, they do not go to '/var/log/messages', because I disabled it:

    *.*;kern.none;mail.none;news.none;\
            local0,local1,local2,local3,\
            local4,local5,local6,local7.none;   -/var/log/messages
I'm trying to figure out why ntpd can't reach any servers when the firewall is up although there's no problem when the firewall is turned off or running in test mode. (I do have port 123 open.)
open udp 123, not tcp.

--
Cheers,
Carlos Robinson
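The routing rules above (and the facility.priority syntax Carlos spells out later in the thread) can be checked mechanically. The following is an added example, not code from the thread or from SuSE: a small resolver for the classic sysklogd selector syntax of syslog.conf(5) that, given the text of /etc/syslog.conf and a message's facility and priority, lists the files the message is written to. The two sample configs are constructed from the fragments quoted in the thread; their paths are illustrative and the "!" negation syntax is not handled.

```python
"""Where does a kernel (firewall) message end up, according to syslog.conf?

Added example, not code from the thread or from SuSE: a resolver for the
sysklogd selector syntax "facility.priority action" (syslog.conf(5)).
Sample configs below are constructed from fragments quoted in the thread.
"""
import re

# Priorities in ascending order of severity, plus the aliases syslog.conf(5) accepts.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

FACILITIES = [
    "auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
    "news", "security", "syslog", "user", "uucp",
] + ["local%d" % i for i in range(8)]


def _level(name):
    """Map a priority keyword to its index in PRIORITIES."""
    return PRIORITIES.index(ALIASES.get(name, name))


def _logical_lines(text):
    """Yield config lines with backslash continuations joined and comments dropped."""
    buf = ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        line, buf = (buf + piece).strip(), ""
        if line and not line.startswith("#"):
            yield line


def parse_syslog_conf(text):
    """Return [(mask, action)] where mask maps facility -> set of priority indexes.

    Selectors on one line are applied left to right, as sysklogd does it:
    a plain priority adds that level and everything more severe, '=level'
    adds exactly that level, '*' adds all levels and 'none' clears the
    facility (which is how 'kern.none' after '*.*' keeps kernel messages
    out of /var/log/messages).
    """
    rules = []
    for line in _logical_lines(text):
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        mask = {}
        for sel in filter(None, selectors.split(";")):
            fac_part, prio = sel.rsplit(".", 1)
            facs = FACILITIES if fac_part == "*" else fac_part.split(",")
            if prio == "*":
                levels = set(range(len(PRIORITIES)))
            elif prio == "none":
                levels = set()
            elif prio.startswith("="):
                levels = {_level(prio[1:])}
            else:
                levels = set(range(_level(prio), len(PRIORITIES)))
            for fac in facs:
                mask[fac] = levels if prio == "none" else mask.get(fac, set()) | levels
        rules.append((mask, action.lstrip("-")))   # leading '-' only means "no fsync"
    return rules


def destinations(conf_text, facility, priority):
    """Return the ordered, de-duplicated list of files a message is logged to."""
    level = _level(priority)
    out = []
    for mask, action in parse_syslog_conf(conf_text):
        if level in mask.get(facility, set()) and action not in out:
            out.append(action)
    return out


# Constructed sample: SuSE-style default, where kern.* falls through to messages.
DEFAULT_CONF = """\
*.*;mail.none;news.none         -/var/log/messages
*.=warn;*.=err                  -/var/log/warn
*.crit                          /var/log/warn
mail.*                          -/var/log/mail
"""

# Constructed sample modelled on the poster's config: kern.* gets its own file
# and is excluded from messages with kern.none, using a backslash continuation.
SPLIT_CONF = """\
kern.*                          -/var/log/kernel
*.*;kern.none;mail.none;news.none;\\
        local0,local1,local2,local3,\\
        local4,local5,local6,local7.none;  -/var/log/messages
*.=warn;*.=err                  -/var/log/warn
*.crit                          /var/log/warn
mail.*                          -/var/log/mail
"""

if __name__ == "__main__":
    # iptables LOG entries arrive as facility kern, priority warning.
    for name, conf in (("default", DEFAULT_CONF), ("split", SPLIT_CONF)):
        print(name, "kern.warning ->", destinations(conf, "kern", "warning"))
        print(name, "kern.info    ->", destinations(conf, "kern", "info"))
```

Run it against the real file with `destinations(open("/etc/syslog.conf").read(), "kern", "warning")` to see where a logged drop lands on your own machine; with the default config it shows up in both /var/log/messages and /var/log/warn, with the kern.none variant only in the kernel file and /var/log/warn.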
Carlos E. R. wrote:
I'm trying to figure out why ntpd can't reach any servers when the firewall is up although there's no problem when the firewall is turned off or running in test mode. (I do have port 123 open.)
open udp 123, not tcp.
I've got it working now. The problem is that when using yast to configure the firewall directly it only opens TCP 123; I had to go into the /etc/sysconfig editor and add "123 NTP" to FW_SERVICES_EXT_UDP to open UDP 123.

On a side note I never could get ntpd to write to /etc/ntp/drift/. I finally downloaded the tarball from ntp.org and installed it from there. Now it works fine, though it writes the driftfile to /etc/ntp.drift.

George
--
George H. Griffin
Powered by SuSE Linux 9.0, kernel 2.4.21
"Some mornings it just doesn't seem worth it to gnaw through the leather straps" Emo Philips
George H. Griffin wrote:
Help please:
Can anyone tell me where to find the SuSEfirewall2 log file? According to the FAQ in /usr/share/doc/packages/SuSEfirewall2/ it should be in /var/log/ as /var/log/firewall, but I've not been able to find it there (or anywhere else for that matter).
I have set the firewall rules to log all dropped packets so there ought to be something in the log.
This is part of the email that was sent to the root user when I updated SuSEfirewall2.

    Formerly, the postinstall script of SuSEfirewall2 automatically added an entry

        kern.*      -/var/log/firewall

    to your /etc/syslog.conf file to send firewall related syslog messages into the /var/log/firewall file. This is not done any longer. Add this line yourself if you like.

Unfortunately that logs a lot of other kernel related messages to /var/log/firewall, not just iptables related. Does anyone know of a more appropriate selector field that should be used?
The Monday 2004-01-12 at 00:46 -0500, Avtar Gill wrote:
kern.* -/var/log/firewall ...
Unfortunately that logs a lot of other kernel related messages to /var/log/firewall, not just iptables related. Does anyone know of a more appropriate selector field that should be used?
No, that's the way it works. See "syslog.conf(5)" for details. Briefly
told, the syntax is:

    facility.priority action

Where "facility" is one of these keywords:

    auth, authpriv, cron, daemon, kern, lpr, mail, mark,
    news, security (same as auth), syslog, user,
    uucp and local0 through local7
The "facility" we have to use is "kern", and everything goes there -
because when the messages are sent, they are sent with that facility.
Unless somebody "with authority" decides to invent a new facility, they go
there.
You can reduce the flow looking at /var/log/warn instead - that is much
less text than the kernel log.
Unless... instead of 'syslogd' we install 'syslog-ng', which I think could
do that selection:
syslog-ng is a "new-generation" syslogd (replacement) for Unix
and Unix-like systems. It tries to fill the gaps in the original syslogd:
* powerful configurability
* filtering based on message content
* message integrity, message encryption (not yet implemented in 1.4.x)
* portability
* better network forwarding
The official home page of syslog-ng is:
http://www.balabit.hu/products/syslog-ng/
You can report problems via email to the syslog-ng mailing list at
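Since syslogd can only select on facility.priority, and an iptables LOG line is kern.warning like any other kernel warning, the separation has to be done on message content. The following is an added example, not code from the thread, from SuSEfirewall2 or from syslog-ng: a script that pulls netfilter LOG entries out of /var/log/warn or /var/log/messages after the fact by recognising the field layout the LOG target emits ("IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..."), which is the same whatever --log-prefix the rule used; syslog-ng's match() filter does the same kind of content test inside the daemon. It then counts dropped packets per protocol and destination port, which is the view that would have shown the UDP 123 problem from the start of the thread. The log lines are constructed; the "SFW2-INext-DROP-DEFLT" prefix is assumed to be the form SuSEfirewall2 uses, the addresses are documentation ranges, and treating "DROP"/"REJECT" in the prefix as a drop is a convention of this script.

```python
"""Pick iptables LOG entries out of a kern.* log file by content.

Added example, not code from the thread, SuSEfirewall2 or syslog-ng.
The sample log is constructed; the SFW2-* prefixes are assumed.
"""
import re
from collections import Counter

# A netfilter LOG line always carries IN= and OUT= (one of them empty) and,
# for IP packets, SRC=/DST=/PROTO=.  Other kernel messages lack these.
_NF_LINE = re.compile(
    r"kernel:\s*(?P<prefix>.*?)\s*\bIN=(?P<IN>\S*)\s+OUT=(?P<OUT>\S*)\s+(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=(\S*)")


def parse_netfilter(line):
    """Return a dict of the LOG fields, or None if the line is not a netfilter LOG entry."""
    m = _NF_LINE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "IN": m.group("IN"), "OUT": m.group("OUT")}
    for key, val in _KV.findall(m.group("rest")):
        rec.setdefault(key, val)   # keep the first LEN= (IP header), not the UDP payload LEN=
    return rec


def is_drop(rec):
    """Assumption: the rule's --log-prefix names the verdict (DROP/REJECT)."""
    return "DROP" in rec["prefix"] or "REJECT" in rec["prefix"]


def netfilter_records(lines):
    """Yield only the parsed netfilter LOG entries from a mixed kern.* log."""
    for line in lines:
        rec = parse_netfilter(line)
        if rec is not None:
            yield rec


def drops_by_port(lines):
    """Count dropped packets per (protocol, destination port)."""
    counts = Counter()
    for rec in netfilter_records(lines):
        if is_drop(rec):
            counts[(rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def find_blocked(lines, proto, dport):
    """Return the dropped records for one protocol/port, e.g. ("UDP", "123") for NTP."""
    return [rec for rec in netfilter_records(lines)
            if is_drop(rec) and rec.get("PROTO") == proto and rec.get("DPT") == dport]


# Constructed sample: two ordinary kernel lines mixed with three LOG entries.
# ntpd talks UDP 123 -> 123, so the server's reply arrives on UDP/123 and is
# dropped when only TCP 123 is open.
SAMPLE_LOG = """\
Jan 10 08:29:01 gh kernel: eth0: link up, 100Mbps, full-duplex
Jan 10 08:29:03 gh kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0a:0b:0c:0d:0e:00:01:02:03:04:05:08:00 SRC=192.0.2.50 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jan 10 08:29:04 gh kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0a:0b:0c:0d:0e:00:01:02:03:04:05:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=12345 DF PROTO=TCP SPT=4421 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 10 08:29:05 gh kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0a:0b:0c:0d:0e:00:01:02:03:04:05:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 08:29:06 gh kernel: Neighbour table overflow.
"""

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for (proto, dport), n in drops_by_port(lines).most_common():
        print("%-4s dport %-5s dropped %d" % (proto, dport, n))
```

Pointed at /var/log/warn the per-port summary makes a mis-opened service obvious (UDP 123 drops piling up while TCP 123 is open), and the same content test is what you would put in a syslog-ng match() filter to route these lines to their own file.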