On Tue, 1 Aug 2000, Steffen Dettmer wrote:
* Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
especially due to web traffic to the machine (a lot of ALLOW's). Can I change a config to prevent firewall from making duplicate entries to /var/log/messages?
That's not possible (at least with ipchains). You should check your configuration and environment; it's bad if you get lots of prohibited connection attempts. You have to reduce it, otherwise your logging makes no sense, since you will never be able to read the logs!
If you have "expected" denies, insert a rule that rejects/denies those packets without logging.
The problem is that these logs "from" ipchains actually come from the kernel; ipchains is only used to feed the rules into the kernel. Messages from the kernel are read by klogd from /proc/kmsg and then forwarded to syslogd. Here's your chance to get hold of the logs: change /etc/syslog.conf to reflect the facility kernel _only_ in the firewall log (which is actually the kernel log). This can be done by changing the line

    *.*;mail.none;news.none                 -/var/log/messages

to

    *.*;mail.none;news.none;kern.none       -/var/log/messages

I bet the last line reads

    kern.*                                  /var/log/firewall

:-)
Also, scanlogd does not seem to log any scannings except for those from localhost (127.0.0.1).
Here it works...
Same here.
[...]
Regards,
Roman.
--
- -
| Roman Drahtmüller
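Putting the two suggestions from the thread together (Steffen's "deny expected noise without logging" and Roman's "route facility kern out of /var/log/messages"), here is an added example; it is not code posted by anyone in the thread. The NetBIOS ports 137-139 chosen as the "expected" noise, the file names and the IPCHAINS variable are assumptions made for the illustration; pick the ports your own logs actually show.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# Set IPCHAINS="echo ipchains" to print the rules instead of loading them.
IPCHAINS="${IPCHAINS:-ipchains}"

# Prints the two syslog.conf lines that keep kernel (= ipchains) messages
# out of /var/log/messages and put them into /var/log/firewall instead.
# Old syslogd versions insist on TAB characters between selector and action.
syslog_fragment() {
  cat <<'EOF'
*.*;mail.none;news.none;kern.none	-/var/log/messages
kern.*	/var/log/firewall
EOF
}

# Assumed "expected" denies (NetBIOS broadcasts) are dropped silently first;
# only what is left over reaches the logging catch-all rule at the end.
# Rule order matters: ipchains walks the chain top to bottom.
expected_denies() {
  $IPCHAINS -A input -p udp -s 0/0 -d 0/0 137:139 -j DENY
  $IPCHAINS -A input -p tcp -s 0/0 -d 0/0 137:139 -j DENY
  # everything else that is denied is still logged (-l)
  $IPCHAINS -A input -j DENY -l
}

# Usage:  sh fw-log.sh show   -> print the syslog.conf fragment
#         sh fw-log.sh rules  -> load (or, with IPCHAINS="echo ipchains", print) the rules
# After editing /etc/syslog.conf, reload syslogd, e.g.:  kill -HUP $(cat /var/run/syslogd.pid)
case "${1:-}" in
  show)  syslog_fragment ;;
  rules) expected_denies ;;
esac
```

Check the result with `tail -f /var/log/firewall` while the silent rules are in place: if the file still fills with lines for ports 137-139, the silent DENY rules sit below the logging rule rather than above it.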