[Firewall] DENY_UDP_NOLOG

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Jan 15 16:45:53 CET 2014


Hi Daniel,

Judging from your logs, they are UDP 137/138 NETBIOS broadcasts.

Blocking those packets as you did with DENY_UDP_NOLOG is one way; another is to control what gets logged...

The four most general logging controls are (with defaults):
--
PRIV_UDP_LOG=1
UNPRIV_UDP_LOG=1

PRIV_TCP_LOG=1
UNPRIV_TCP_LOG=1
--

To quiet your NETBIOS broadcasts (and others) in your logs you could set:
--
PRIV_UDP_LOG=0
--
Tip -> the beginning of your logs states: "AIF:PRIV UDP packet:"

To quiet most common logs, set:
--
PRIV_UDP_LOG=0
UNPRIV_UDP_LOG=0
PRIV_TCP_LOG=0
UNPRIV_TCP_LOG=0
--

Of course if you are debugging network issues, you may want to enable logging at that time.

Also note that the above variable definitions are 'shell' syntax, no spaces before or after the =.

Lonnie


On Jan 15, 2014, at 5:13 AM, Daniel Weidner wrote:

> 
> Hi,
> 
> I have setup arno-iptables-firewall on a Raspberry Pi which is connected to a Fritz!Box. I basically use the default configuration provided by the Debian package:
> 
> EXT_IF="eth0 wlan0"
> EXT_IF_DHCP_IP=1
> OPEN_TCP="22 25 80 443 993 995 9981 9982" # Ports: 9981 and 9982 are used by tvheadend for htsp
> OPEN_UDP="53"
> INT_IF=""
> NAT=0
> INTERNAL_NET=""
> NAT_INTERNAL_NET=""
> OPEN_ICMP=1
> 
> Everything seems to work fine so far. However, in /var/log/arno-iptables-firewall I regularly receive entries for UDP packets, e.g.:
> 
> Jan 15 11:19:09 raspi kernel: [147839.674114] AIF:PRIV UDP packet: IN=eth0 OUT= MAC=... SRC=192.168.178.1 DST=192.168.178.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=76
> 
> Jan 15 11:20:06 raspi kernel: [147897.219020] AIF:PRIV UDP packet: IN=eth0 OUT= MAC=... SRC=192.168.178.21 DST=192.168.178.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=11637 PROTO=UDP SPT=138 DPT=138 LEN=220
> 
> In the configuration file I found the option DENY_UDP_NOLOG which allows removing these entries for certain ports (as far as I understand). Consequently, I added DENY_UDP_NOLOG="137 138" to my described configuration. This works as expected. But is there a better possibility to only remove these entries for my local network (192.168.178.0/24)?
> 
> Thank you for the great script, which is really helpful for beginners like me.
> 
> Greetings,
> Daniel
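
As an added example (not part of either message and not code from arno-iptables-firewall itself), the script below parses "AIF:PRIV UDP packet:" kernel log lines in the format quoted above and counts how many are NETBIOS broadcasts from the local 192.168.178.0/24 network versus anything else, so you can check what you would stop seeing before setting PRIV_UDP_LOG=0 or widening DENY_UDP_NOLOG. The local network, the port set and the third (external) log line are constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the AIF kernel log format quoted in the thread; the
# third line is an invented non-local entry (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
Jan 15 11:19:09 raspi kernel: [147839.674114] AIF:PRIV UDP packet: IN=eth0 OUT= MAC=... SRC=192.168.178.1 DST=192.168.178.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Jan 15 11:20:06 raspi kernel: [147897.219020] AIF:PRIV UDP packet: IN=eth0 OUT= MAC=... SRC=192.168.178.21 DST=192.168.178.255 LEN=240 TOS=0x00 PREC=0x00 TTL=128 ID=11637 PROTO=UDP SPT=138 DPT=138 LEN=220
Jan 15 11:21:40 raspi kernel: [147991.001200] AIF:PRIV UDP packet: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.168.178.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=UDP SPT=40000 DPT=123 LEN=40
"""

LOCAL_NET = ipaddress.ip_network("192.168.178.0/24")  # assumed LAN from the question
NETBIOS_PORTS = {137, 138}                             # ports Daniel put in DENY_UDP_NOLOG
LINE_RE = re.compile(r"AIF:(?P<tag>[A-Z ]+?) packet: (?P<fields>.*)$")

def parse_line(line):
    """Return (tag, {field: value}) for an AIF log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        # Bare flags such as DF have no '='; LEN appears twice (IP, then UDP),
        # so the second value wins, which is fine for this triage.
        fields[key] = value if sep else True
    return m.group("tag"), fields

def classify(fields):
    """Label an entry: local NETBIOS broadcast, other local traffic, or external source."""
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return "unparsed"
    dport = int(fields.get("DPT", -1))
    if src in LOCAL_NET and fields.get("PROTO") == "UDP" and dport in NETBIOS_PORTS:
        return "local-netbios"
    return "local-other" if src in LOCAL_NET else "external"

def summarize(log_text):
    """Count entries per (AIF tag, class): everything under a PRIV UDP tag is silenced by PRIV_UDP_LOG=0."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            tag, fields = parsed
            counts[(tag, classify(fields))] += 1
    return counts

if __name__ == "__main__":
    for (tag, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{tag:10} {kind:14} {n}")
```

Run it against the real file with `summarize(open("/var/log/arno-iptables-firewall").read())`; a non-zero count in any class other than local-netbios is traffic you would also lose by turning PRIV_UDP_LOG off.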
