[Firewall] DENY_UDP_NOLOG

Lonnie Abelbeck lists at lonnie.abelbeck.com
Wed Jan 15 21:23:07 CET 2014


Hi Chris,

Looking at the "arno-iptables-firewall" script, unfortunately there is no variable to squelch "AIF:DMZ-INPUT denied" logs...
--
setup_dmz_input_chain()
{
...
  # Log everything else
  iptables -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ-INPUT denied: "
--
You could comment out the above iptables line if you wanted.

Or, this seems to be a Dropbox "LAN Sync" feature, which I read can be disabled if you aren't using it and eliminate the broadcasts: https://www.dropbox.com/help/137/en

In general blocked DMZ-INPUT logs are useful.

Lonnie


On Jan 15, 2014, at 1:59 PM, Chris Vavruska wrote:

> On a related note... how do I get the following not to log? I tried DMZ_INPUT_DENY_LOG=0 and DMZ_OUTPUT_DENY_LOG=0. Was thinking I might need to set BROADCAST_UDP_NOLOG
> 
> Jan 15 14:54:13 shaggy kernel: [3256498.538763] AIF:DMZ-INPUT denied: IN=br2 OUT= PHYSIN=eth2 MAC=ff:ff:ff:ff:ff:ff:d4:3d:7e:34:57:d9:08:00 SRC=192.168.2.20 DST=255.255.255.255 LEN=131 TOS=0x00 PREC=0x00 TTL=128 ID=18106 PROTO=UDP SPT=17500 DPT=17500 LEN=111 
> 
> 
> On Wed, Jan 15, 2014 at 2:02 PM, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Daniel,
> 
> The DENY_UDP_NOLOG adds a (redundant) iptables rule to DROP the packet without logging, where PRIV_UDP_LOG=0 keeps a rule from being added to generate a log.
> 
> Personally I use PRIV_UDP_LOG=0 (et al.) on production boxes.
> 
> Lonnie
> 
> 
> On Jan 15, 2014, at 11:11 AM, Daniel Weidner wrote:
> 
> > Is it correct that the difference between DENY_UDP_NOLOG and PRIV_UDP_LOG is the possibility to only remove log messages for specific ports?
> >
> > Am 15.01.2014 16:45, schrieb Lonnie Abelbeck:
> >> Hi Daniel,
> >>
> >> Judging from your logs, they are UDP 137/138 NETBIOS broadcasts.
> >>
> >> Blocking those packets as you did with DENY_UDP_NOLOG is one way, another is to control what gets logged...
> >>
> >> The four most general logging controls are (with defaults):
> >> --
> >> PRIV_UDP_LOG=1
> >> UNPRIV_UDP_LOG=1
> >>
> >> PRIV_TCP_LOG=1
> >> UNPRIV_TCP_LOG=1
> >> --
> >>
> >> To quiet your NETBIOS broadcasts (and others) in your logs you could set:
> >> --
> >> PRIV_UDP_LOG=0
> >> --
> >> Tip -> the beginning of your logs states: "AIF:PRIV UDP packet:"
> >>
> >> To quiet most common logs, set:
> >> --
> >> PRIV_UDP_LOG=0
> >> UNPRIV_UDP_LOG=0
> >> PRIV_TCP_LOG=0
> >> UNPRIV_TCP_LOG=0
> >> --
> >>
> >> Of course if you are debugging network issues, you may want to enable logging at that time.
> >>
> >> Also note that the above variable definitions are 'shell' syntax, no spaces before or after the =
> >>
> >> Lonnie
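The thread's alternative to switching the log rules off is to keep the "AIF:..." denied-packet logs and sort the known broadcast chatter (Dropbox LAN sync on UDP 17500, NetBIOS on UDP 137/138) from entries that deserve a look. The following is an added example written for this archive page, not code from arno-iptables-firewall or from anyone in the thread: it parses the netfilter LOG line format shown above (the "AIF:<prefix>: KEY=VALUE ..." layout) and triages each record. The first sample line is the one quoted in the thread; the other two lines, the host names and addresses in them, and the noise table are constructed for illustration.

```python
import re
from collections import Counter

# Sample kernel log lines in netfilter LOG format. The first is the line quoted
# in the thread; the second and third are constructed for this example.
SAMPLE_LOGS = [
    "Jan 15 14:54:13 shaggy kernel: [3256498.538763] AIF:DMZ-INPUT denied: IN=br2 OUT= PHYSIN=eth2 "
    "MAC=ff:ff:ff:ff:ff:ff:d4:3d:7e:34:57:d9:08:00 SRC=192.168.2.20 DST=255.255.255.255 LEN=131 "
    "TOS=0x00 PREC=0x00 TTL=128 ID=18106 PROTO=UDP SPT=17500 DPT=17500 LEN=111",
    "Jan 15 14:55:01 shaggy kernel: [3256546.100000] AIF:PRIV UDP packet: IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.7 DST=192.168.1.255 LEN=78 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Jan 15 14:56:30 shaggy kernel: [3256635.200000] AIF:DMZ-INPUT denied: IN=br2 OUT= PHYSIN=eth2 "
    "MAC=00:aa:bb:cc:dd:ee:d4:3d:7e:34:57:d9:08:00 SRC=192.168.2.44 DST=192.168.2.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=40512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
]

# "AIF:<prefix>: <fields>" -- the prefix is everything up to the first colon
# after "AIF:", which is before the colon-separated MAC field.
AIF_RE = re.compile(r"AIF:(?P<prefix>[^:]+):\s+(?P<fields>.*)$")
# KEY=VALUE tokens; bare flags such as SYN have no "=" and are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Broadcast traffic that the thread identifies as expected LAN chatter.
# (PROTO, DPT) -> description. Constructed table for this example.
KNOWN_BROADCAST_NOISE = {
    ("UDP", "17500"): "Dropbox LAN sync discovery",
    ("UDP", "137"): "NetBIOS name service",
    ("UDP", "138"): "NetBIOS datagram service",
}


def parse_aif_line(line):
    """Return a dict of fields for an AIF log line, or None if it is not one."""
    m = AIF_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    for key, value in KV_RE.findall(m.group("fields")):
        # netfilter prints LEN twice for UDP: IP total length, then UDP length.
        if key == "LEN" and "LEN" in rec:
            key = "UDP_LEN"
        rec[key] = value
    return rec


def is_ethernet_broadcast(rec):
    """The MAC field is dst MAC, src MAC, ethertype; a broadcast dst is all ff."""
    return rec.get("MAC", "").startswith("ff:ff:ff:ff:ff:ff:")


def classify(rec):
    """'noise:<reason>' for known broadcast chatter, otherwise 'review'."""
    key = (rec.get("PROTO"), rec.get("DPT"))
    if is_ethernet_broadcast(rec) and key in KNOWN_BROADCAST_NOISE:
        return "noise:" + KNOWN_BROADCAST_NOISE[key]
    return "review"


def triage(lines):
    """Count verdicts and collect the records that are not known noise."""
    counts = Counter()
    review = []
    for line in lines:
        rec = parse_aif_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        counts[verdict] += 1
        if verdict == "review":
            review.append(rec)
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOGS)
    for verdict, n in counts.items():
        print(f"{n:4d}  {verdict}")
    for rec in review:
        print("review:", rec["prefix"], rec["SRC"], "->", rec["DST"],
              rec["PROTO"], rec.get("DPT"))
```

Running it on the three sample lines files the Dropbox and NetBIOS broadcasts as noise and leaves only the unicast TCP/22 attempt for review, which is the kind of entry the last message argues DMZ-INPUT logging is worth keeping for. Extending KNOWN_BROADCAST_NOISE is the per-site equivalent of the port-specific DENY_UDP_NOLOG rule discussed earlier, without removing the log rule itself.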
