IPFW entries in /var/log/messages

Mächler Philippe pmaechler at glattwerk.ch
Tue Sep 18 08:30:45 PDT 2007


Hello Mel

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org 
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mel
> Sent: Tuesday, September 18, 2007 5:00 PM
> To: freebsd-questions at freebsd.org
> Subject: Re: IPFW entries in /var/log/messages
> 
> 
> On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > Hi Nikos
> >
> > Thanks for your reply.
> >
> > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > Since a few weeks/months we have the following entries in the
> > > > /var/log/messages logfile.
> > >
> > > []
> > >
> > > > [/var/log/messages]
> > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > Sep 18 10:31:35 ns2 kernel:
> > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 
> > > > 80.242.206.245:55041 80.242.192.81:53 in via bge0 Sep 18
> > >
> > > 10:58:14 ns2
> > >
> > > > kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53
> > >
> > > 80.242.204.85:65510
> > >
> > > > out via bge0
> > >
> > > I can think of two things.
> > >
> > > 1) Is anybody playing with logger(1)?
> > > e.g.
> > > logger -t kernel "Let's play with the administrator..."
> > > tail /var/log/messages
> >
> > I fear it's neither of the two things you mentioned
> >
> > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > And I believe that my workmates won't fool me with stuff like this :)
> >
> > > 2) Are these entries new? Are you sure that they refer
> > > to 2007-09? It can happen. Seeing a message from a year back.
> > > Especially on a low maintenance box.
> >
> > [2] These are actual entries. In the meantime I got a few new ones...
> > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP
> > 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP
> > 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > Sep 18 16:09:42 ns2 kernel: b
> > Sep 18 16:13:42 ns2 kernel:
> > Sep 18 16:23:14 ns2 kernel:
> > Sep 18 16:23:24 ns2 kernel: 8
> >
> > Sep 18 16:30:49 ns2 kernel:
> 
> These look like classic buffer corruptions, either that or you're logging
> part of the raw packet and bytes interpreted as non-printing chars like
> return and backspace mangle the output. Can you narrow it down to the one
> offending rule? Or is any logging by ipfw this mangled?
> 

I think I can narrow it down to the following rules but I'm not
sure because it's hard to "decode" the logfile :)

07600 55768608  3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0

07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0

08100  5664976   357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state

Hmm, I should change the "allow log" line into "allow" only. No
idea why I log every packet.

Philippe
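
Added example (not part of the original message or of ipfw itself): one way to tie mangled kernel lines in /var/log/messages back to the logging rule that produced them, by separating intact ipfw entries, damaged entries whose rule number is still readable, and bare fragments. The sample lines are constructed from the ones quoted in this thread, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE = """\
Sep 18 16:08:17 ns2 kernel: ipfw: 7600 Accept UDP 80.242.205.104:50113 80.242.192.81:53 in via bge0
Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
Sep 18 16:09:42 ns2 kernel: b
Sep 18 16:13:42 ns2 kernel:
Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
"""

# Syslog header for a kernel message: timestamp, host, then the body.
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) kernel: ?(.*)$")
# Body of an undamaged ipfw entry: rule, action, protocol, two endpoints, direction.
INTACT = re.compile(r"^ipfw: (\d+) (\w+) (\S+) \S+ \S+ (in|out) via (\S+)$")
# Rule number that can still be read out of a damaged entry.
SALVAGE = re.compile(r"ipfw: (\d+) ")

def classify(line):
    """Return (kind, rule); kind is intact, damaged, fragment or other."""
    m = HEADER.match(line)
    if not m:
        return ("other", None)
    body = m.group(3)
    hit = INTACT.match(body)
    if hit:
        return ("intact", int(hit.group(1)))
    hit = SALVAGE.search(body)
    if hit:
        # Leading junk such as a leftover "<110>" marker, but the rule survives.
        return ("damaged", int(hit.group(1)))
    return ("fragment", None)

def summarize(text):
    """Count lines per (kind, rule) so damaged output can be tied to a rule."""
    return Counter(classify(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for (kind, rule), n in sorted(summarize(SAMPLE).items(), key=str):
        print(f"{kind:9} rule={rule} count={n}")
```

Run against the real log, a rule that dominates the "damaged" rows while "fragment" lines cluster at the same timestamps is the first candidate for dropping the log keyword.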



