From: Kevin Oberman
To: Larry Rosenman
Cc: freebsd-current@freebsd.org
Date: Fri, 28 Oct 2011 21:16:28 -0700
Subject: Re: syslogd: Remote Logging busted?
On Fri, Oct 28, 2011 at 8:37 PM, Larry Rosenman wrote:
> On Fri, 28 Oct 2011, Kevin Oberman wrote:
>
>> On Fri, Oct 28, 2011 at 7:22 PM, Larry Rosenman wrote:
>>>
>>> I enabled remote logging for my home subnet, and syslogd doesn't seem(!)
>>> to be logging the messages.
>>>
>>> They ARE making it to the system.
>>>
>>> Can someone look at bin/162135 which has all the details, including
>>> tcpdump to show that the messages are making it to the system.
>>
>> Just to be clear, you are running tcpdump on borg, right? The
>> statement "This is from my Cable Modem:" confuses me a bit.
>
> Yes, the tcpdump is running on borg, and the source of the syslog packets
> is from my Cable Modem at 192.168.200.10.
>
> /etc/hosts.allow: [Comments elided]
> ALL : PARANOID : RFC931 20 : deny
> ALL : localhost 127.0.0.1 : allow
> ALL : [::1] : allow
> exim : localhost : allow
> exim : ALL : allow
> rpcbind : ALL : deny
> ypserv : localhost : allow
> ypserv : ALL : deny
> ftpd : localhost : allow
> ftpd : ALL : allow
> fingerd : ALL \
>         : spawn (echo Finger. | \
>          /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
>         : deny

Several superfluous rules, but I can't see anything that would block 514.

>> Assuming tcpdump is on borg, it is making it past any firewall (pf or
>> ipfw, at least). What about /etc/hosts.allow? I don't recall if it
>> filters before or after pcap sees packets. I used to have a diagram
>> showing the sequence of processing this, but I can't seem to find it
>> now.
>>
>> What does "netstat -af inet | grep syslog" show? Is syslogd actually
>> listening?
>
> the netstat output:
> udp4       0      0 *.syslog               *.*
>
> and sockstat | grep syslog:
> root     syslogd    65128 4  dgram  /var/run/log
> root     syslogd    65128 5  dgram  /var/run/logpriv
> root     syslogd    65128 6  udp6   *:514                 *:*
> root     syslogd    65128 7  udp4   *:514                 *:*

OK. I'm baffled! I can't see anything that looks wrong, but I'll think
about it a bit more.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
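An added example, not code from the thread or from FreeBSD: a small sh script that turns the two checks the thread walks through into something repeatable. It parses a sockstat(1) listing for the udp4 *:514 listener and evaluates a syslogd_flags string the way syslogd(8) documents -s, -ss and -a (FreeBSD's shipped default is "-s", which silently drops remote messages even though the socket is open). The sockstat sample is constructed from the lines quoted above; only exact-IP -a entries are matched, which is a stated limitation.

```shell
#!/bin/sh
# Added example, not from the thread. Flag semantics per syslogd(8):
#   -s   secure mode: remote messages are ignored
#   -ss  no network socket is opened at all
#   -a p accept messages from peer p; with no -a (and no -s) any host is accepted
# Assumption/limitation: only exact-IP -a entries are matched here; the
# net/mask and *.domain forms syslogd also understands are not evaluated.

# Usage: syslogd_remote_verdict "<syslogd_flags>" <sender-ip>
# Prints one of: no-socket, secure-mode, allowed, not-in-allow-list
syslogd_remote_verdict() {
    sender=$2
    s_count=0
    a_list=""
    set -- $1                       # word-split the flags string
    while [ $# -gt 0 ]; do
        case $1 in
            -ss) s_count=$((s_count + 2)) ;;
            -s)  s_count=$((s_count + 1)) ;;
            -a)  shift; a_list="$a_list $1" ;;
            -a*) a_list="$a_list ${1#-a}" ;;
        esac
        shift
    done
    if [ "$s_count" -ge 2 ]; then echo no-socket
    elif [ "$s_count" -eq 1 ]; then echo secure-mode
    elif [ -z "$a_list" ]; then echo allowed
    else
        for peer in $a_list; do
            [ "$peer" = "$sender" ] && { echo allowed; return 0; }
        done
        echo not-in-allow-list
    fi
}

# Usage: has_udp4_514_listener "<sockstat -4l output>"; status 0 if syslogd
# holds a udp4 socket on port 514 (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN)
has_udp4_514_listener() {
    printf '%s\n' "$1" | awk '$2 == "syslogd" && $5 == "udp4" && $6 ~ /:514$/ { found = 1 }
                              END { exit(found ? 0 : 1) }'
}

# Constructed sample, shaped like the sockstat lines quoted in the thread.
SAMPLE_SOCKSTAT='root     syslogd    65128 6  udp6   *:514                 *:*
root     syslogd    65128 7  udp4   *:514                 *:*'

# Demo: listener present, so the flags are the next thing to look at.
if has_udp4_514_listener "$SAMPLE_SOCKSTAT"; then
    echo "udp4 514 listener present; verdict for syslogd_flags=-s: $(syslogd_remote_verdict "-s" 192.168.200.10)"
fi
```

On a live FreeBSD host the inputs would come from `sockstat -4l` and `sysrc -n syslogd_flags`; a "secure-mode" verdict with packets visible in tcpdump is exactly the listening-but-not-logging picture the thread describes.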