From: Mächler Philippe <pmaechler@glattwerk.ch>
Delivered-To: freebsd-questions@freebsd.org
Date: Tue, 18 Sep 2007 17:30:43 +0200
Subject: RE: IPFW entries in /var/log/messages
Message-ID: <001001c7fa08$e04725f0$3202a8c0@glattwerk.local>
In-Reply-To: <200709181700.20668.fbsd.questions@rachie.is-a-geek.net>

Hello Mel

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mel
> Sent: Tuesday, September 18, 2007 5:00 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: IPFW entries in /var/log/messages
>
>
> On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > Hi Nikos
> >
> > Thanks for your reply.
> >
> > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > Since a few weeks/months we have the following entries in the
> > > > /var/log/messages logfile.
> > >
> > > []
> > >
> > > > [/var/log/messages]
> > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > Sep 18 10:31:35 ns2 kernel:
> > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
> > >
> > > I can think of two things.
> > >
> > > 1) Is anybody playing with logger(1)?
> > > e.g.
> > > logger -t kernel "Let's play with the administrator..."
> > > tail /var/log/messages
> >
> > I fear it's neither of the two things you mentioned.
> >
> > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > And I believe that my workmates won't fool me with stuff like this :)
> >
> > > 2) Are these entries new? Are you sure that they refer to 2007-09?
> > > It can happen. Seeing a message from a year back.
> > > Especially on a low maintenance box.
> >
> > [2] These are actual entries. In the meantime I got a few new ones...
> > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > Sep 18 16:09:42 ns2 kernel: b
> > Sep 18 16:13:42 ns2 kernel:
> > Sep 18 16:23:14 ns2 kernel:
> > Sep 18 16:23:24 ns2 kernel: 8
> >
> > Sep 18 16:30:49 ns2 kernel:
>
> These look like classic buffer corruptions, either that or you're logging
> part of the raw packet and bytes interpreted as non-printing chars like
> return and backspace mangle the output. Can you narrow it down to the one
> offending rule?
> Or is any logging by ipfw this mangled?
>

I think I can narrow it down to the following rules, but I'm not sure because it's hard to "decode" the logfile :)

07600 55768608 3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0
07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0
08100 5664976 357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state

Hmm, I should change the "allow log" line into "allow" only. No idea why I log every packet.

Philippe
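The two things the thread is trying to do by eye, spot which /var/log/messages entries are damaged and work out which ipfw rule produced them, can be done mechanically. The following is an added example, not code posted by anyone in the thread: a small Python checker that parses syslog lines of the shape FreeBSD syslogd writes, flags a kernel-tagged record that carries control bytes, a doubled or broken `<N>` priority prefix (the `<<110>ipfw:`, `<11<110>ipfw:` and `0>ipfw:` forms quoted above), or only a fragment of an ipfw record, and still pulls the rule number and 5-tuple out of records whose prefix is damaged so the rules involved can be listed. The sample log lines are constructed for this example, modelled on the ones quoted in the thread; the function names and the "fragment" heuristics are this example's own choices, not anything from ipfw or syslogd.

```python
# Added example (not from the mailing-list thread): a checker for the damaged
# ipfw records discussed there, run over constructed sample lines.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Mon DD HH:MM:SS host tag: message", the layout FreeBSD syslogd writes.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): ?(?P<msg>.*)$"
)

# An intact ipfw log record; ports are optional so ICMP records match too.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass
class Finding:
    line: str
    problems: List[str] = field(default_factory=list)
    ipfw: Optional[Dict[str, Optional[str]]] = None


def has_malformed_priority(msg: str) -> bool:
    """True when the text before the tag is not a single well-formed <N> prefix.

    A kernel message may legitimately start with one "<N>" syslog priority;
    "<<110>ipfw:", "<11<110>ipfw:" and "0>ipfw:" are damaged copies of it.
    """
    rest = re.sub(r"^<\d{1,3}>", "", msg, count=1)
    return re.match(r"^[^A-Za-z]*[<>]", rest) is not None


def parse_ipfw(msg: str) -> Optional[Dict[str, Optional[str]]]:
    """Rule number and 5-tuple of an ipfw record, even if its prefix is damaged."""
    m = IPFW_RE.search(msg)
    return m.groupdict() if m else None


def inspect_line(line: str) -> Finding:
    m = SYSLOG_RE.match(line)
    if not m:
        return Finding(line, ["unparseable syslog line"])
    msg = m.group("msg")
    f = Finding(line, [], parse_ipfw(msg))
    # Backspace, CR and similar bytes in the text are the "non-printing chars"
    # Mel suspects; they are not part of any ipfw record.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in msg):
        f.problems.append("control bytes")
    if has_malformed_priority(msg):
        f.problems.append("malformed priority prefix")
    # A kernel-tagged line that is empty, very short, or mentions ipfw
    # vocabulary without forming a whole record is a truncated record
    # (heuristic chosen for this example).
    if m.group("tag") == "kernel" and f.ipfw is None:
        if not msg.strip():
            f.problems.append("empty kernel message")
        elif len(msg) < 8 or any(w in msg for w in ("via ", "Accept", "Deny", "ipfw")):
            f.problems.append("truncated ipfw fragment")
    return f


def suspect_rules(findings: List[Finding]) -> set:
    """Rule numbers seen in damaged records: the rules to look at first."""
    return {f.ipfw["rule"] for f in findings if f.problems and f.ipfw}


# Constructed sample in the shape of the thread's lines; the last one carries a
# literal backspace byte to exercise the control-byte case.
SAMPLE_LOG = [
    "Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0",
    "Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0",
    "Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0",
    "Sep 18 10:31:35 ns2 kernel:",
    "Sep 18 10:58:05 ns2 kernel: 80",
    "Sep 18 11:00:00 ns2 kernel: <110>ipfw: 7600 Accept UDP 192.0.2.10:40000 80.242.192.81:53 in via bge0",
    "Sep 18 11:00:01 ns2 kernel: ipfw: 7600 Accept UDP 192.0.2.11:40001\x08 80.242.192.81:53 in via bge0",
]


def report(lines: List[str]) -> List[Finding]:
    findings = [inspect_line(line) for line in lines]
    for f in findings:
        if f.problems:
            print(f"{', '.join(f.problems):40} {f.line!r}")
    print("rules in damaged records:", sorted(suspect_rules(findings)))
    return findings


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a real file with `report(open("/var/log/messages", errors="replace").read().splitlines())`; the rule numbers it prints are the candidates to check in `ipfw show`. Note that the checker only classifies damage, it cannot tell a corrupted kernel buffer from a line written with `logger -t kernel`, because syslogd gives both the same `kernel:` tag. If the per-packet logging itself is the problem, ipfw(8) also lets a rule keep `log` while bounding its volume with `log logamount N` (or the global `net.inet.ip.fw.verbose_limit` sysctl), which is a smaller change than dropping `log` altogether.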