From: Mel
To: freebsd-questions@freebsd.org
Date: Tue, 18 Sep 2007 19:03:38 +0200
Subject: Re: IPFW entries in /var/log/messages
In-Reply-To: <001001c7fa08$e04725f0$3202a8c0@glattwerk.local>
Message-Id: <200709181903.40189.fbsd.questions@rachie.is-a-geek.net>

On Tuesday 18 September 2007 17:30:43 Mächler Philippe wrote:
> Hello Mel
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mel
> > Sent: Tuesday, September 18, 2007 5:00 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: IPFW entries in /var/log/messages
> >
> > On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > > Hi Nikos
> > >
> > > Thanks for your reply.
> > >
> > > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > > Since a few weeks/months we have the following entries in the
> > > > > /var/log/messages logfile.
> > > >
> > > > []
> > > >
> > > > > [/var/log/messages]
> > > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > > Sep 18 10:31:35 ns2 kernel:
> > > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
> > > >
> > > > I can think of two things.
> > > >
> > > > 1) Is anybody playing with logger(1)?
> > > > e.g.
> > > > logger -t kernel "Let's play with the administrator..."
> > > > tail /var/log/messages
> > >
> > > I fear it's neither of the two things you mentioned.
> > >
> > > [1] /var/log/auth.log does not show an external nor an abnormal login.
> > > And I believe that my workmates won't fool me with stuff like this :)
> > >
> > > > 2) Are these entries new? Are you sure that they refer to 2007-09?
> > > > It can happen. Seeing a message from a year back. Especially on a
> > > > low maintenance box.
> > >
> > > [2] These are actual entries. In the meantime I got a few new ones...
> > > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > > Sep 18 16:09:42 ns2 kernel: b
> > > Sep 18 16:13:42 ns2 kernel:
> > > Sep 18 16:23:14 ns2 kernel:
> > > Sep 18 16:23:24 ns2 kernel: 8
> > > Sep 18 16:30:49 ns2 kernel:
> >
> > These look like classic buffer corruptions; either that, or you're logging
> > part of the raw packet and bytes interpreted as non-printing chars like
> > return and backspace mangle the output. Can you narrow it down to the one
> > offending rule? Or is any logging by ipfw this mangled?
>
> I think I can narrow it down to the following rules, but I'm not sure
> because it's hard to "decode" the logfile :)
>
> 07600 55768608 3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0
> 07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0
> 08100 5664976 357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state
>
> Hmm, I should change the "allow log" line into "allow" only. No idea why I
> log every packet.

These look like pretty normal rules, as in they should not create faulty logs.
Depending on how hammered your server gets, it could be that information is
lost by syslog. Either way I'd file a PR and/or migrate to pf and see if
logging information is still lost (pf doesn't use syslog).

-- 
Mel
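As an added example (not from this thread or from FreeBSD itself), a small Python checker that sorts `kernel:` lines from /var/log/messages into well-formed ipfw entries and mangled ones, naming the damage: a leaked syslog `<PRI>` prefix, an empty message, control characters, or a stray fragment. The sample lines are constructed from the entries quoted above plus one clean entry; the `110` in the leaked prefix decodes to facility 13 (LOG_SECURITY on FreeBSD) and severity 6 (info), which is the prefix kernel log messages carry and syslogd normally strips.

```python
import re

# Constructed sample: the mangled lines quoted in the thread plus one clean entry.
SAMPLE_LOG = """\
Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
Sep 18 10:31:35 ns2 kernel:
Sep 18 10:58:05 ns2 kernel: 80
Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP 80.242.206.245:55041 80.242.192.81:53 in via bge0
Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.204.85:65510 out via bge0
Sep 18 10:58:15 ns2 kernel: ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:09:42 ns2 kernel: b
"""

# BSD syslog line from the kernel; the message part may be empty on a mangled entry.
SYSLOG_LINE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ?(?P<msg>.*)$")
# The ipfw log format seen in the thread: "ipfw: RULE ACTION PROTO SRC DST in|out via IFACE".
IPFW_MSG = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$")
# A syslog <PRI> prefix (possibly with doubled '<') that syslogd should have consumed.
PRI_TAG = re.compile(r"^<*(\d{1,3})>")


def classify(line):
    """Return ('ok', fields) for a well-formed ipfw entry, else ('mangled', reason)."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return ("mangled", "not a syslog kernel line")
    msg = m.group("msg")
    if not msg:
        return ("mangled", "empty kernel message")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in msg):
        return ("mangled", "control characters in message")
    f = IPFW_MSG.match(msg)
    if f:
        return ("ok", f.groupdict())
    p = PRI_TAG.match(msg)
    if p:
        pri = int(p.group(1))  # PRI = facility * 8 + severity
        return ("mangled", f"leaked syslog PRI tag {pri} (facility {pri // 8}, severity {pri % 8})")
    return ("mangled", "truncated fragment")


def summarize(text):
    """Count ok vs. mangled lines and tally the reasons, for a quick health check of the log."""
    counts = {"ok": 0, "mangled": 0}
    reasons = {}
    for line in text.splitlines():
        kind, detail = classify(line)
        counts[kind] += 1
        if kind == "mangled":
            reasons[detail] = reasons.get(detail, 0) + 1
    return counts, reasons
```

Run `summarize(open("/var/log/messages").read())` on a real file to see whether only ipfw rule output is affected or every kernel line is, which is the question Mel asks above.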