[Tfug] Muting Firewall Kernel Log Messages

Bexley Hall bexley401 at yahoo.com
Mon Oct 22 01:43:48 MST 2012


Hi John,

On 10/22/2012 1:14 AM, John Gruenenfelder wrote:
> Until recently I did not have any sort of firewall on my laptop, even
> an extremely basic one.  I didn't think it was particularly important
> since I am not running anything that can be remotely accessed except
> SSH.  For completeness' sake, though, I decided to install the Debian
> uif package which makes creating even a moderately complex firewall
> very easy.  My needs were simpler still, so setting it up wasn't a
> problem.
>
> Now, however, just having *a* firewall in place results in a number of
> additional issues being logged.  In particular, I seem to get the
> following at a rate of perhaps 15-20 per hour, with at least 95% on
> port 443 and the remainder on port 80:
>
> [160984.126015] FW INVALID STATE: IN=wlan0 OUT= MAC=wlan0-MAC-addr
> SRC=74.125.224.164 DST=192.168.1.130 LEN=40 TOS=0x00 PREC=0x00 TTL=55
> ID=52826 PROTO=TCP SPT=443 DPT=36285 WINDOW=0 RES=0x00 RST URGP=0
>
> I'm not entirely sure what is causing this, but the only port 443
> connection that I have up virtually all the time is a browser tab for
> GMail. Looking at the SRC addresses shows that they come from a number
> of locations.  Usually the same SRC will cause several messages in a
> row, then another IP for a few messages, then another, and so on.

I suspect something probing your host to see if you have a web
service (http/https) running.  I noticed that when I used to
post to USENET, a google server would routinely take a poke
*back* at me shortly after each post.  I.e., reading my posts,
extracting my "from" host, user name, etc. and then looking
around on that host for "common" locations for "my" web pages
(which were never found because I published from an atypical
URL  :> )

> I'm not really concerned about this, rather I'm more interested, as
> the subject says, in finding a method to mute these things.  I often
> peer at the 'dmesg' output looking for various actual errors or status
> messages and these things are clogging up the output.
>
> Any ideas on how to mute them, or ideas on how to actually correct
> what is causing them so they go away in the "proper" manner?  Thanks!

If you are sure you want to silence them, perhaps adjust the "loglevel"
parameter?

Do you know what "facility" it is logging as?  If so, you can
possibly route those messages to some *other* log file to keep
them out of your hair -- yet leave them available for scrutiny
should you ever need to do so.

E.g., I run with a separate log file for each facility (set to
a very verbose level but newsyslog.conf(5) configured to compress
and turn them over frequently).  I also run a separate log file
for each log *level* (with the same newsyslog.conf caveat).  So,
I can quickly look at all ".emerg" messages (regardless of
facility) *or* all "auth" messages (regardless of severity).

[All this in addition to the normal "nominal" logging]

HTH,
--don
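As an added example (my own, not code from this thread, from uif, or from any syslog package), here is a small Python triage script for the kind of netfilter LOG lines John quoted. It parses the dmesg format ("[ts] PREFIX: IN=... key=value ... FLAGS ..."), tags the specific pattern in his sample line (a TCP RST with WINDOW=0 from port 443 or 80 to a high local port) with a label of my choosing, "web-port-rst", and keeps everything else, so the counts show who is sending what before anything is silenced. The sample dmesg text is constructed for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Constructed sample dmesg output: three hits in the shape John quoted, one
# unrelated SYN to the SSH port, and one non-firewall kernel message.
SAMPLE_DMESG = """\
[160984.126015] FW INVALID STATE: IN=wlan0 OUT= MAC=00:16:ea:aa:bb:cc:00:1e:58:dd:ee:ff:08:00 SRC=74.125.224.164 DST=192.168.1.130 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=52826 PROTO=TCP SPT=443 DPT=36285 WINDOW=0 RES=0x00 RST URGP=0
[160990.004100] FW INVALID STATE: IN=wlan0 OUT= MAC=00:16:ea:aa:bb:cc:00:1e:58:dd:ee:ff:08:00 SRC=74.125.224.164 DST=192.168.1.130 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=52830 PROTO=TCP SPT=443 DPT=36285 WINDOW=0 RES=0x00 RST URGP=0
[161002.771234] FW INVALID STATE: IN=wlan0 OUT= MAC=00:16:ea:aa:bb:cc:00:1e:58:dd:ee:ff:08:00 SRC=203.0.113.9 DST=192.168.1.130 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=80 DPT=41000 WINDOW=0 RES=0x00 RST URGP=0
[161010.000001] FW INVALID STATE: IN=wlan0 OUT= MAC=00:16:ea:aa:bb:cc:00:1e:58:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=TCP SPT=54321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[161011.000001] usb 1-1: new high-speed USB device number 3 using ehci_hcd
"""

# netfilter LOG lines as they appear in dmesg: timestamp, the --log-prefix
# text, then space-separated key=value fields with bare TCP flag names mixed in.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<prefix>.*?):\s+(?P<kv>IN=.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")
WEB_PORTS = {80, 443}


def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for any other kernel message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("kv").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val  # "OUT=" keeps an empty value: no output interface on INPUT
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    for key in INT_FIELDS:
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def classify(rec):
    """'web-port-rst' is my label for the pattern in John's sample line: a TCP RST,
    zero window, from port 443/80 to a high local port.  Anything else is 'other'
    (e.g. a SYN to sshd) and should stay visible."""
    if (rec.get("PROTO") == "TCP" and "RST" in rec["flags"]
            and rec.get("WINDOW") == 0 and rec.get("SPT") in WEB_PORTS
            and rec.get("DPT", 0) >= 1024):
        return "web-port-rst"
    return "other"


def summarize(dmesg_text):
    """Count firewall hits by (class, SRC, SPT): one glance shows who sends what."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(classify(rec), rec.get("SRC"), rec.get("SPT"))] += 1
    return counts


def mute(dmesg_text, muted_classes=("web-port-rst",)):
    """Return the dmesg lines with the muted classes dropped; non-firewall
    messages and 'other' firewall hits are kept."""
    kept = []
    for line in dmesg_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec) in muted_classes:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for (kind, src, spt), n in sorted(summarize(SAMPLE_DMESG).items()):
        print(f"{n:4d}  {kind:13s} SRC={src} SPT={spt}")
    print("--- dmesg with web-port RSTs muted ---")
    print("\n".join(mute(SAMPLE_DMESG)))
```

Pipe real output in with `dmesg | python3 fwtriage.py` after swapping the sample text for `sys.stdin.read()`. The split into "muted" and "kept" lines is the same idea as Don's separate-file-per-facility setup: the noisy class goes somewhere you can still grep, while the hits you actually care about (a SYN to port 22 from an address you do not know) stay in front of you.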



