kern (iptable) logs cut off
Greetings,

This is on a RedHat 7.3 Box.

We were using the latest syslog-ng rpm from redhat and we noticed that upon migration from syslogd to syslog-ng our iptable logs were getting mangled.

Here is an excerpt from syslogd logging of iptables (/var/log/messages):

Aug 7 23:41:47 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.217.37 DST=134.129.212.30 LEN=240 TOS=0x00 PREC=0x00 TTL=127 ID=13570 PROTO=UDP SPT=138 DPT=138 LEN=220
Aug 7 23:41:48 smack kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10095 DF PROTO=TCP SPT=4997 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
Aug 7 23:41:48 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=12752 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13008 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 7 23:41:49 smack kernel: IPTABLES UDP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.220.175 DST=134.129.212.30 LEN=78 TOS=0x00 PREC=0x00 TTL=127 ID=13264 PROTO=UDP SPT=137 DPT=137 LEN=58

Very nice as you can see.
Now, we would love to use syslog-ng but this is from syslog-ng (/var/log/kern):

Aug 7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:
Aug 7 23:38:17 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
Aug 7 23:38:19 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:
Aug 7 23:38:20 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=24.220.215.146 DST=134.129.212.30 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=20216 DF PROTO=TCP SPT=2406 DPT=53 WINDOW=2144 RES=0x00 SYN URGP=0
Aug 7 23:38:20 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=
Aug 7 23:38:23 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=5 ID=6179 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=17
Aug 7 23:38:23 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=
Aug 7 23:38:24 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:
Aug 7 23:38:25 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=6213 DF PROTO=TCP SPT=1030 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0
Aug 7 23:38:25 smack IPTABLES ICMP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=192.36.148.20 DST=134.129.212.30 LEN=52 TOS=0x00 PREC=0x00 TTL=243 ID=6479 PROTO=ICMP TYPE=8 CODE=0 ID=22608 SEQ=255

At the same time I find this!!! Could this be the other part of what's missing above?
[root@smack log]# tail -f user
Aug 7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 7 23:42:37 smack C=UDPT=1
Aug 7 23:42:39 smack 0TL=127 I5998 PROTO=UDP SPT=137 DPT=137 L8
Aug 7 23:42:43 smack 0 PREC=0 TTL=127 ID=18027 PROTO=UDP SPT=17 D37 N=
Aug 7 23:42:57 smack =x00L=127D=1826 PROTO=UDP SPT=137 DPT=137N=
Aug 7 23:43:05 smack =0x00 TTL7 I14 DF
Aug 7 23:43:22 smack O=TCP SPT=4481 DPT=53 WINDOW=16384 RES=0x00 SYN U
Aug 7 23:43:24 smack LEN=78 =0x00 PREC=0x00 TTL=127 ID=21968 PROTDP SPT=137 DPT=137 LEN=58
Aug 7 23:43:28 smack T=138 DPT
Aug 7 23:43:31 smack T53 W

Not to mention some other output going to /var/log/bootup. This output consists of iptable startup information...

I have tried every combo of syslog-ng klogd imaginable. I have tried to tinker with the global src using pipes and files for the kernel logging but that got nowhere... Same results.

This is experienced using:
libol-0.3.3
syslog-ng-1.5.19
syslog-ng-1.5.17-1.i386.rpm

The command dmesg gives nice iptables output. So I know it is not iptables' fault. Iptables is configured to log at level 5 for normal dropped packets and log level 5 for other more serious packets.

Below is my syslog-ng.conf file.

Thank you for any help!!! I need to work on the firewall and it is hard with no logs.. :(

Thanks again,
Caylan Van Larson

--SNIP Here is my syslog-ng.conf:

# This file should be compatible with the out-of-the-box
# /etc/syslog.conf on Red Hat Linux

# global options
#
options { use_dns(yes); use_fqdn(no); use_time_recvd(no); chain_hostnames(no); mark(0); sync(0); };

# sources
#
source s_all { internal(); unix-stream("/dev/log"); file("/proc/kmsg"); };

# facility filters
#
filter f_authpriv { facility(authpriv); };
filter f_auth { facility(auth); };
filter f_boot { facility(local7); };
filter f_2511 { facility(local5); };
filter f_6509-1-log { facility(local4); };
filter f_6509-2-log { facility(local3); };
filter f_cron { facility(cron); };
filter f_kern { facility(kern); };
filter f_user { facility(user); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_daemon { facility(daemon); };
filter f_messages { priority(info..emerg) and not facility(mail, news, authpriv, cron, local1, local2, local3, local4, local5, local6); };
filter f_news { facility(news); };

# priority filters
#
filter f_emerg { priority(emerg); };
filter f_crit { priority(crit..emerg); };
filter f_crit_only { priority(crit); };
filter f_err { priority(err..emerg); };
filter f_err_only { priority(err); };
filter f_warn { priority(warning..emerg); };
filter f_notice { priority(notice..emerg); };
filter f_info { priority(info..emerg); };
filter f_debug { priority(debug..emerg); };

# host filters
#
filter f_smack { host(smack); };

# destination filters
#
# *network*
destination d_tcp { tcp("134.129.212.33"); };
destination d_udp { udp("134.129.212.33"); };
# *everyone*
destination d_all { usertty("*"); };
# *console*
destination d_console { file("/dev/console"); };
# *boot*
destination d_smacboot { file("/var/log/bootlog"); };
# *cron*
destination d_smaccron { file("/var/log/cron"); };
# *mail*
destination d_smacmail { file("/var/log/maillog"); };
# *messages*
destination d_smacmsg { file("/var/log/messages"); };
# *secure (auth & authpriv)*
destination d_smacsec { file("/var/log/secure"); };
# *user*
destination d_smacuser { file("/var/log/user"); };
# *kern*
destination d_smackern { file("/var/log/kern"); };
# *daemon*
destination d_smacdaemon { file("/var/log/daemon"); };
# *spool (lpr)*
destination d_smacspool { file("/var/log/spooler"); };

# Everyone gets emergency messages
log { source(s_all); filter(f_emerg); destination(d_all); };

# Log messages from Smack
log { source(s_all); filter(f_cron); filter(f_debug); filter(f_smack); destination(d_smaccron); destination(d_tcp); };
log { source(s_all); filter(f_authpriv); filter(f_debug); filter(f_smack); destination(d_smacsec); destination(d_tcp); };
log { source(s_all); filter(f_mail); filter(f_warn); filter(f_smack); destination(d_smacmail); destination(d_tcp); };
log { source(s_all); filter(f_boot); filter(f_debug); filter(f_smack); destination(d_smacboot); destination(d_tcp); };

# fw-iptables logs at NOTICE <5> (fragments/unknown protocols) and INFO <6> (known udp/tcp/icmp)
# This line will log ALL of kern locally
log { source(s_all); filter(f_kern); filter(f_messages); filter(f_debug); filter(f_smack); destination(d_smackern); };
# This line will only remotely log NOTICE <5> and above (5,4,3,2,1,0)
log { source(s_all); filter(f_kern); filter(f_messages); filter(f_notice); filter(f_smack); destination(d_tcp); };

log { source(s_all); filter(f_user); filter(f_debug); filter(f_smack); destination(d_smacuser); destination(d_tcp); };
log { source(s_all); filter(f_lpr); filter(f_debug); filter(f_smack); destination(d_smacspool); destination(d_tcp); };
log { source(s_all); filter(f_daemon); filter(f_notice); filter(f_smack); destination(d_smacdaemon); destination(d_tcp); };
--SNAP

Whew Thanks,

Caylan Van Larson
Unix Administrator - Systems Team Member
University of North Dakota (Aerospace College)
caylan@cs.und.edu
701-777-6151 (work)
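An added example, not part of the thread or of syslog-ng: a small Python checker that parses netfilter LOG lines of the shape shown in the post into key=value fields and flags the two failure modes visible above, lines that keep their IPTABLES prefix but lose their tail (cut off inside MAC=, fields missing) and headless tails with no prefix at all (what surfaced in /var/log/user). The field names and the sample lines are taken from the post; treating a non-"ok" line as a gap in the firewall audit trail is the checker's own policy.

```python
import re

# Fields the netfilter LOG target writes for every packet, before the protocol part.
REQUIRED = ("IN", "OUT", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID", "PROTO")
# Protocol-specific fields, as seen in the TCP/UDP/ICMP lines in the post.
PER_PROTO = {"TCP": ("SPT", "DPT", "WINDOW", "RES", "URGP"),
             "UDP": ("SPT", "DPT"),
             "ICMP": ("TYPE", "CODE")}
# "Mon d HH:MM:SS host [kernel: ]body"; syslogd adds the "kernel:" tag, syslog-ng here does not.
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) (?:kernel: )?(.*)$")
KV = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (host, log_prefix, fields) or None if the line is not syslog shaped."""
    m = SYSLOG.match(line)
    if not m:
        return None
    host, body = m.groups()
    first = KV.search(body)
    # Text before the first key=value is the LOG prefix, e.g. "IPTABLES UDP-IN:".
    prefix = body[:first.start()].strip() if first else body.strip()
    fields = {}
    for key, val in KV.findall(body):
        fields.setdefault(key, val)  # LEN occurs twice (IP, then UDP): keep the IP one
    return host, prefix, fields

def classify(line):
    """'ok' = complete; 'truncated' = prefix present but tail lost;
    'fragment' = a tail with no prefix (the lines that landed in /var/log/user)."""
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    _, prefix, f = parsed
    if not prefix.startswith("IPTABLES"):
        return "fragment"
    missing = [k for k in REQUIRED if k not in f]
    mac = f.get("MAC")
    # A complete MAC= value is dst(6) + src(6) + ethertype(2) = 14 colon-separated octets.
    if mac is not None and len(mac.split(":")) != 14:
        missing.append("MAC")
    missing += [k for k in PER_PROTO.get(f.get("PROTO"), ()) if k not in f]
    return "ok" if not missing else "truncated"

def audit(lines):
    """Count lines per class; anything other than 'ok' is a gap in the firewall audit trail."""
    counts = {}
    for line in lines:
        cls = classify(line)
        counts[cls] = counts.get(cls, 0) + 1
    return counts

# Sample lines quoted from the post: one complete, two cut off, two headless tails.
SAMPLE = [
    "Aug 7 23:41:48 smack kernel: IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:03:47:4e:32:44:00:05:01:fb:e3:fc:08:00 SRC=134.129.201.29 DST=134.129.212.30 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=10095 DF PROTO=TCP SPT=4997 DPT=53 WINDOW=32120 RES=0x00 SYN URGP=0",
    "Aug 7 23:38:17 smack IPTABLES TCP-IN: IN=eth1 OUT= MAC=00:",
    "Aug 7 23:38:23 smack IPTABLES UDP-IN: IN=eth1 OUT= MAC=",
    "Aug 7 23:42:26 smack TO=0x00 PREC=0x00 TTL=127 ID=14587 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Aug 7 23:43:28 smack T=138 DPT",
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'ok': 1, 'truncated': 2, 'fragment': 2}
```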
What are you using for your match statement for iptables? I use match("IN=") with no problem.

----- Original Message -----
From: "Caylan Van Larson" <caylan@cs.und.edu>
To: <syslog-ng@lists.balabit.hu>
Sent: Wednesday, August 07, 2002 10:03 PM
Subject: [syslog-ng]kern (iptable) logs cut off
On Thu, Aug 08, 2002 at 12:03:59AM -0500, Caylan Van Larson wrote:
Thanks for the report. Others have also reported message mangling, but so far I was not able to reproduce it. I'll try to fix this ASAP. (and this time I really mean it ;)

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1