[Fedora-infrastructure-list] epylog reports

Luke Macken lmacken at redhat.com
Tue Oct 17 15:41:52 UTC 2006


On Tue, Oct 17, 2006 at 08:26:26AM -0500, Mike McGrath wrote:
> On 10/17/06, seth vidal <skvidal at linux.duke.edu> wrote:
> >Hey guys,
> > I've been somewhat annoyed by the reports we've been getting. Is there
> >a compelling reason why we need to have invalid connection attempts to
> >proxy* logged? Why don't we just remove the -J LOG call and REJECT the
> >connection normally?
> >
> >We're not going to DO anything about the connection so why not decrease
> >the garbage that we see in the log reports?
> >
> >-sv
> >
> 
> Fine with me, Luke what do you think?

Yeah, that noise definitely needs to stop.  I'll poke around at the
pyroman configs later tonight and see if I can stop that.

For future reference, all of our firewall configurations are in
'fedora-config/files/DEFAULT/etc/pyroman', and the logging in particular
is 04_log.py.  So feel free to fix up any problems that you see.

This is the chain that is causing the ruckus:

    ## Log dropped packets in a nicer format
    add_chain("USR_drop")
    for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID", "SNAT", "DNAT"):
        iptables("USR_drop", "-m conntrack --ctstate %s -m limit --limit %s --limit-burst %s -j LOG --log-prefix \"CONN=%s \"" % (state, LOGLIMIT, LOGLIMITBURST, state))
    iptables("USR_drop", "-j DROP")

I guess the question is, what *do* we want to log?

luke
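
One way to make the logging in the chain above opt-in per conntrack state, as an added example that is not part of the original message or of the Fedora configuration. The `add_chain`/`iptables` definitions here are stand-ins that only record rules so the block runs without pyroman, the `LOGLIMIT`/`LOGLIMITBURST` values are constructed, `build_usr_drop` and `rules_for` are hypothetical names, and logging only `INVALID` is an illustrative choice.

```python
# Stand-ins for pyroman's add_chain()/iptables() helpers so this runs without
# pyroman installed; they only record what would be emitted.
RULES = []

def add_chain(name):
    RULES.append(("chain", name))

def iptables(chain, rule):
    RULES.append((chain, rule))

# Constructed sample values; the real LOGLIMIT/LOGLIMITBURST are set elsewhere
# in the pyroman configuration and are not shown in the post.
LOGLIMIT = "3/minute"
LOGLIMITBURST = 5

ALL_STATES = ("NEW", "ESTABLISHED", "RELATED", "INVALID", "SNAT", "DNAT")

def build_usr_drop(log_states):
    """Create USR_drop, logging only the conntrack states in log_states."""
    unknown = set(log_states) - set(ALL_STATES)
    if unknown:
        raise ValueError("unknown conntrack state(s): %s"
                         % ", ".join(sorted(unknown)))
    add_chain("USR_drop")
    for state in ALL_STATES:
        if state not in log_states:
            continue  # still dropped by the final rule, just without a log line
        iptables("USR_drop",
                 "-m conntrack --ctstate %s -m limit --limit %s "
                 "--limit-burst %s -j LOG --log-prefix \"CONN=%s \""
                 % (state, LOGLIMIT, LOGLIMITBURST, state))
    # Every packet reaching the chain is dropped, logged or not.
    iptables("USR_drop", "-j DROP")

def rules_for(log_states):
    """Return the rule strings build_usr_drop() would emit, for inspection."""
    del RULES[:]
    build_usr_drop(log_states)
    return [rule for chain, rule in RULES if chain == "USR_drop"]

if __name__ == "__main__":
    # Illustrative choice: keep log lines for INVALID only.
    for rule in rules_for(("INVALID",)):
        print(rule)
```

Passing an empty tuple leaves only the final `-j DROP`, so the chain keeps dropping traffic while producing no log lines for the epylog reports.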



