IPFW entries in /var/log/messages

Mel fbsd.questions at rachie.is-a-geek.net
Tue Sep 18 10:03:43 PDT 2007


On Tuesday 18 September 2007 17:30:43 Mächler Philippe wrote:
> Hello Mel
>
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mel
> > Sent: Tuesday, September 18, 2007 5:00 PM
> > To: freebsd-questions at freebsd.org
> > Subject: Re: IPFW entries in /var/log/messages
> >
> > On Tuesday 18 September 2007 16:38:13 Mächler Philippe wrote:
> > > Hi Nikos
> > >
> > > Thanks for your reply.
> > >
> > > > On Tuesday 18 September 2007 16:05, Mächler Philippe wrote:
> > > > > Since a few weeks/months we have the following entries in the
> > > > > /var/log/messages logfile.
> > > >
> > > > []
> > > >
> > > > > [/var/log/messages]
> > > > > Sep 18 10:23:03 ns2 kernel: .11:2438 out via bge0
> > > > > Sep 18 10:31:35 ns2 kernel:
> > > > > Sep 18 10:58:05 ns2 kernel: 80
> > > > > Sep 18 10:58:14 ns2 kernel: <<110>ipfw: 7600 Accept UDP
> > > > > 80.242.206.245:55041 80.242.192.81:53 in via bge0
> > > > > Sep 18 10:58:14 ns2 kernel: 110>ipfw: 7700 Accept UDP 80.242.192.81:53
> > > > > 80.242.204.85:65510 out via bge0
> > > >
> > > > I can think of two things.
> > > >
> > > > 1) Is anybody playing with logger(1)?
> > > > e.g.
> > > > logger -t kernel "Let's play with the administrator..."
> > > > tail /var/log/messages
> > >
> > > I fear it's neither of the two things you mentioned.
> > >
> > > [1] /var/log/auth.log shows neither an external nor an abnormal login.
> > >
> > > And I believe that my workmates won't fool me with stuff like this :)
>
> > > > 2) Are these entries new? Are you sure that they refer
> > > > to 2007-09? It can happen. Seeing a message from a year back.
> > > > Especially on a low-maintenance box.
> > >
> > > [2] These are actual entries. In the meantime I got a few new ones...
> >
> > > Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP
> > > 80.242.205.104:50114 80.242.192.81:53 in via bge0
> > > Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP
> > > 80.242.192.81:53 80.242.205.104:50111 out via bge0
> > > Sep 18 16:09:42 ns2 kernel: b
> > > Sep 18 16:13:42 ns2 kernel:
> > > Sep 18 16:23:14 ns2 kernel:
> > > Sep 18 16:23:24 ns2 kernel: 8
> > >
> > > Sep 18 16:30:49 ns2 kernel:
> >
> > These look like classic buffer corruptions, either that or you're logging
> > part of the raw packet and bytes interpreted as non-printing chars like
> > return and backspace mangle the output. Can you narrow it down to the one
> > offending rule? Or is any logging by ipfw this mangled?
>
> I think I can narrow it down to the following rules, but I'm not
> sure because it's hard to "decode" the logfile :)
>
> 07600 55768608  3753625157 allow log udp from any to 80.242.192.81 dst-port 53 in recv bge0
>
> 07700 55329253 10858026114 allow log udp from 80.242.192.81 53 to any out xmit bge0
>
> 08100  5664976   357403678 allow log icmp from any to 80.242.192.81 icmptypes 0,3,8,11 in recv bge0 keep-state
>
> Hmm, I should change the "allow log" lines into "allow" only. No
> idea why I log every packet.

These look like pretty normal rules, as in they should not create faulty logs.
Depending on how hammered your server gets, it could be that information is lost
by syslog; either way I'd file a PR and/or migrate to pf and see if logging
information is still lost (pf doesn't use syslog).


-- 
Mel
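As an added example (not part of this thread or of ipfw itself), a small Python checker that sorts /var/log/messages lines like the ones quoted above into intact records, records with a leaked syslog priority tag in front of "ipfw:", truncated records and bare fragments, and counts hits per rule for the usable ones, so the share of lost ipfw logging can be measured before deciding whether to drop `log` from the rules. The sample log is constructed to resemble the quoted lines; the canonical ipfw log layout it matches is an assumption taken from the intact lines in the thread.

```python
import re
from collections import Counter

# Constructed sample (assumption: modelled on the mangled lines quoted in the thread,
# not captured from a live host). Mix of intact, tag-polluted, fragment and truncated records.
SAMPLE_LOG = """\
Sep 18 16:08:18 ns2 kernel: <11<110>ipfw: 7600 Accept UDP 80.242.205.104:50114 80.242.192.81:53 in via bge0
Sep 18 16:08:18 ns2 kernel: 0>ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.205.104:50111 out via bge0
Sep 18 16:09:42 ns2 kernel: b
Sep 18 16:13:42 ns2 kernel:
Sep 18 16:23:24 ns2 kernel: 8
Sep 18 16:30:00 ns2 kernel: ipfw: 7600 Accept UDP 80.242.205.104:50115 80.242.192.81:53 in via bge0
Sep 18 16:30:01 ns2 kernel: ipfw: 8100 Accept ICMP:8.0 80.242.205.104 80.242.192.81 in via bge0
Sep 18 16:30:02 ns2 kernel: ipfw: 7700 Accept UDP 80.242.192.81:53 80.242.2
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: ?(?P<msg>.*)$")
# Assumed ipfw(8) payload layout: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+(?::\d+\.\d+)?) "
    r"(?P<src>\d+(?:\.\d+){3}(?::\d+)?) (?P<dst>\d+(?:\.\d+){3}(?::\d+)?) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

def classify_line(line):
    """Return (category, parsed fields or None) for one /var/log/messages line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return "not-kernel", None
    msg = m.group("msg")
    idx = msg.find("ipfw:")
    if idx < 0:
        return "fragment", None        # empty or a stray byte: the rest of the record is gone
    hit = IPFW_RE.match(msg[idx:])
    if not hit:
        return "truncated", None       # "ipfw:" is there but the record is cut off
    if idx > 0:
        return "tag-polluted", hit.groupdict()  # leading junk like "<11<110>" before "ipfw:"
    return "ok", hit.groupdict()

def summarize(text):
    """Count categories and, for every usable record, hits per ipfw rule number."""
    cats, per_rule = Counter(), Counter()
    for line in text.splitlines():
        cat, fields = classify_line(line)
        cats[cat] += 1
        if fields is not None:
            per_rule[fields["rule"]] += 1
    return {"categories": dict(cats), "per_rule": dict(per_rule)}
```

Run `summarize(open("/var/log/messages").read())` on a real file to get the category counts; a high fragment or truncated share relative to "ok" quantifies how much of the `log` output is actually being lost.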

