From: Tom Eastep [mailto:teas...@shorewall.net]

On 1/6/2014 1:24 PM, Øyvind Lode wrote:
> Yes:
>
> Jan 6 17:03:24 munin logger: Shorewall Stopped
>
> Jan 6 17:04:12 munin kernel: [ 1.029009] r8169 0000:02:00.0 eth0: RTL8168d/8111d at 0xffffc90000378000, 48:5b:39:ac:1b:5e, XID 083000c0 IRQ 42
> Jan 6 17:04:12 munin kernel: [ 1.029022] r8169 0000:02:00.0 eth0: jumbo features [frames: 9200 bytes, tx checksumming: ko]
> Jan 6 17:04:12 munin kernel: [ 1.510458] e1000 0000:01:00.0 eth1: (PCI:33MHz:32-bit) 00:1b:21:3a:82:66
> Jan 6 17:04:12 munin kernel: [ 1.510475] e1000 0000:01:00.0 eth1: Intel(R) PRO/1000 Network Connection
> Jan 6 17:04:12 munin kernel: [ 9.201315] r8169 0000:02:00.0 eth0: link down
> Jan 6 17:04:12 munin kernel: [ 9.201351] r8169 0000:02:00.0 eth0: link down
> Jan 6 17:04:12 munin kernel: [ 9.201379] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
> Jan 6 17:04:12 munin kernel: [ 10.841359] r8169 0000:02:00.0 eth0: link up
> Jan 6 17:04:12 munin kernel: [ 10.841376] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
> Jan 6 17:04:12 munin kernel: [ 13.125508] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
> Jan 6 17:04:12 munin kernel: [ 13.149753] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
> Jan 6 17:04:12 munin kernel: [ 13.149911] IPv6: ADDRCONF(NETDEV_CHANGE): eth1
Øyvind,

Try placing this entry in /etc/shorewall/stoppedrules:

NOTRACK eth0 - udp 123

That should ensure that UDP 123 requests that arrive before the firewall is started will not create conntrack entries.

____________________

Thanks, but udp 123 requests are still flooding my log when I reboot the fw.

I recompiled shorewall and /etc/shorewall/stoppedrules was included.

Executing conntrack -F removes these requests and all is well again.

So, I now just put conntrack -F in rc.local and tested it by rebooting. I logged in and I see now that only 1 udp 123 request was logged before conntrack -F was executed by rc.local.

I am at a loss here and this is currently my only solution. It is much better than manually having to login to the fw to execute conntrack -F to avoid udp 123 cluttering my logs.

More suggestions are very much appreciated :)

Thanks.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
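An added example, not from this thread or from the Shorewall project: an rc.local-style script that lists only the UDP/123 flows the conntrack table picked up before the firewall started, and deletes just those instead of flushing the whole table with `conntrack -F`. It assumes conntrack-tools is installed and that `conntrack -L` prints one flow per line in its usual text format; the sample listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes conntrack-tools is installed and
# that `conntrack -L` prints one flow per line in its usual text format.

# Print only the UDP flows whose original-direction destination port is 123.
# Reads `conntrack -L` output on stdin; the first dport= field on a line is the
# original direction, the second is the reply direction.
ntp_conntrack_entries() {
    awk '$1 == "udp" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^dport=/) { if ($i == "dport=123") print; break }
    }'
}

# Count those flows (tr strips the padding some wc implementations add).
count_ntp_conntrack() {
    ntp_conntrack_entries | wc -l | tr -d ' '
}

# rc.local-style cleanup: delete only the UDP/123 flows created before the
# firewall came up, rather than `conntrack -F`, which also drops every
# legitimate established flow. Prints the number of flows found.
clear_stale_ntp_flows() {
    n=$(conntrack -L 2>/dev/null | count_ntp_conntrack)
    if [ "$n" -gt 0 ]; then
        logger -t stale-ntp "deleting $n pre-firewall UDP/123 conntrack entries"
        conntrack -D -p udp --dport 123 >/dev/null 2>&1
    fi
    echo "$n"
}

# Constructed sample of `conntrack -L` output (two NTP flows, one SSH, one DNS).
SAMPLE='udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=123 dport=123 src=10.0.0.1 dst=10.0.0.5 sport=123 dport=123 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=51234 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 20 src=10.0.0.1 dst=10.0.0.9 sport=40001 dport=53 src=10.0.0.9 dst=10.0.0.1 sport=53 dport=40001 mark=0 use=1
udp      17 28 src=10.0.0.7 dst=10.0.0.1 sport=123 dport=123 src=10.0.0.1 dst=10.0.0.7 sport=123 dport=123 mark=0 use=1'

# Stand-alone run against the sample (no root or conntrack binary needed):
#   sh stale-ntp.sh --sample
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | ntp_conntrack_entries
fi
```

On the firewall itself, call `clear_stale_ntp_flows` from rc.local after Shorewall has started; the stoppedrules NOTRACK entry above remains the preferred fix, and this script only reports and removes whatever still slipped through.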