Menu
What's new
By:
Filters Better Search

Optimize blocked events from firewall in the system-log

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

iJorgen

iJorgen

Regular Contributor
Is there any way to make the system-log more clean and efficient regarding blocked events from the firewall? Today lots of info are logged that's not really needed, so by optimizing it around 3 times more entries will fit in the same log-size. Today a blocked entry looks something like this (333 chars):
Code: 
May 15 10:02:56 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=106.225.212.148 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=8109 DF PROTO=TCP SPT=42618 DPT=6379 SEQ=1262446180 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (0CD7E8640GF3B5A7075EBA490000000005768312) MARK=0x8000000

For me something like this is more than enough (108 chars):
Code: 
May 15 10:02:56 kernel: [BLOCKED - INBOUND] SRC=106.225.212.148 DST=xx.xx.xx.xx PROTO=TCP SPT=42618 DPT=6379

Can you change what "kernel" outputs in the system-log or is it hard-coded?!

EDIT: I found some clues in IPTABLES and SkyNet source-code...
Code: 
IPSET-rule:
-A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options

SkyNet:
iptables -t raw -C PREROUTING -i "$iface" -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#14 "
iptables -t raw -C PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#15 "
 
Last edited:
Those messages are generated by Skynet. You'd have to change the relevant iptables commands in Skynet to a different format. That would probably break Skynet as when it parses those lines it expects them to be in a specific format.
 
dave14305 said:
You can eliminate some of the options in Skynet’s iptables command to reduce the output, but only in a very small way. The only option I would consider removing is —log-tcp-sequence.
Click to expand...
Thanks Dave!! 👍 I see those options in SkyNet Lite too, so that's probably it. Will try...
Code: 
--log-tcp-sequence --log-tcp-options --log-ip-options
dave14305 said:
You can experiment with your own install of Skynet (whatever the Lite Fort Knox edition is). But it may negatively impact any reporting done by the regular Skynet script/GUI.
Click to expand...
It's based on a SkyNet Lite fork by Wbartels: https://github.com/wbartels/IPSet_ASUS_Lite
ColinTaylor said:
Those messages are generated by Skynet. You'd have to change the relevant iptables commands in Skynet to a different format. That would probably break Skynet as when it parses those lines it expects them to be in a specific format.
Click to expand...
Thanks Colin!! I use SkyNet Lite that don't have lots of statistic, so it will probably not break something important. Worth a try... :p
 
I would also get rid of —log-ip-options after further review of the Linux kernel source (that long OPT (…) section).
 
I did some testing and things got a bit cleaner... 👍 I removed the options one by one and now some info at the far right is gone.

Code: 
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT SEQ ACK WINDOW RES SYN URGP MARK
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT WINDOW RES SYN URGP OPT MARK
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT WINDOW RES SYN URGP MARK

What really would save space is to remove MAC-address since it's always the same, but haven't figured out yet where it comes from in the SkyNet-code.
Code: 
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

EDIT: When investigating deeper it seems this default output with the long Mac-address is produced by IPTABLES own logging function containing all these fields and can't be shortened any further without writing a new logging function. Good enough now...
 
Last edited:
You must log in or register to reply here.

Similar threads

J
Skynet Skynet - Blocked outbounds coming from the router itself?
Replies
12
Views
903
JuanGF
J
B
Skynet Outbound blocks
Replies
1
Views
472
BeachGuy
B
P
Skynet show inbound block on Digital TV Vlan300
Replies
4
Views
917
poudenes
P
J
AX86U constantly blocking repeated inbound connections
Replies
7
Views
2K
Tech9
Tech9
E
Need help with system log interpretation
Replies
1
Views
1K
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
L Access to certain IPs in LAN blocked somehow? Asuswrt-Merlin 4
M wan dhcpv6 blocked by firewall Asuswrt-Merlin 2
S Repeated Wi-Fi connection attempts are not fully blocked Asuswrt-Merlin 2
B (solved) Dnscrypt blocked-names.txt automatically deleted upon modification Asuswrt-Merlin 4
J RT-AX88U firmware 3004.388.6_0 internet blocked Asuswrt-Merlin 6
alan6854321 Saved settings and jffs get blocked by Chrome & Windows security Asuswrt-Merlin 13
P AX86U - Logins intermittently blocked Asuswrt-Merlin 13
mattyboolin AT-RX58U Large amount of blocked incoming connections Asuswrt-Merlin 6
saison2023 Any way to diagnose further these dnsmasq restart events? Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 513 (members: 21, guests: 492)
Top