Optimize blocked events from firewall in the system-log

iJorgen

Regular Contributor
Is there any way to make the system log cleaner and more efficient regarding blocked events from the firewall? Today lots of info is logged that's not really needed, so by optimizing it, around 3 times more entries will fit in the same log size. Today a blocked entry looks something like this (333 chars):
Code:
May 15 10:02:56 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=106.225.212.148 DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=8109 DF PROTO=TCP SPT=42618 DPT=6379 SEQ=1262446180 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (0CD7E8640GF3B5A7075EBA490000000005768312) MARK=0x8000000

For me something like this is more than enough (108 chars):
Code:
May 15 10:02:56 kernel: [BLOCKED - INBOUND] SRC=106.225.212.148 DST=xx.xx.xx.xx PROTO=TCP SPT=42618 DPT=6379

Can you change what "kernel" outputs in the system-log or is it hard-coded?!

EDIT: I found some clues in the IPTABLES and SkyNet source code...
Code:
IPSET-rule:
-A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options

SkyNet:
iptables -t raw -C PREROUTING -i "$iface" -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#14 "
iptables -t raw -C PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options 2>/dev/null || fail="${fail}#15 "
 
Those messages are generated by Skynet. You'd have to change the relevant iptables commands in Skynet to a different format. That would probably break Skynet as when it parses those lines it expects them to be in a specific format.
 
You can eliminate some of the options in Skynet's iptables command to reduce the output, but only in a very small way. The only option I would consider removing is --log-tcp-sequence.
Thanks Dave!! 👍 I see those options in SkyNet Lite too, so that's probably it. Will try...
Code:
--log-tcp-sequence --log-tcp-options --log-ip-options
You can experiment with your own install of Skynet (whatever the Lite Fort Knox edition is). But it may negatively impact any reporting done by the regular Skynet script/GUI.
It's based on a SkyNet Lite fork by Wbartels: https://github.com/wbartels/IPSet_ASUS_Lite
Thanks Colin!! I use SkyNet Lite, which doesn't have lots of statistics, so it will probably not break something important. Worth a try... :p
 
I would also get rid of --log-ip-options after further review of the Linux kernel source (that long OPT (…) section).
 
I did some testing and things got a bit cleaner... 👍 I removed the options one by one and now some info at the far right is gone.

Code:
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT SEQ ACK WINDOW RES SYN URGP MARK
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT WINDOW RES SYN URGP OPT MARK
IN OUT MAC SRC DST LEN TOS PREC TTL ID PROTO SPT DPT WINDOW RES SYN URGP MARK

What really would save space is to remove the MAC address since it's always the same, but I haven't figured out yet where it comes from in the SkyNet code.
Code:
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx

EDIT: When investigating deeper, it seems this default output with the long MAC address is produced by IPTABLES' own logging function, which contains all these fields and can't be shortened any further without writing a new logging function. Good enough now...
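Since the kernel's LOG format itself can't be trimmed, the other place to get the compact form from the first post is a post-processor over the log lines; the script below is an added example, not code from the thread or from Skynet, and it also approximates what a line looks like once each of the three LOG options is dropped. The option-to-field mapping is assumed from the testing posted above (which of --log-tcp-options / --log-ip-options produced the OPT blob is not stated, so OPT is kept while either remains), and the sample line is the one quoted in the first post.

```python
import re

# Sample line as quoted earlier in the thread (MAC and DST keep the thread's xx placeholders).
SAMPLE_LINE = (
    "May 15 10:02:56 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= "
    "MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=106.225.212.148 "
    "DST=xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=41 ID=8109 DF PROTO=TCP "
    "SPT=42618 DPT=6379 SEQ=1262446180 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 "
    "OPT (0CD7E8640GF3B5A7075EBA490000000005768312) MARK=0x8000000"
)

# Fields each LOG option contributes, as observed above when removing them one by one.
# Assumption: the thread does not say whether OPT came from the TCP or the IP option,
# so OPT is kept while either of those two options is still on the rule.
OPTION_FIELDS = {
    "--log-tcp-sequence": {"SEQ", "ACK"},
    "--log-tcp-options": {"OPT"},
    "--log-ip-options": {"OPT"},
}
KEEP = ("SRC", "DST", "PROTO", "SPT", "DPT")  # the fields the first post wanted to keep
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) kernel: (?P<prefix>\[[^\]]*\]) (?P<rest>.*)$")


def tokenize(rest):
    """Ordered (key, value) pairs from the LOG body; bare flags such as DF/SYN get value None."""
    rest = re.sub(r"OPT \(([^)]*)\)", r"OPT=\1", rest)  # OPT (...) contains a space, fold it
    return [(k, v if sep else None) for k, sep, v in (t.partition("=") for t in rest.split())]


def compact(line, keep=KEEP):
    """Rewrite a LOG line to timestamp + prefix + the kept key=value fields only."""
    m = LINE_RE.match(line)
    if not m:
        return line  # not a kernel LOG line; pass through unchanged
    fields = {k: v for k, v in tokenize(m["rest"]) if v is not None}
    body = " ".join(f"{k}={fields[k]}" for k in keep if k in fields)
    return f"{m['ts']} kernel: {m['prefix']} {body}"


def without_options(line, removed):
    """Approximate the line the rule would log once the given LOG options are dropped."""
    m = LINE_RE.match(line)
    if not m:
        return line
    on = set().union(*(OPTION_FIELDS[o] for o in OPTION_FIELDS if o not in removed))
    drop = set().union(*(OPTION_FIELDS.get(o, set()) for o in removed)) - on
    parts = [k if v is None else f"OPT ({v})" if k == "OPT" else f"{k}={v}"
             for k, v in tokenize(m["rest"]) if k not in drop]
    return f"{m['ts']} kernel: {m['prefix']} {' '.join(parts)}"
```

Feeding the system log through compact() (for example from a cron job that rewrites a copy of the log) gives the 108-character form without touching the Skynet rules that the script parses.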
 