Hey guys, I've been somewhat annoyed by the reports we've been getting. Is there a compelling reason why we need to have invalid connection attempts to proxy* logged? Why don't we just remove the -j LOG call and REJECT the connection normally?
We're not going to DO anything about the connection so why not decrease the garbage that we see in the log reports?
-sv
On 10/17/06, seth vidal skvidal@linux.duke.edu wrote:
Fine with me, Luke what do you think?
-Mike
On Tue, Oct 17, 2006 at 08:26:26AM -0500, Mike McGrath wrote:
Yeah, that noise definitely needs to stop. I'll poke around at the pyroman config later tonight and see if I can stop that.
For future reference, all of our firewall configurations are in 'fedora-config/files/DEFAULT/etc/pyroman', and the logging in particular is 04_log.py. So feel free to fix up any problems that you see.
This is the chain that is causing the ruckus:
## Log dropped packets in a nicer format
# LOGLIMIT and LOGLIMITBURST are defined elsewhere in the pyroman config
add_chain("USR_drop")
for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID", "SNAT", "DNAT"):
    # one rate-limited LOG rule per conntrack state, prefixed with the state name
    iptables("USR_drop", "-m conntrack --ctstate %s -m limit --limit %s --limit-burst %s -j LOG --log-prefix \"CONN=%s \"" % (state, LOGLIMIT, LOGLIMITBURST, state))
# drop the packet after (optionally) logging it
iptables("USR_drop", "-j DROP")
I guess the question is, what *do* we want to log?
luke
On Tue, 2006-10-17 at 11:41 -0400, Luke Macken wrote:
Do we care? If the packet is being dropped does it matter if we know about it?
If we have a problem with a service breaking then we can turn on the logging and track it down - but if things are working why not just leave it off?
-sv
On 10/17/06, seth vidal skvidal@linux.duke.edu wrote:
I agree with Seth. It'd be nice to track all this stuff and put it in a separate log file that we can parse and graph and monitor, but I don't think we have the resources to really do that yet. Maybe if we get some budget for an IDS box or something :)
-Mike
seth vidal wrote:
I also agree. The less noise we need to pick through from the epylog reports will make it that much easier to notice issues we do need to act on.
--Jeffrey
On Tue, Oct 17, 2006 at 12:09:55PM -0400, seth vidal wrote:
Works for me. I added a LOGGING variable to 04_log.py, and set it to False by default. We can flip this on later if we need it.
luke
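As an added example (not the project's 04_log.py and not pyroman's own API): a stand-alone Python model of the USR_drop chain gated by the LOGGING switch Luke describes. add_chain()/iptables() here are stand-ins that collect rule strings into a list instead of calling pyroman, and the limit values are constructed samples, so the effect of the flag can be checked offline.

```python
# Added example: models the USR_drop chain with a LOGGING switch.
# add_chain()/iptables() are stand-ins for pyroman's helpers (assumption:
# they collect rule strings rather than invoking the real iptables binary).

LOGGING = False          # default after the change: no LOG rules at all
LOGLIMIT = "3/minute"    # constructed sample values; the real config
LOGLIMITBURST = 5        # defines its own limits elsewhere


def build_usr_drop(logging=LOGGING, loglimit=LOGLIMIT, burst=LOGLIMITBURST):
    """Return the iptables rules the USR_drop chain would contain."""
    chains = {}

    def add_chain(name):
        chains[name] = []

    def iptables(chain, rule):
        chains[chain].append("-A %s %s" % (chain, rule))

    add_chain("USR_drop")
    if logging:
        # One rate-limited LOG rule per conntrack state, prefixed with the
        # state name so a report tool (epylog) can group the entries.
        for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID", "SNAT", "DNAT"):
            iptables("USR_drop",
                     "-m conntrack --ctstate %s -m limit --limit %s "
                     "--limit-burst %s -j LOG --log-prefix \"CONN=%s \""
                     % (state, loglimit, burst, state))
    # The packet is dropped either way; only the log noise is optional.
    iptables("USR_drop", "-j DROP")
    return chains["USR_drop"]


if __name__ == "__main__":
    print("LOGGING=False:", build_usr_drop())
    print("LOGGING=True:")
    for rule in build_usr_drop(logging=True):
        print("  " + rule)
```

With the flag off the chain reduces to the single DROP rule; with it on, the six LOG rules precede the DROP, each still subject to the -m limit rate cap.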
infrastructure@lists.fedoraproject.org