Firewall – prevent some of the UFW messages from being logged

firewallloggingrsyslogufw

My router broadcasts (sends to 224.0.0.1) something every forty seconds. This is caught by UFW which stores a log entry in syslog:

Jan 5 03:49:02 log kernel: [ 1184.788900] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:40:5a:9b:5c:9c:fd:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0x80 TTL=1 ID=0 DF PROTO=2

I am about to set up a syslog server which will collect messages from each of network's 50 machines. Polluting the syslog with 50 messages every forty seconds annoys me, and the router itself is unfortunately not configurable.

Is there a way to prevent those particular messages (filtered by source and destination) to be logged, while still logging other entries which are blocked by the firewall?

Best Answer

Yes.

For rsyslog, you can use a filter such as:

:msg, contains, "MAC=01:00:5e:00:00:01:40:5a:9b:5c:9c:fd:08:00 SRC=192.168.1.1 D ST=224.0.0.1" ~

If you put it before other configuration rules, it will prevent the messages from being logged. You can see a full example of a configuration file here.

Note that the text “must be an exact match, wildcards are not supported.”
For syslog-ng, use some variation of the filters, with a not message('someregex') in your filter.

Related Solutions

UFW Logging – Why Are Blocked Requests Logged on Open Port?

Notice that your packet has both the FIN and ACK bits set. This is the last packet that the remote host sends in the TCP tear down (end of connection) procedure.

What happens is, when your host has finished sending it sets the FIN and ACK flags on the last packet. The remote hosts sends a packet with ACK set followed by a packet with FIN and ACK set.

Local          remote
FIN ACK ---->
        <----  ACK
        <----  FIN ACK (?optional?)
ACK     ----->

In practice, the remotes FIN ACK is considered optional so the netfilter firewall will flush it's connection table when it sees the ACK so when the FIN ACK packet arrives it has no associated connection and is dropped.

UFW blocking port 80 when it should not

I spent a significant amount of time trying to troubleshoot this problem. The involvement of UFW was a symptom of the real problem and not the cause. I found a solution so I didn't want to leave the question unanswered.

I discovered that for a reason I cannot yet explain syncookies were disabled on the apache servers behind the load balancer:

# sysctl -a | grep syncookies
net.ipv4.tcp_syncookies = 0

The reason I cannot explain this is that it is set to 1 in the default Centos6 /etc/sysctl.conf file. That is a separate issue for me to figure out.

You can read more about syn cookies here:

http://en.wikipedia.org/wiki/SYN_cookies

These are relatively busy servers that handle a lot of connections. My best guess is that enabling UFW (and thus enabling iptables) slowed things down just enough for the syn queue to fill up and without syncookies on connections started getting refused.

Best Answer

Related Solutions

UFW Logging – Why Are Blocked Requests Logged on Open Port?

UFW blocking port 80 when it should not

Related Topic