7.21. ( Log Reduction ) - My logs are filling up with packet hits due to the new "stronger" rulesets. How can I fix this?

So your realizing that a good firewall is catching a LOT of bad Internet traffic. That's a good thing but it's also filling up your logs to the point that you won't read them; that's bad. What to do?

What you need to figure out is what traffic you DON"T want to log, explicitly match those packets in the firewall, and NOT log the packets when you drop them.

For example, the TrinityOS firewall ruleset in section 10.7 (this would be a "strongest" ruleset in IPMASQ speak) gives some ideas: TrinityOS - Section 10.7

Things I recommend to filter:

  • All RFC1918 address space (TCP/IP address ranges: 10.x.y.z/8, 172.16-31.y.z/12, and 192.168.y.x/16). You should /never/ receive these packets from an Internet connection. If you do, they are most likely spoofed packets

  • Windows File and Print Sharing (Samba or CIFS): ports 137, 138, 139, and 445. Windows machines like to talk a lot though most computers don't care what they're saying.

  • Class-D Multicast addresses (if you don't use Multicast):

  • Class-E and F "future" addresses: and

To a much lesser extent, you might want to filter other packets. I recommend that you verify that you are receiving these specific packet types before you filter them out.

  • RIP (the routing protocol): port 520

  • Some specific forms of ICMP packets - NOT all of them (that will break your machine and IPMASQ in general)

Finally, you'll probably find that some individual TCP/IP address out on the Internet always seem to attack your IP. So, in addition to filtering various PORTS like above, you might want to also filter by specific SOURCE IP address too. After all, it is *YOUR* firewall.

Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout