Avoid filling up syslog with useless firewall messages

xenopeek | Level 25 | Posts: 25099 | Joined: Wed Jul 06, 2011 3:58 am | Location: The Netherlands

Avoid filling up syslog with useless firewall messages

Post by xenopeek »

When using UFW (the default firewall for all Linux Mint editions except for LMDE) your /var/log/syslog can quickly fill up with useless firewall messages such as the following (this is one line, but wrapped in output here):
Sep 2 21:42:47 machine kernel: [45908.536890] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=40487 PROTO=2
On my machine this is logged every two minutes, making it harder to find messages of actual importance in the syslog. The clue of this message is highlighted in red; it is just your router trying to discover what machines on the network support multicast (see Wikipedia).

It is harmless traffic, but if you prefer to keep your syslog clear of this you can do so by adding a rule to UFW:

sudo ufw deny in to 224.0.0.1
This is only useful if you have enabled UFW. You can check the status of UFW:

sudo ufw status verbose
It should report similar as below highlighted in red:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
224.0.0.1                  DENY IN     Anywhere
blueicetwice | Level 2 | Posts: 90 | Joined: Wed May 25, 2016 8:12 am

Re: Avoid filling up syslog with useless firewall messages

Post by blueicetwice »

Thanks for the tip, xenopeek. Rule added to firewall.
fabien85 | Level 7 | Posts: 1823 | Joined: Tue Mar 11, 2014 4:30 pm

Re: Avoid filling up syslog with useless firewall messages

Post by fabien85 »

Hi xenopeek,
in my logs, I see that ufw blocks wifi traffic with destination DST=224.0.0.251.
If I'm not mistaken, this is also a multicast address.
Also I stumbled upon this Arch wiki thread: https://bbs.archlinux.org/viewtopic.php?id=212452 that says (at the end) that it would be better to allow that multicast traffic rather than deny it.
So here are my questions:
- if I want to cover the whole address range 224.0.0.0 to 224.0.0.255 I should use the expression 224.0.0.0/24, right?
(I try to follow https://en.wikipedia.org/wiki/Classless ... IDR_blocks but I'm not perfectly sure)
- so if I want to allow multicast from the router, I should go with

sudo ufw allow in from 192.168.1.1 to 224.0.0.0/24
right?
- what's your take on allowing vs denying ?
- I see that the router is not the only device multicasting. Should I allow (or deny) anything multicasting on the LAN ?
e.g. with

sudo ufw allow in from 192.168.1.0/26 to 224.0.0.0/24
(where, if I'm correct, 192.168.1.0/26 stands for anything in the range 192.168.1.0 to 192.168.1.63)
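As an added example (not code from any post in this thread), here is a small Python script that reads [UFW BLOCK] lines in the format xenopeek quoted, counts blocked packets per destination and protocol, and labels which destinations fall inside the 224.0.0.0/24 block fabien85 asks about; it also prints the first and last address of the two CIDR ranges he works out. The log lines, MAC addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog excerpt in the [UFW BLOCK] format quoted in the thread
# (PROTO=2 is IGMP from the router; UDP port 5353 to 224.0.0.251 is mDNS from another host).
SAMPLE_LOG = """\
Sep 2 21:42:47 machine kernel: [45908.536890] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=40487 PROTO=2
Sep 2 21:44:47 machine kernel: [46028.536890] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=40488 PROTO=2
Sep 2 21:45:01 machine kernel: [46042.100000] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=73 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=53
Sep 2 21:45:09 machine kernel: [46050.200000] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:10:aa:bb:cc:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 2 21:45:10 machine cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""
LINK_LOCAL_MCAST = ip_network("224.0.0.0/24")  # the /24 asked about in the thread
ALL_MCAST = ip_network("224.0.0.0/4")          # every IPv4 multicast address
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")         # KEY=VALUE pairs; bare flags like DF are skipped

def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a [UFW BLOCK] line, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD.findall(line.split("[UFW BLOCK]", 1)[1]))

def classify(dst):
    """Label a destination so multicast noise can be told apart from real blocked traffic."""
    addr = ip_address(dst)
    if addr in LINK_LOCAL_MCAST:
        return "link-local multicast"
    if addr in ALL_MCAST:
        return "other multicast"
    return "unicast"

def summarize(log_text):
    """Count blocked packets per (DST, PROTO, class) across a syslog excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is not None:
            counts[(fields["DST"], fields.get("PROTO", "?"), classify(fields["DST"]))] += 1
    return counts

def cidr_bounds(cidr):
    """First and last address covered by a CIDR block (checks the ranges discussed above)."""
    net = ip_network(cidr)
    return str(net[0]), str(net[-1])

if __name__ == "__main__":
    for (dst, proto, kind), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  DST={dst:<15} PROTO={proto:<4} {kind}")
    for cidr in ("224.0.0.0/24", "192.168.1.0/26"):
        print(cidr, "covers", "-".join(cidr_bounds(cidr)))
```

On a real machine, replace SAMPLE_LOG with the contents of /var/log/syslog (or the output of grep "UFW BLOCK" /var/log/syslog) to see which destinations dominate before deciding what to allow, deny or stop logging.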
Pjotr | Level 22 | Posts: 16192 | Joined: Mon Mar 07, 2011 10:18 am | Location: The Netherlands (Holland)

Re: Avoid filling up syslog with useless firewall messages

Post by Pjotr »

Better yet (for approximately 99.9 % of the Mint users):

sudo ufw logging off
Fire and forget; just nuke all UFW logging. Been doing this on all of my Mint installations for the past year or so. I never did read anything of those spammy UFW logs anyway. Good riddance to something which is bad rubbish for roughly 99.9 % of all Mint users.
Tip: 10 things to do after installing Linux Mint 20.1 Ulyssa
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
fabien85 | Level 7 | Posts: 1823 | Joined: Tue Mar 11, 2014 4:30 pm

Re: Avoid filling up syslog with useless firewall messages

Post by fabien85 »

Indeed it's probably okay for laptops and single-user desktops.
I also have a small server, where I want to keep logging legitimate ufw blocks.
Digging a bit, I found this interesting: https://askubuntu.com/questions/10836/i ... t-of-dmesg
so it is possible to prevent ufw from logging to /var/log/kern.log, but it does not work for dmesg.
For dmesg you can grep -v UFW.
1000 | Level 4 | Posts: 235 | Joined: Wed Jul 29, 2020 2:14 am

Re: Avoid filling up syslog with useless firewall messages

Post by 1000 »

I have the gufw setting at "logging low level",
and my UFW collects only the opening of gufw :mrgreen:

[01/02/2021 10:17:47] Profile with changed name: Home> Home
[01/02/2021 10:17:47] Profile renamed: Public> Public
[01/02/2021 10:17:47] Profile with the changed name: Office> Office
[26/12/2020 00:49:18] Profile with changed name: Home> Home
[26.12.2020 00:49:18] Profile with the changed name: Public> Public
[26.12.2020 00:49:18] Profile with the changed name: Office> Office
More seriously:
> ... it is possible to prevent ufw from logging to /var/log/kern.log, but it does not work for dmesg.
It looks like a bug.

Even if it always works, this will not prevent spam in dmesg.
For more advanced stuff, I recommend playing with iptables.
Maybe someone will give an example of a ready-made firewall with explanations of what works and how?
And with a script to test these rules with the firewall in practice?

Maybe

 -m connlimit --connlimit-above 
will work with

 --log-prefix "IPTABLES:Limit_log " -m comment --comment "IPTABLES:Limit_log "
Maybe

-m limit --limit 2/min -j LOG --log-prefix "IPTables:Limit_log: " --log-level 4  -m comment --comment "IPTABLES:Limit_log "