Networking Forums

iptables firewall doesn't log anymore!

 
 
Posted by 0 (Guest), 08-10-2003, 11:09 AM
Hi NG!
My firewall doesn't log anymore!
I'm using SuSE 7.3 on an old 486 and since August 1st, syslog doesn't
seem to write the dropped packets from iptables to /var/log/firewall.
iptables behaves as usual though, and logs and drops packets like it
did before. I don't know where to look. Any ideas?

Thanks
Bernd Haller

/etc/syslog.conf 's last line:
kern.* -/var/log/firewall

iptables rules to drop:
$IPTABLES -N drop-and-log-it                 # user-defined chain: log, then drop
$IPTABLES -A drop-and-log-it -j LOG --log-level info \
    --log-tcp-sequence --log-tcp-options --log-ip-options
$IPTABLES -A drop-and-log-it -j DROP         # LOG does not terminate; the packet falls through to DROP

/var/log/firewall permissions (ls -al):
-rw-r----- 1 root root 1042397 Aug 1 11:39

df output:
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 647M 561M 53M 92% /



cat /proc/meminfo :
total: used: free: shared: buffers: cached:
Mem: 35287040 34353152 933888 0 3895296 11890688
Swap: 135208960 2043904 133165056
MemTotal: 34460 kB
MemFree: 912 kB
MemShared: 0 kB
Buffers: 3804 kB
Cached: 11076 kB
SwapCached: 536 kB
Active: 9900 kB
Inactive: 6576 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 34460 kB
LowFree: 912 kB
SwapTotal: 132040 kB
SwapFree: 130044 kB
 

Posted by jack (Guest), 08-11-2003, 07:54 AM
0 wrote:

> My firewall doesn't log anymore!


> /etc/syslog.conf 's last line:
> kern.* -/var/log/firewall


Just a thought, as all the setup you posted seems to be OK:

Do you "rotate" your logs in any way? - I do so every 1st of a
month. But then, you have to restart syslogd (like "kill -HUP \
$(pidof syslogd)"). That is because on start-up, syslogd will
translate filenames into file descriptors and thus you will have
to trigger that translation again after moving/renaming log files.
-- In this case, though, syslogd would keep logging to the old
(now renamed/moved) file. Perhaps you should check that first.

> iptables rules to drop:
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j LOG --log-level info \
>     --log-tcp-sequence --log-tcp-options --log-ip-options
> $IPTABLES -A drop-and-log-it -j DROP
>
> /var/log/firewall permissions (ls -al):
> -rw-r----- 1 root root 1042397 Aug 1 11:39


If, on the other hand, you didn't move or rename the log file,
it _should_ still be logging...

> df output:
> Filesystem Size Used Avail Use% Mounted on
> /dev/hda3 647M 561M 53M 92% /


On a typical ext2 filesystem, you may want to see the comments on
the "-m" option to mke2fs and tune2fs in their respective manpages.
The default value is 5%, so your hda3 will be considered full at
95% already. This may be the issue here. Especially if you use "-"
in syslog.conf, try to "sync" manually, and see what you get...


Cheers, Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

 

Posted by 0 (Guest), 08-12-2003, 01:28 PM
> Do you "rotate" your logs in any way? - I do so every 1st of a
> month.

Yes, every month like you.

> But then, you have to restart syslogd (like "kill -HUP \
> $(pidof syslogd)"). That is because on start-up, syslogd will

Well, I don't do this by hand: crond does that for me.

>
> On a typical ext2 filesystem, you may want to see the comments on
> the "-m" option to mke2fs and tune2fs in their respective manpages.
> The default value is 5%, so your hda3 will be considered full at
> 95% already. This may be the issue here. Especially if you use "-"
> in syslog.conf, try to "sync" manually, and see what you get...


Actually, I tried to sync it manually, but it didn't change anything.
I set the permissions to rw for anyone: nothing. Eventually, I
rebooted and there: it worked again. I still don't understand why this
is needed. I mean: I'm not using Windows, damn. This is of course
annoying since I can't know WHEN it stops logging. Or would you advise
me to start using SNMP or something similar?

Thanks,
Bernd
 

Posted by jack (Guest), 08-13-2003, 07:23 AM
0 wrote:
>> Do you "rotate" your logs in any way? - I do so every 1st of a
>> month.
>
> Yes, every month like you.
>
> Well, I don't do this by hand: crond does that for me.


Oh, what a good idea... - I'm tired of getting up in the middle of
the night to monitor my servers... -- Just kidding.


> Actually, I tried to sync it manually, but it didn't change anything.
> I set the permissions to rw for anyone: nothing. Eventually, I
> rebooted and there: it worked again. I still don't understand why this
> is needed. I mean: I'm not using Windows, damn. This is of course
> annoying since I can't know WHEN it stops logging. Or would you advise
> me to start using SNMP or something similar?


Well, I'm guessing here, but I think there are two things that
may cause this: Firstly, as said, if you moved the log file without
restarting syslogd, it will keep writing to the moved file rather than
to the new one (note that, IIRC, the new file has to be in place; like
in "mv /var/log/firewall.log /var/log/fw.$YEAR$MONTH.log ; touch \
/var/log/firewall.log ; kill -HUP $(pidof syslogd)").
The second thing would be that there's not enough space left on your
hd to sync it. "df" reports about 19M free space, and normally the
disk is considered full no matter whether all IO has physically been
done already. So I'm not sure whether this causes your problem.

Rebooting the Linux box does nothing but bring down all processes and
restart them in a predefined manner. So if you messed up some of your
daemons, you could either restart them by hand one by one, or have
"init" do that for you. There's no need to reboot a Linux box unless
you want to run a different kernel.

So, something _does_ cause this. Try removing the leading "-" in
/etc/syslog.conf and see when exactly the logging stops. Check your
system logs for anything suspicious. This will give you a step by step
approach to the problem.


Cheers, Jack.

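The rotation failure Jack describes in both of his replies, as an added example that is not part of the thread and is neither Bernd's nor Jack's code: a POSIX shell script that simulates a daemon holding its log file open while a cron job renames the file, shows that the daemon's writes keep landing in the renamed file until the descriptor is closed and reopened by name (which is what "kill -HUP" makes syslogd do), and adds a check for a live box that lists where every syslogd descriptor really points. The temporary paths are constructed, and the live check assumes a Linux box with /proc and pidof, as SuSE had. One caveat on the reserved-blocks theory: the blocks held back by "tune2fs -m" are withheld from non-root processes only, and df's Avail column already has them subtracted, so they do not stop a root-owned syslogd from writing.

```shell
#!/bin/sh
# Added example, not from the thread. Simulates syslogd's behaviour around a
# log rotation: the daemon opens its output file once at start-up and keeps
# writing through that descriptor, so renaming the file does not redirect
# the writes until the daemon reopens the path (what SIGHUP makes it do).
# fd 3 of this shell plays syslogd's descriptor; all paths are constructed
# temporaries, not the real /var/log/firewall.

# The "daemon" appends one line through its already-open descriptor.
daemon_log() {
    printf '%s\n' "$1" >&3
}

# Where does fd $1 currently point? The readlink process inherits this
# shell's descriptors, so /proc/self resolves to the same file. Linux
# only; prints "unknown" where /proc is missing.
fd_target() {
    readlink "/proc/self/fd/$1" 2>/dev/null || echo unknown
}

# Line count of a file, stripped of the leading blanks some wc's print.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Run the scenario and print three counts:
#   lines in the new file right after the rename  (0: writes went elsewhere)
#   lines in the renamed file                     (2: the post-mv write landed there)
#   lines in the new file after the emulated HUP  (1: reopened by name)
rotate_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/firewall"

    : > "$log"
    exec 3>>"$log"                     # daemon start-up: open the path once
    daemon_log "1 before rotation"

    mv "$log" "$log.old"               # cron job rotates, without a HUP
    : > "$log"                         # a new, empty file at the old path
    daemon_log "2 after mv, no HUP"    # still goes via fd 3 -> firewall.old
    printf 'fd 3 points at: %s\n' "$(fd_target 3)" >&2

    after_mv=$(count_lines "$log")
    in_old=$(count_lines "$log.old")

    exec 3>&-                          # emulate kill -HUP: close ...
    exec 3>>"$log"                     # ... and reopen the file by name
    daemon_log "3 after HUP"
    after_hup=$(count_lines "$log")

    exec 3>&-
    rm -rf "$dir"
    echo "$after_mv $in_old $after_hup"
}

# On a live box (Linux, as root): show where each syslogd descriptor points,
# so a renamed or "(deleted)" target is visible at a glance. Assumes pidof
# is present; sockets and device nodes are filtered out as noise.
show_syslogd_fds() {
    for pid in $(pidof syslogd 2>/dev/null); do
        echo "syslogd pid $pid:"
        ls -l "/proc/$pid/fd" 2>/dev/null | grep -v ' -> socket:' | grep -v ' -> /dev/'
    done
}

rotate_demo    # prints "0 2 1"
```

On the real box, run show_syslogd_fds and compare the targets with the files named in /etc/syslog.conf; a descriptor pointing at last month's renamed file (or at a "(deleted)" entry) is the signature of a rotation job that moved the file but never signalled the daemon. Whatever rotates the file has to send the HUP in the same job, after the new empty file is in place; with logrotate that is a postrotate stanza.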

 