7.21. ( Log Reduction ) - My logs are filling up with packet hits due to the
new "stronger" rulesets. How can I fix this?
So your realizing that a good firewall is catching a LOT of bad Internet
traffic. That's a good thing but it's also filling up your logs to the point
that you won't read them; that's bad.
What to do?
What you need to figure out is what traffic you DON"T want to log, explicitly
match those packets in the firewall, and NOT log the packets when you drop
them.
For example, the TrinityOS firewall ruleset in section 10.7 (this would be a
"strongest" ruleset in IPMASQ speak) gives some ideas:
TrinityOS - Section 10.7
Things I recommend to filter:
All RFC1918 address space (TCP/IP address ranges: 10.x.y.z/8,
172.16-31.y.z/12, and 192.168.y.x/16). You should /never/ receive these
packets from an Internet connection. If you do, they are most likely spoofed
packets
Windows File and Print Sharing (Samba or CIFS): ports 137, 138, 139,
and 445. Windows machines like to talk a lot though most computers don't care
what they're saying.
Class-D Multicast addresses (if you don't use Multicast): 224.0.0.0/4
Class-E and F "future" addresses: 240.0.0.0/5 and 248.0.0.0/5
To a much lesser extent, you might want to filter other packets. I recommend
that you verify that you are receiving these specific packet types before
you filter them out.
Finally, you'll probably find that some individual TCP/IP address out on the
Internet always seem to attack your IP. So, in addition to filtering various
PORTS like above, you might want to also filter by specific SOURCE IP address
too. After all, it is *YOUR* firewall.