Shorewall spam at console

Every once in a while my NethServer becomes unresponsive and has to be restarted. Usually after an upgrade. I’ll look into that in a separate topic.

One troubling thing is that whenever I connect into the KVM console (not SSH) I see shorewall spam mixed in with the login messages:

Can anyone tell me why, or how to get rid of it?

Did you connect red and green to the same switch/network?

Shorewall FAQs - Search for “FAQ 85”

You may edit /etc/rsyslog.conf and add the following line on top of the RULES section:

kern.*                     /dev/null

…and restart rsyslog to apply the config:

systemctl restart rsyslog

Thanks for explaining. Unfortunately I’m a bit unfamiliar with the network configuration in NethServer. Last time I tried to modify it to deal with the red / green warnings, I lost access to the server and had to recover via console.

If you have a minute, can you look at the settings below and tell me if there is some issue? Is it a security problem to “connect red and green to the same switch/network”?

The green interface needs a static IP.

It’s a wrong configuration that leads to problems.
What do you want to achieve with connecting red and green to the same network?

Usually, when Nethserver acts as gateway it uses at least a red WAN interface and a green LAN one.
If you want to use Nethserver as server just use the green interface.

Docs:

https://docs.nethserver.org/en/v7/base_system.html#network

I wasn’t intending to do any special configuration. My goal is to just have my NethServer as a standalone server sitting on a VPS. I pretty much just went through the basic setup, and probably accidentally changed some things I should not have changed.

I just read that document page, and it makes me think there is potentially a pretty big security issue then. The green network is currently showing my WAN IP, other than this I only have a disabled blue network.

If I understand correctly, the risk shouldn’t be too big, that WAN is considered “green”, because my NethServer isn’t acting as a firewall or handling networks for any other servers.

However, it seems that it would be best to add a Green interface with a static local IP (like 127.0.0.1?) and then change the existing Green interface with my WAN IP to a Red interface. Am I understanding correctly, or will this totally break my server?

There’s a wiki article about creating a virtual green interface on a VPS:

https://wiki.nethserver.org/doku.php?id=virtual_network_interface

Thanks - I’ll separate the network issue into another task.

I tried the Shorewall config and I still get spam. I have also adjusted my main eth (with a WAN IP) to be red and added another green interface for LAN.


Thanks to @mrmarkuz for helping figure this one out. I’m doing my hosting on Hetzner, and it seems they do some customizations to the base CentOS image which can conflict with NethServer (more on that later).

The CentOS image on Hetzner makes a change to the standard Kernel logging settings which causes Shorewall messages to be put directly in the console, instead of in /var/log/messages where they belong.

To fix it, edit /etc/sysctl.conf and add this at the end:

kernel.printk = 4 4 1 7

And then activate it by running sysctl -p

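As an added illustration of why the kernel.printk fix works (this is not code from the thread or from NethServer): the kernel writes a message to the console only when its severity is numerically lower than the first field of kernel.printk (console_loglevel), independent of any rsyslog rule. The script below assumes Shorewall's policy log level is "info" (level 6), which is the common default; the printk values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: predict whether kernel log messages of a given syslog
# severity reach the VPS console under a given kernel.printk setting.
# Not from the thread; the values used below are constructed.

# Map a syslog severity name (or digit) to its numeric level, 0 = emerg .. 7 = debug.
level_num() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        [0-7]) echo "$1" ;;
        *) echo "unknown level: $1" >&2; return 1 ;;
    esac
}

# $1: kernel.printk value "console_loglevel default_message_loglevel minimum default_console"
# $2: severity of the message (Shorewall LOG rules commonly use "info").
# Prints "console" if the kernel would write the message to the console,
# "suppressed" otherwise. Only levels strictly below console_loglevel print.
console_fate() {
    console_loglevel=$(echo "$1" | awk '{print $1}')
    msg=$(level_num "$2") || return 1
    if [ "$msg" -lt "$console_loglevel" ]; then
        echo console
    else
        echo suppressed
    fi
}

# Report the running host's setting; /proc uses tabs between the four fields.
current_printk() {
    if [ -r /proc/sys/kernel/printk ]; then
        tr '\t' ' ' < /proc/sys/kernel/printk
    else
        echo "7 4 1 7"   # constructed fallback: the usual CentOS 7 default
    fi
}

# Stand-alone demonstration: stock default vs. the thread's fix.
echo "default (7 4 1 7), Shorewall info: $(console_fate '7 4 1 7' info)"
echo "fix     (4 4 1 7), Shorewall info: $(console_fate '4 4 1 7' info)"
echo "fix     (4 4 1 7), kernel err:     $(console_fate '4 4 1 7' err)"
echo "this host: $(current_printk)"
```

Note that lowering console_loglevel only changes what the console shows; the same messages still reach rsyslog and /var/log/messages, where a defender wants the Shorewall drops to remain.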