Re: Where is /dev/console in F8? --> iptables denial of nfs connection

--- "Kevin J. Cummings" <cummings@xxxxxxxxxxxxxxxxxx> wrote:

> Bob Kinney wrote:
> > --- Bob Kinney <bc98kinney@xxxxxxxxx> wrote:
> > OK, I figured out that xconsole will provide a console window, though I'm 
> > surprised that there isn't a default output for it.
> 
> IIRC, by default, /dev/console is VC1, because that's the console that
> the system boots up on.  If you Ctrl-Alt-F1, do you see any messages?
> 
> I usually run an xterm with the -C option to transfer the console to one
> of my X windows when I start X.  Yes, xconsole is another tool you can use.
> 
> > So I turned on kernel message logging to the console via the rsyslog.conf file.
> > When I try to nfs mount to this machine, though, it times out unless I
> > stop the iptables service.  When iptables is on I don't get any messages on the
> > console window, so I can't see the reason for the denial.  hmmph.
> 
> I don't know what level of message you are looking for, but you might
> try playing with your rsyslog.conf to log more messages to the console.
> By default, only critical or emergency messages go to the console,
> everything else goes to the log file only, or is suppressed unless you
> configure it.  You'll have to check your configuration file to be sure.
> In general, I'm disappointed at what actually gets logged sometimes.  I
> have programs die with no visible errors and nothing in my logs.  Kinda
> makes it a guessing game as to what went wrong.  OTOH, my logs are also
> full of useful information from other sources.
> 
> -- 
> Kevin J. Cummings
> kjchome@xxxxxxx
> cummings@xxxxxxxxxxxxxxxxxx
> cummings@xxxxxxxxxxxxxxxxxxxxxxx
> Registered Linux User #1232 (http://counter.li.org)
> 

My VC1 only shows a login prompt.  No additional messages were shown there.

I did, however, get messages on the xconsole window.

I modified my rsyslog.conf à la
http://www.iptablesrocks.org/guide/preparation.php
except that I left the default configuration's choice to output to
/dev/console:

-------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.debug;kern.info                                    /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


----

I restarted both rsyslogd and iptables, hoping that I would see messages
reflecting the apparent connection denials stemming from my system-generated
config:

-----------------
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

-----------

I still haven't got my brain around the whole iptables configuration, but right
off I notice that there are no directives to actually log anything.  Being a
rookie, I like to keep things as stock as possible (so as not to blow up the
GUI config program), so where would you put the LOG directive in this setup?

Regards,

--bobcat
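The placement question at the end of the message, worked through as an added example that is not part of this thread and not output of system-config-firewall. A LOG rule is non-terminating, so the place for it is the line directly above the chain's final REJECT: everything the ACCEPT rules above let through is untouched, and only traffic about to be rejected is logged. The script below takes text in the iptables-save format quoted above, inserts a rate-limited LOG rule before the REJECT of the named chain (RH-Firewall-1-INPUT is the chain name from the page; the "IPT-REJECT: " prefix and the 5/min limit are this example's choices), and then summarises the resulting kernel log lines by source, protocol and destination port. Both the trimmed rule set and the log lines are constructed samples, with placeholder addresses and ports.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, trimmed from the config quoted in
# the thread: the chain ends in a catch-all REJECT and contains no LOG rule.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed kernel log lines as the LOG target would emit them (placeholder
# addresses, MAC and ports), plus one unrelated line that must be ignored.
SAMPLE_LOG='Jan 12 10:22:41 server kernel: IPT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=50123 DPT=40001 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:22:41 server kernel: IPT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=UDP SPT=33400 DPT=40001 LEN=108
Jan 12 10:22:45 server kernel: IPT-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4330 DF PROTO=TCP SPT=50124 DPT=40001 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:23:02 server sshd[1234]: Accepted publickey for bob from 192.168.1.20 port 50200 ssh2'

# add_log_rule CHAIN: read iptables-save text on stdin and write it to stdout
# with one LOG rule inserted immediately before the first REJECT of CHAIN.
# The limit match keeps a flood of rejected packets from filling the console;
# --log-level info makes the lines kern.info, which the quoted rsyslog.conf
# already sends to /dev/console and /var/log/messages.
add_log_rule() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j REJECT/ && !done {
            print "-A " chain " -m limit --limit 5/min --limit-burst 10" \
                  " -j LOG --log-prefix \"IPT-REJECT: \" --log-level info"
            done = 1
        }
        { print }
    '
}

# check_log_position CHAIN: exit 0 only if a LOG rule of CHAIN is directly
# followed by that chain's REJECT rule, i.e. the placement described above.
check_log_position() {
    awk -v chain="$1" '
        prev ~ ("^-A " chain " .*-j LOG") && $0 ~ ("^-A " chain " .*-j REJECT") { ok = 1 }
        { prev = $0 }
        END { exit (ok ? 0 : 1) }
    '
}

# rejected_ports: read syslog lines on stdin, print one "SRC PROTO DPT" line
# per distinct combination seen in IPT-REJECT records.  The DPT column is the
# port the remote host was refused on, which is what the rule set is missing.
rejected_ports() {
    grep 'IPT-REJECT:' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (dpt != "") print src, proto, dpt
    }' | sort -u
}

# Stand-alone demonstration: the amended rule set, then the log summary.
printf '%s\n' "$SAMPLE_RULES" | add_log_rule RH-Firewall-1-INPUT
echo '---'
printf '%s\n' "$SAMPLE_LOG" | rejected_ports
```

On a Fedora box of that era the saved rules live in /etc/sysconfig/iptables, so the same transformation can be applied with `iptables-save | add_log_rule RH-Firewall-1-INPUT | iptables-restore`, or by editing that file and restarting the iptables service. The header of the quoted file warns that system-config-firewall rewrites it, so a hand-inserted LOG rule has to be checked again after the GUI tool is used. Once the rule is in place, the DPT values in the summary show which port the NFS client was refused on; with NFSv3 the mount and lock daemons are assigned ports through the portmapper unless they are pinned in /etc/sysconfig/nfs, which is why opening only 111 and 2049 is often not enough.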

