# Shorewall & syslog-ng: Disable logging for specific port

## trumee

Hi,

I am getting a lot of hits from computers originating from source port 137. I guess this is some sort of Windows thing. Because of this my log file is collecting a lot of junk; an excerpt is below:

```
Jun  3 12:01:12 sim Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:18:14:d3:5f:e3:00:50:fa:34:27:30:18:00 SRC=131.100.120.177 DST=131.100.120.166 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=35411 PROTO=UDP SPT=137 DPT=32973 LEN=70
```

Relevant portion of my syslog-ng.conf is:

```
};

# Log Shorewall messages into separate file
source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source kernsrc { file("/proc/kmsg"); };

destination d_shorewall_warn
{
  file ("/var/log/shorewall/warn.log"
        owner(mb)
        group(root)
  );
};

destination d_shorewall_info
{
  file ("/var/log/shorewall/info.log"
        owner(mb)
        group(root)
  );
};

filter f_shorewall_warn
{
  level (warn) and match ("Shorewall");
};

filter f_shorewall_info
{
  level (info) and match ("Shorewall");
};

log
{
  source (src);
  filter (f_shorewall_warn);
  destination (d_shorewall_warn);
  flags(final);
};

log
{
  source (src);
  filter (f_shorewall_info);
  destination (d_shorewall_info);
  flags(final);
};
```

How can I disable logging of connections originating from port 137? Does dropping packets like above reduce my Samba functionality?

Thanks

----------

## primero.gentoo

I think you have to disable logging in Shorewall and not in Syslog.

What version of shorewall are you using?

If I remember well, you specify what to log in this way:

```
IN RULES
.....
ACTION:LOG-LEVEL     SOURCE     DST     SRCPORT   DSTPORT ....
.....

And in Policy
ACTION     SRC-ZONE    DST-ZONE      LOG-LEVEL
```

From your output it seems that the packet is matched by the "net2all" policy configuration, which has Log-Enabled by default.

So you could try to match all 137-related traffic with a specific rule in your rules file, deny or accept it, and specify no log level. This way you should solve your problem.

Bye

----------

## trumee

Thanks for your response. I am not sure how to disable logging for a specific port. Can you please suggest what modification I should make?

Here are my files:

/etc/shorewall/rules

```
#ALLOW STANDARD SERVICES INTO THE BOX
ACCEPT          net     fw      icmp    8
ACCEPT          net     fw      tcp     ssh
ACCEPT          net     fw      tcp     10000 #Webmin
ACCEPT          net     fw      tcp     http
ACCEPT          net     fw      tcp     ftp
ACCEPT          fw      net     udp     53     # DNS
ACCEPT          fw      net     tcp     53     # DNS

# The next 4 lines open the box for share browsing, authentication
# and other MS stuff.
# Some of these may not be necessary but the example system is on a
# secure and "friendly" internal network where exploit concerns are low.
ACCEPT          net     fw      tcp     137,138,139,445
ACCEPT          net     fw      udp     137,138,139,445
ACCEPT          fw      net     tcp     137,138,139,445
ACCEPT          fw      net     udp     137,138,139,445

#ACCESS TO WINS SERVER
ACCEPT          fw      net     tcp     1512
ACCEPT          fw      net     udp     1512

#ENABLE GNOMEMEETING
ACCEPT          net     fw      tcp     1720
ACCEPT          net     fw      tcp     30000:30010
ACCEPT          net     fw      udp     5000:5003

#Bittorrent
ACCEPT          net     fw      tcp     6969
ACCEPT          net     fw      tcp     6881:6889
```

/etc/shorewall/policy

```
fw              net             ACCEPT
net             all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
```

----------

## mach.82

In your /etc/shorewall/rules file, try:

```
DROP net all udp 137
```

----------
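
Added example, not part of the thread and not Shorewall's own code: a simplified Python model of how a rules-file line (`ACTION[:LOG-LEVEL] SOURCE DEST PROTO DEST-PORT(S) SOURCE-PORT(S)`) is matched against the logged packet, showing whether a rule with no log level catches it or it falls through to the logging `net all DROP info` policy. It assumes numeric ports only and takes the zones from the `net2all` chain name; the `- 137` rule, which puts 137 in the source-port column to match the `SPT=137` seen in the log, is a variant added here for comparison.

```python
import re

# Constructed sample: the log line quoted in the first post, MAC field omitted.
LOG_LINE = ("Jun  3 12:01:12 sim Shorewall:net2all:DROP:IN=eth0 OUT= "
            "SRC=131.100.120.177 DST=131.100.120.166 LEN=90 TOS=0x00 TTL=128 "
            "ID=35411 PROTO=UDP SPT=137 DPT=32973 LEN=70")
THREAD_RULE = "DROP net all udp 137"    # as posted: 137 sits in the DEST PORT(S) column
SPORT_RULE = "DROP net all udp - 137"   # added variant: '-' for dest port, 137 as SOURCE PORT(S)

def parse_packet(line):
    """Pull zones (from the chain name), protocol and ports out of a Shorewall log line."""
    chain = re.search(r"Shorewall:(\w+?)2(\w+):", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"src": chain.group(1), "dst": chain.group(2), "proto": fields["PROTO"].lower(),
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"])}

def port_match(spec, port):
    """Match a port column: '-' (any), a list '137,138' or a range '6881:6889'."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def zone_match(rule_zone, pkt_zone):
    """A zone matches when either side is 'all' or both names are equal."""
    return "all" in (rule_zone, pkt_zone) or rule_zone == pkt_zone

def verdict(rules, policy, pkt):
    """Return (action, log_level) from the first matching rule, else from the policy."""
    for rule in rules:
        cols = rule.split("#")[0].split()
        if not cols:
            continue
        cols += ["-"] * (6 - len(cols))           # omitted trailing columns match anything
        target, src, dst, proto, dport, sport = cols[:6]
        action, _, level = target.partition(":")  # ACTION[:LOG-LEVEL]
        if (zone_match(src, pkt["src"]) and zone_match(dst, pkt["dst"])
                and proto in (pkt["proto"], "-", "all")
                and port_match(dport, pkt["dport"]) and port_match(sport, pkt["sport"])):
            return action, level or None          # no log level: nothing is logged
    return policy                                 # e.g. ("DROP", "info") for "net all DROP info"

if __name__ == "__main__":
    pkt = parse_packet(LOG_LINE)
    for rule in (THREAD_RULE, SPORT_RULE):
        print(f"{rule!r:28} -> {verdict([rule], ('DROP', 'info'), pkt)}")
```

A result with log level `None` means the packet is handled silently by a rule; a result equal to the policy tuple means it still reaches the policy and is logged at `info`.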

