Gentoo Archives: gentoo-user

From: David Haller <gentoo@×××××××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Rationalizing log files
Date: Fri, 14 May 2021 23:58:18
Message-Id: 20210514234026.44vmh6ikbaumtuda@grusum.endjinn.de
In Reply to: [gentoo-user] Rationalizing log files by Walter Dnes
Hello,

On Thu, 13 May 2021, Walter Dnes wrote:
[..]
> And maybe either stop logging Facebook, or else log iptables messages
> to a separate file (how is that done?). The Facebook tracker messages
> are generated by iptables rules...
>
> -A INPUT -s 31.13.24.0/21 -j FECESBOOK
> -A INPUT -s 31.13.64.0/18 -j FECESBOOK
[..]
> -A OUTPUT -d 31.13.24.0/21 -j FECESBOOK
> -A OUTPUT -d 31.13.64.0/18 -j FECESBOOK

FWIW:

For one: why not filter the iptables messages into a separate logfile?

E.g. for syslog-ng (you'll need to add the filter to the other
filters/logs; having it in the filters, you can use those
more intuitively):

====
filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
filter f_console { ... and not filter(f_iptables); };
filter f_messages { ... and not filter(f_iptables); };
filter f_warn { ... and not filter(f_iptables); };
[..]
log { source(src); source(chroots); filter(f_messages); destination(messages); };

# Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };
====

You might be logging more specifically, so you could add more specific
filters. That's what those filters (and log-prefixes in iptables) are
for after all :)

Also add a matching logrotate entry:

====
/var/log/firewall {
delaycompress
missingok
notifempty
size +4096k
sharedscripts
postrotate
/etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
endscript
}
====

or some such, as /etc/logrotate.d/firewall (or however you name your
iptables logfile).

And second, how about setting up a local dnsmasq to send all fb-crap
to NXDOMAIN on the DNS level?

==== dnsmasq.conf or e.g. /etc/dnsmasq.d/blocklist.conf [1] ====
address=/fb.com/
address=/fb.me/
address=/facebook.net/
address=/facebook.de/
address=/facebook.fr/
address=/facebook.co.uk/
address=/facebook.com/
address=/fbcdn.net/
address=/instagram.com/
address=/instagram.de/
address=/whatsapp.de/
address=/whatsapp.com/
address=/whatsapp.net/
====

That has the effect that all (sub-)domains with those names give
NXDOMAIN, i.e. are non-existent. Compare to:

$ nslookup there.is.no.such.domain.invalid

Depending on what sites you visit, you might add more domains like
e.g. facebook.ca, facebook.mx, facebook.es or whatever fb-domains
sites that you visit include...

Just as ideas,
-dnh

[1] you'll need a matching conf-dir or conf-file directive, preferably
at the end of the main /etc/dnsmasq.conf. I use:
====
conf-dir=/etc/dnsmasq.d,*.conf
====
which includes all *.conf files from /etc/dnsmasq.d/ (and ignores
other files there like *.conf~ or Makefile or whatnot), so you can
be creative and e.g. generate your blocklist from a simple list of
domains ;) E.g.:
==== /etc/dnsmasq.d/Makefile
all: blocklist.conf
# one domain per line in blocklist.conf.in; sort -u drops duplicates,
# sed wraps each line as address=/domain/ (recipe line must start with a tab)
blocklist.conf: blocklist.conf.in
	sort -u $< | sed 's@\(.*\)@address=/&/@' > $@
====

You get the ideas ;) (and if not: ask!)

--
Of course. Anything with more than 2 buttons is too complex. This includes
things with 2 or less buttons. This may include clothing. -- Satya
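Added example (not part of David Haller's mail or of syslog-ng): the f_iptables filter and the two log{} statements above, re-done in Python over a handful of constructed kernel/auth lines, so you can see which lines end up in /var/log/firewall, what an iptables LOG line splits into (the --log-prefix, the KEY=VALUE fields, the bare flag tokens such as DF/SYN), and which of them touch the FECESBOOK ranges quoted from Walter's rules. The sample lines, the host name and the addresses in them are made up; only the two prefixes are from the mail.

```python
import ipaddress

# Address ranges copied from the iptables rules quoted in the mail.
FB_RANGES = [ipaddress.ip_network(n) for n in ("31.13.24.0/21", "31.13.64.0/18")]

# Constructed sample input (not captured from a real box).  syslog-ng hands
# its filters a facility plus the message text, so that is what we model.
SAMPLE = [
    ("kern", "FECESBOOK: IN= OUT=eth0 SRC=192.0.2.10 DST=31.13.24.5 LEN=60 "
             "TTL=64 ID=1234 DF PROTO=TCP SPT=44312 DPT=443 SYN URGP=0"),
    ("kern", "FECESBOOK: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
             "SRC=31.13.70.36 DST=192.0.2.10 LEN=52 TTL=50 PROTO=TCP SPT=443 DPT=44312 ACK"),
    ("kern", "IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51234 DPT=22 SYN"),
    ("kern", "usb 1-1: new high-speed USB device number 4 using ehci-pci"),
    ("auth", "sshd[1234]: Accepted publickey for dnh from 198.51.100.7 port 51234 ssh2"),
]


def is_iptables(facility, message):
    """Python twin of
        filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
    syslog-ng's message() is a regex match; for these fixed strings a substring
    test is equivalent.  Caveat: ANY kernel line carrying both substrings
    matches, whether or not it came from an iptables LOG rule."""
    return facility == "kern" and "IN=" in message and "OUT=" in message


def parse_iptables(message):
    """Split an iptables LOG line into its --log-prefix and KEY=VALUE fields.
    Bare tokens (DF, SYN, ACK, ...) are collected as flags; empty values such
    as IN= on an OUTPUT-chain line are kept as ''."""
    tokens = message.split()
    # The prefix is everything before the first KEY=VALUE token (IN= comes first).
    first = next((i for i, t in enumerate(tokens) if "=" in t), len(tokens))
    rec = {"prefix": " ".join(tokens[:first]), "flags": []}
    for tok in tokens[first:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def route(entries):
    """Mimic the two log{} statements: iptables lines go to the firewall
    destination, everything else stays in messages (whose filter carries
    'not filter(f_iptables)')."""
    out = {"firewall": [], "messages": []}
    for facility, message in entries:
        out["firewall" if is_iptables(facility, message) else "messages"].append(message)
    return out


def fb_hits(entries):
    """Return the parsed iptables records whose SRC or DST lies in FB_RANGES,
    i.e. the lines the FECESBOOK rules would have produced."""
    hits = []
    for facility, message in entries:
        if not is_iptables(facility, message):
            continue
        rec = parse_iptables(message)
        addrs = [ipaddress.ip_address(rec[k]) for k in ("SRC", "DST") if rec.get(k)]
        if any(a in net for a in addrs for net in FB_RANGES):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    routed = route(SAMPLE)
    print(f"{len(routed['firewall'])} line(s) to /var/log/firewall, "
          f"{len(routed['messages'])} line(s) stay in messages")
    for rec in fb_hits(SAMPLE):
        print(f"{rec['prefix']} {rec['SRC']} -> {rec['DST']} "
              f"{rec.get('PROTO')}/{rec.get('DPT')} flags={rec['flags']}")
```

The parse is what a narrower syslog-ng filter would key on: once you log with a prefix, `message("^FECESBOOK: ")` (or match(...) on the prefix) is a tighter test than the generic IN=/OUT= pair and lets you give the Facebook noise its own destination without catching every other LOG rule.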
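Added example (not part of the mail, and not dnsmasq code): a Python generator for the blocklist, doing what the Makefile's `sort -u | sed` recipe does (it goes a little further by dropping blank and `#` lines and lower-casing), plus a resolver stand-in that applies dnsmasq's address=/domain/ matching rules, so you can check the "(sub-)domains" claim on an input before loading it. The input list is constructed; the matching semantics (whole labels only, the more specific entry wins, no address means NXDOMAIN) are dnsmasq's.

```python
# Constructed input (the blocklist.conf.in of the Makefile above), with a
# duplicate and a comment line to show what the generator has to cope with.
BLOCKLIST_IN = """\
# domains to send to NXDOMAIN
facebook.com
fbcdn.net
fb.com
facebook.com
instagram.com
"""


def render_blocklist(domains_text):
    """Equivalent of the Makefile's 'sort -u | sed': one address=/domain/ line
    per unique domain.  Goes beyond the sed one-liner by skipping blank and
    '#' comment lines and lower-casing.  Order is irrelevant to dnsmasq
    (Python sorts by code point; sort -u follows the locale)."""
    domains = {line.strip().lower() for line in domains_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return "".join(f"address=/{d}/\n" for d in sorted(domains))


def parse_address_lines(conf_text):
    """Read dnsmasq address= lines into {domain: answer}.  The general form is
    address=/dom1/dom2/ipaddr; with the address left off (as in the blocklist
    above) dnsmasq answers NXDOMAIN, recorded here as the string 'NXDOMAIN'."""
    table = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("address=/"):
            continue
        parts = line[len("address="):].split("/")   # '/fb.com/' -> ['', 'fb.com', '']
        answer = parts[-1] or "NXDOMAIN"
        for dom in parts[1:-1]:
            if dom:
                table[dom.lower().rstrip(".")] = answer
    return table


def resolve(name, table):
    """What the table makes dnsmasq answer for name: 'NXDOMAIN', a fixed
    address, or None when nothing matches and the query is forwarded upstream.
    dnsmasq matches whole labels, so fb.com covers www.fb.com but not
    myfb.com, and the longest (most specific) matching entry wins."""
    labels = name.rstrip(".").lower().split(".")
    best = None
    for dom, answer in table.items():
        dl = dom.split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            if best is None or len(dl) > len(best[0]):
                best = (dl, answer)
    return best[1] if best else None


if __name__ == "__main__":
    conf = render_blocklist(BLOCKLIST_IN)
    print(conf, end="")
    table = parse_address_lines(conf)
    for q in ("www.facebook.com", "fb.com", "myfb.com", "facebook.com.example.org"):
        print(f"{q:30} -> {resolve(q, table) or 'forwarded upstream'}")
```

The last two queries are the edge cases worth knowing: `myfb.com` is not covered because the match is label-wise, and `facebook.com.example.org` is not covered because the entry only matches at the end of the name, so a tracker host under another registered domain needs its own line.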