Firewall Log Messages: What Do They Mean?

To generate firewall logs, the kernel must be compiled with firewall logging enabled. By default, individually matched packets are logged as kern.warn (priority 4) messages. The log priority can be changed with the --log-level option to -j LOG. Most of the IP packet header fields are reported when a packet matches a rule with the LOG target. Firewall log messages are written to /var/log/messages by default.

You could duplicate the firewall log messages to a different file by creating a new log file and adding a line to /etc/syslog.conf:

kern.warn /var/log/fwlog

As a TCP example, this rule denying access to the portmap/sunrpc TCP port 111 would produce the following message in /var/log/messages:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --dport 111 -j LOG --log-prefix "DROP portmap: "

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --dport 111 -j DROP

Jun 19 15:24:16 firewall kernel: DROP portmap: IN=eth0 OUT=
    SRC=192.168.1.4 DST=192.168.1.2 LEN=60
    TOS=0x00 PREC=0x00 TTL=64 ID=57743 DF
    PROTO=TCP SPT=33926 DPT=111 WINDOW=5840

The log message fields are numbered for the purposes of discussion:

• Field 2 is the time the log was written, 15:24:16.

• Field 3 is the computer's hostname, firewall.

• Field 4 is the log facility generating the message, kernel.

• Field 5 is the log-prefix string defined in the LOG rule.

• Field 6 is the incoming network interface that the input rule is attached to, eth0.

• Field 7 is the outgoing interface, which has no value in a rule on the INPUT chain.

• Field 8 is the MAC address of the interface that the packet is arriving on, followed by eight pairs of garbage hexadecimal digits.

• Field 9 is the packet's source address, 192.168.1.4.

• Field 10 is the packet's destination address, 192.168.1.2.

• Field 11 is the IP packet's total length in bytes, LEN=60, including both the packet header and its data.

• Field 12 is the type of service (TOS) field's 3 service bits, plus a reserved trailing bit, TOS=0x00.

• Field 13 is the TOS field's top 3 precedence bits, PREC=0x00.

• Field 14 is the packet's time to live (TTL) field, TTL=64. Time to live is the maximum number of hops (that is, routers visited) remaining before the packet expires.

• Field 15 is the packet's datagram ID, ID=57743. The datagram ID is either the packet ID or the segment to which this TCP fragment belongs.

• Field 16 is the fragment flags field, indicating that the Don't Fragment (DF) bit is set.

• Field 17 is the message protocol type contained in the packet, PROTO=TCP. Field values include 6 (TCP), 17 (UDP), 1 (ICMP), and PROTO=<number> for other protocol types.

• Field 18 is the packet's source port, 33926.

• Field 19 is the packet's destination port, 111.

• Field 20 is the sender's window size, WINDOW=5840, which indicates the amount of data that it is willing to accept and buffer from this host at this time.

• Field 21 reports the reserved field in the TCP header. All 4 bits must be 0.

• Field 22 is the TCP state field. In this case, the SYN flag is set.

• Field 23 is the urgent pointer, which indicates the amount of data considered to be urgent. The field is 0 because the URG flag isn't set.

When interpreting the log message, the most interesting fields are these:

Jun 19 15:24:16 DROP portmap: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=TCP SPT=33926 DPT=111 SYN

This says that the dropped packet is a TCP packet coming in on the eth0 interface from an unprivileged port at 192.168.1.4. It was a TCP exchange targeted to this machine's (192.168.1.2) port 111, the sunrpc/portmap port. (This can be a common message because portmap historically is one of the most commonly targeted services.)

As a UDP example, this rule denying access to the portmap/sunrpc UDP port 111 would produce the following message in /var/log/messages:

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --dport 111 -j LOG --log-prefix "DROP portmap: "

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --dport 111 -j DROP

Jun 19 15:24:16 firewall kernel: DROP portmap: IN=eth0 OUT=
    SRC=192.168.1.4 DST=192.168.1.2 LEN=28
    TOS=0x00 PREC=0x00 TTL=40 ID=50655
    PROTO=UDP SPT=33926 DPT=111 LEN=8

The log message fields are numbered for the purposes of discussion:

• Field 2 is the time the log was written, 15:24:16.

• Field 3 is the computer's hostname, firewall.

• Field 4 is the log facility generating the message, kernel.

• Field 5 is the log-prefix string defined in the LOG rule.

• Field 6 is the incoming network interface to which the input rule is attached, eth0.

• Field 7 is the outgoing interface, which has no value in a rule on the INPUT chain.

• Field 8 is the MAC address of the interface that the packet is arriving on, followed by eight pairs of garbage hexadecimal digits.

• Field 9 is the packet's source address, 192.168.1.4.

• Field 10 is the packet's destination address, 192.168.1.2.

• Field 11 is the IP packet's total length in bytes, LEN=28, including both the packet header and its data.

• Field 12 is the TOS field's 3 service bits, plus a reserved trailing bit, TOS=0x00.

• Field 13 is the TOS field's top 3 precedence bits, PREC=0x00.

• Field 14 is the packet's TTL field, TTL=40. Time to live is the maximum number of hops (that is, routers visited) remaining before the packet expires.

• Field 15 is the packet's datagram ID, ID=50655.

• Field 16 is the message protocol type contained in the packet, PROTO=UDP. Field values include 6 (TCP), 17 (UDP), 1 (ICMP), and PROTO=<number> for other protocol types.

• Field 18 is the packet's destination port, 111.

• Field 19 is the length of the UDP packet, including both the header and data, LEN=8.

When interpreting the log message, the most interesting fields are these:

Jun 19 15:24:16 DROP portmap: IN=eth0 SRC=192.168.1.4 DST=192.168.1.2 PROTO=UDP SPT=33926 DPT=111

This says that the dropped packet is a UDP packet coming in on the eth0 interface from an unprivileged port at 192.168.1.4. It was a UDP exchange targeted to this machine's (192.168.1.2) port 111, the sunrpc/portmap port. (This can be a common message because portmap historically is one of the most commonly targeted services.)
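The field-by-field reading the chapter does by hand for both messages above, as an added example (not code from the book): a small Python parser that splits a kernel LOG line into its key=value fields and bare flag tokens, copes with the empty OUT= on the INPUT chain and the two LEN= fields of a UDP message, and rebuilds the "most interesting fields" summary. The sample lines are constructed from the chapter's TCP and UDP examples; the MAC= value and the trailing RES/SYN/URGP fields are filled in as assumptions.

```python
import re

# Constructed sample lines in the format the chapter describes (not captured traffic).
# The TCP line also carries the RES/SYN/URGP fields the chapter numbers as 21-23.
TCP_LINE = ("Jun 19 15:24:16 firewall kernel: DROP portmap: IN=eth0 OUT= "
            "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            "SRC=192.168.1.4 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
            "ID=57743 DF PROTO=TCP SPT=33926 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0")
UDP_LINE = ("Jun 19 15:24:16 firewall kernel: DROP portmap: IN=eth0 OUT= "
            "SRC=192.168.1.4 DST=192.168.1.2 LEN=28 TOS=0x00 PREC=0x00 TTL=40 "
            "ID=50655 PROTO=UDP SPT=33926 DPT=111 LEN=8")

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def parse_log_line(line):
    """Split one kernel LOG line into timestamp, host, prefix, key=value fields and flags."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a kernel syslog line")
    rest = m.group("rest")
    idx = rest.find("IN=")          # the --log-prefix string is everything before IN=
    if idx < 0:
        raise ValueError("no IN= field: not an iptables LOG message")
    fields, flags = {}, []
    for tok in rest[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in fields:       # UDP lines carry LEN= twice: IP total, then UDP length
                key += "2"
            fields[key] = val       # OUT= is legitimately empty on the INPUT chain
        else:
            flags.append(tok)       # DF, SYN, ACK, ... appear as bare tokens
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": rest[:idx].rstrip(), "fields": fields, "flags": flags}

def summarize(rec):
    """Rebuild the 'most interesting fields' line the chapter extracts from the message."""
    f = rec["fields"]
    parts = [rec["ts"], rec["prefix"], "IN=" + f["IN"], "SRC=" + f["SRC"],
             "DST=" + f["DST"], "PROTO=" + f["PROTO"]]
    if f["PROTO"] in ("TCP", "UDP"):
        parts += ["SPT=" + f["SPT"], "DPT=" + f["DPT"]]
    return " ".join(parts + [x for x in rec["flags"] if x != "DF"])  # DF is an IP flag

def from_unprivileged_port(rec):
    """True when the source port is above 1023, the 'unprivileged port' the text refers to."""
    return int(rec["fields"].get("SPT", "0")) > 1023
```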


Responses

  • donald
    What do linux firewall policies mean?
    8 months ago
  • ABEL
    What is unprivileged UDP packet log?
    4 months ago
