[Techtalk] firewall log entry
Chris Wilson
chris+linuxchix at aptivate.org
Wed Sep 30 11:05:03 UTC 2009
Hi Nadine,
On Tue, 29 Sep 2009, Nadine Leenders wrote:
> I'm trying to decipher a firewall log entry (I've mangled hostname and
> IP info a little for privacy):
[...]
> Sep 25 15:59:42 saturn kernel: SFW2-INext-ACC-TCP IN=eth0 OUT=
> MAC=00:30:48:7f:6d:b6:00:30:48:7f:6d:60:08:00
>
> date, time, hostname, syslog level,
I think it's facility and not level (e.g. level would be warning,
critical, etc.)
> My confusion thus far is trying to figure out what SFW2-INext-ACC-TCP
> is (syslog level???).
I think it's the log prefix specified with the --prefix option to the LOG
target in your ruleset, e.g.:
$ sudo iptables -A INPUT -j LOG --help
...
LOG v1.3.8 options:
--log-level level Level of logging (numeric or see
syslog.conf)
--log-prefix prefix Prefix log messages with this prefix.
> And I haven't even started working on the last part since I've been busy
> with the first part, so clues for that too would be most appreciated.
> It also looks like I missed "DF" too.
DF is the Don't Fragment bit in the header, set to enable Path MTU
Discovery (PMTUD).
> WINDOW=5792
TCP window size, I think.
> RES=0x00
Reserved bits (not expected to be set) from the TCP flags byte.
> SYN
TCP SYN flag set.
> URGP=0
Urgent data pointer, no urgent data in this case.
> OPT (020405B40402080A14D702E613603EDF01030306)
TCP options dumped as raw bytes (probably would take an arch-mage to
decode this).
You can see the source for the module that writes this message at:
http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=blob;f=net/ipv4/netfilter/ipt_LOG.c;h=acc44c69eb68ffb972cedc569cf3222b5c92b255;hb=HEAD#l98
Cheers, Chris.
--
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
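As an added example (not part of Chris's reply, and not iptables or kernel code), here is a small Python parser for the kind of line quoted above: it splits the netfilter LOG prefix and KEY=VALUE fields from the bare flag tokens, then walks the OPT bytes as kind/length/value TCP options so the raw hex reads as MSS, SACK-permitted, timestamps, NOP and window scale. The sample line is constructed by joining the fragments quoted in the message.

```python
import re
import struct
# Constructed sample: the fragments quoted in the message above, joined into one line.
SAMPLE = ("Sep 25 15:59:42 saturn kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= "
          "MAC=00:30:48:7f:6d:b6:00:30:48:7f:6d:60:08:00 WINDOW=5792 RES=0x00 "
          "SYN URGP=0 OPT (020405B40402080A14D702E613603EDF01030306)")
# TCP option kinds (RFC 793, 2018, 7323) and struct formats for fixed-size bodies
OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK_PERM", 5: "SACK", 8: "TIMESTAMPS"}
OPTION_FMT = {2: "!H", 3: "!B", 8: "!II"}

def parse_log_line(line):
    """Split a netfilter LOG line into prefix, KEY=VALUE fields, bare flags, OPT bytes."""
    m = re.search(r"kernel: (\S+) (.*)$", line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    prefix, rest = m.groups()
    rec = {"prefix": prefix, "flags": []}
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", rest)
    if opt:
        rec["opt_bytes"] = bytes.fromhex(opt.group(1))
        rest = rest[:opt.start()] + rest[opt.end():]
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value          # OUT= yields an empty string
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK, ...
    return rec

def decode_tcp_options(data):
    """Walk the kind/length/value TCP options; returns a list of (name, value)."""
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                 # EOL: only padding follows
            out.append(("EOL", None)); break
        if kind == 1:                 # NOP: one byte, no length field
            out.append(("NOP", None)); i += 1; continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed option at offset %d" % i)
        body = data[i + 2:i + length]
        if kind in OPTION_FMT:        # MSS -> int, WSCALE -> int, TIMESTAMPS -> (TSval, TSecr)
            value = struct.unpack(OPTION_FMT[kind], body)
            value = value[0] if len(value) == 1 else value
        else:
            value = body.hex() or None
        out.append((OPTION_NAMES.get(kind, "KIND%d" % kind), value))
        i += length
    return out
```

For the quoted OPT bytes this yields MSS 1460, SACK permitted, a timestamp pair, a NOP and a window scale of 6, which is the usual option set on a Linux SYN.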