[Techtalk] firewall log entry

[Chris Wilson]

Hi Nadine,

On Tue, 29 Sep 2009, Nadine Leenders wrote:

> I'm trying to decipher a firewall log entry (I've mangled hostname and  
> IP info a little for privacy):
[...]
> Sep 25 15:59:42 saturn kernel: SFW2-INext-ACC-TCP IN=eth0 OUT=  
> MAC=00:30:48:7f:6d:b6:00:30:48:7f:6d:60:08:00
> 
>      date, time, hostname, syslog level,

I think it's facility and not level (e.g. level would be warning, 
critical, etc.)

> My confusion thus far is trying to figure out what SFW2-INext-ACC-TCP  
> is (syslog level???).

I think it's the log prefix specified with the --prefix option to the LOG 
target in your ruleset, e.g.:

$ sudo iptables -A INPUT -j LOG --help
...
LOG v1.3.8 options:
 --log-level level              Level of logging (numeric or see 
syslog.conf)
 --log-prefix prefix            Prefix log messages with this prefix.

> And I haven't even started working on the last part since I've been busy 
> with the first part, so clues for that too would be most appreciated.  
> It also looks like I missed "DF" too.

DF is the Don't Fragment bit in the header, set to enable Path MTU 
Discovery (PMTUD).

> WINDOW=5792

TCP window size, I think.

> RES=0x00

Reserved bits (not expected to be set) from the TCP flags byte.

> SYN

TCP SYN flag set.

> URGP=0

Urgent data pointer, no urgent data in this case.

> OPT (020405B40402080A14D702E613603EDF01030306)

TCP options dumped as raw bytes (probably would take an arch-mage to 
decode this).

You can see the source for the module that writes this message at:

http://git.kernel.org/?p=linux/kernel/git/next/linux-next.git;a=blob;f=net/ipv4/netfilter/ipt_LOG.c;h=acc44c69eb68ffb972cedc569cf3222b5c92b255;hb=HEAD#l98

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.