[KLUG Members] Shorewall.log file analysis help

Bob Kanaley members@kalamazoolinux.org
Fri, 22 Aug 2003 14:27:04 -0500


Firewall Pros,

I just plugged a "small business" broadband cable Internet modem into my
network Wednesday afternoon. For the firewall I put together an LRP/LEAF
Bering 1.2 Shorewall 1.4 firewall ala two interfaces with dnscache, and
weblet on an old 333MHz Celeron with 48MB ram.

Thursday morning I connected to the firewall administrative weblet for the
first time.

I was greeted with the following firewall warning message:

Thu Aug 21 10:59:57 UTC 2003  firewall Firewall Status:warn. You have 23
denied or rejected packets in your recent packet logs.

I clicked on Shorewall.log for details and found some rather cryptic
messages.

I can pretty much read the log file entries, but since I am not well
schooled on interpreting the fields in TCP/IP packets and I couldn't find
any immediate references to the labels used in the log file entries, I could
use a little help interpreting the fields and their relative significance.

If one of you Shorewall experts could help me understand a couple of these
entries and give me a few clues on things to watch for, I think I can handle
it from there.

Take for example the first log file entry under messages concerning the
firewall. It appears to simply be a packet that was dropped because someone
was probing the firewall for the existence of an ftp server that could be
exploited. But, I don't understand the meaning or significance of several
fields, so I don't know if I need to pay any attention to them now or for
other situations. If you could enlighten me I would greatly appreciate it.

::messages concerning the firewall::
Aug 21 06:50:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=203.121.145.128
DST=12.249.253.250 LEN=60 TOS=00 PREC=0x00 TTL=43 ID=28287 DF PROTO=TCP
SPT=37249 DPT=21 SEQ=1649670468 ACK=0 WINDOW=5840 SYN URGP=0

As best I can tell, this entry appears to break down something like the
following:

Aug 21 06:50:01 	The time of log file entry
firewall 	The name of firewall computer
Shorewall:net2all:DROP: 	Firewall program name:chain name:action taken
IN=eth0 	The packet came in to the firewall from eth0
OUT= MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00	The MAC address packet
destination
SRC=203.121.145.128 	The IP address of the packet source host
DST=12.249.253.250 	The IP address of the packet destination (eth0)
LEN=60 	The length of this IP packet in bytes?
TOS=00 	?
PREC=0x00 	?
TTL=43 	Time To Live=43 router hops, then send a packet dropped message back
to the source IP
ID=28287 	ID number of this particular packet?
DF PROTO=TCP 	Default Protocol=Transmission Control Protocol?
SPT=37249 	Source Port number randomly chosen by sender
DPT=21 	Destination Port number used by ftp listening daemon
SEQ=1649670468 	Random number generated by sending host then incremented
each packet
ACK=0 	Acknowledge flag not set, so probably first packet sent
WINDOW=5840 	?
SYN URGP=0	Syn flag modifier?

TIA.

Bob

Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk@agdia.com
http://www.agdia.com
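As an added example (not part of Bob's post or of the Shorewall project's own code), a small Python parser that splits a Shorewall/netfilter log entry of the kind quoted above into its header, its key=value fields and its bare flag tokens (DF, SYN), and splits the MAC= field into destination MAC, source MAC and EtherType. The sample line is the net2all DROP entry from the post, joined onto one line; the function names are this example's own.

```python
import re

# Constructed sample: the net2all DROP entry quoted in the post, on one line.
SAMPLE = ("Aug 21 06:50:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
          "MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=203.121.145.128 "
          "DST=12.249.253.250 LEN=60 TOS=00 PREC=0x00 TTL=43 ID=28287 DF PROTO=TCP "
          "SPT=37249 DPT=21 SEQ=1649670468 ACK=0 WINDOW=5840 SYN URGP=0")

# Tokens netfilter emits without '=': IP-header flags and TCP flags.
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+): (?P<rest>.*)$")

def parse_shorewall_line(line):
    """Return a dict with timestamp/host/chain/action, a 'fields' dict of the
    key=value items and a 'flags' set of bare tokens; None if not a match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"],
           "chain": m["chain"], "action": m["action"],
           "fields": {}, "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec["fields"][k] = v        # OUT= is kept as an empty string
        elif tok in BARE_FLAGS:
            rec["flags"].add(tok)       # ACK here is the flag, ACK=0 the number
    return rec

def split_mac_field(mac):
    """netfilter's MAC= is dst MAC : src MAC : EtherType (14 bytes, colon-separated)."""
    parts = mac.split(":")
    return {"dst_mac": ":".join(parts[0:6]),
            "src_mac": ":".join(parts[6:12]),
            "ethertype": ":".join(parts[12:14])}

def describe(rec):
    """One-line triage summary: which port was hit, and whether the packet was a
    fresh connection attempt (SYN set, ACK flag clear) rather than a stray reply."""
    f, flags = rec["fields"], rec["flags"]
    kind = "new-connection attempt" if "SYN" in flags and "ACK" not in flags else "other"
    return (f"{rec['action']} in {rec['chain']}: {f['SRC']}:{f['SPT']} -> "
            f"{f['DST']}:{f['DPT']} {f['PROTO']} ({kind}, TTL {f['TTL']})")
```

Running `describe(parse_shorewall_line(SAMPLE))` summarises the quoted entry as a dropped new-connection attempt to port 21.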