[KLUG Members] Shorewall.log file analysis help
Bob Kanaley
members@kalamazoolinux.org
Fri, 22 Aug 2003 14:27:04 -0500
Firewall Pro's,
I just plugged a "small business" broadband cable Internet modem into my
network Wednesday afternoon. For the firewall I put together an LRP/LEAF
Bering 1.2 Shorewall 1.4 firewall ala two interfaces with dnscache, and
weblet on an old 333MHz Celeron with 48MB ram.
Thursday morning I connected to the firewall administrative weblet for the
first time.
I was greeted with the following firewall warning message:
Thu Aug 21 10:59:57 UTC 2003 firewall Firewall Status:warn. You have 23
denied or rejected packets in your recent packet logs.
I clicked on Shorewall.log for details and found some rather cryptic
messages.
I can pretty much read the log file entries, but since I am not well
schooled on interpreting the fields in TCP/IP packets and I couldn't find
any immediate references to the labels used in the log file entries, I could
use a little help interpreting the fields and their relative significance.
If one of you Shorewall experts could help me understand a couple of these
entries and give me a few clues on things to watch for, I think I can handle
it from there.
Take for example the first log file entry under messages concerning the
firewall. It appears to simply be a packet that was dropped because someone
was probing the firewall for the existence of an ftp server that could be
exploited. But, I don't understand the meaning or significance of several
fields, so I don't know if I need to pay any attention to them now or for
other situations. If you could enlighten me I would greatly appreciate it.
::messages concerning the firewall::
Aug 21 06:50:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=203.121.145.128
DST=12.249.253.250 LEN=60 TOS=00 PREC=0x00 TTL=43 ID=28287 DF PROTO=TCP
SPT=37249 DPT=21 SEQ=1649670468 ACK=0 WINDOW=5840 SYN URGP=0
As best I can tell, this entry appears to break down something like the
following:
Aug 21 06:50:01 The time of log file entry
firewall The name of firewall computer
Shorewall:net2all:DROP: Firewall program name:chain name:action taken
IN=eth0 The packet came in to the firewall from eth0
OUT= MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 The MAC address packet
destination
SRC=203.121.145.128 The IP address of the packet source host
DST=12.249.253.250 The IP address of the packet destination (eth0)
LEN=60 The length of this IP packet in bytes?
TOS=00 ?
PREC=0x00 ?
TTL=43 Time To Live=43 router hops, then send a packet dropped message back
to the source IP
ID=28287 ID number of this particular packet?
DF PROTO=TCP Default Protocol=Transmission Control Protocol?
SPT=37249 Source Port number randomly chosen by sender
DPT=21 Destination Port number used by ftp listening daemon
SEQ=1649670468 Random number generated by sending host then incremented
each packet
ACK=0 Acknowledge flag not set, so probably first packet sent
WINDOW=5840 ?
SYN URGP=0 Syn flag modifier?
TIA.
Bob
Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk@agdia.com
http://www.agdia.com
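As an added example (not from the post and not part of Shorewall or LEAF), here is a small Python parser for log lines in this format. The first sample line is the entry quoted above; the other two are constructed in the same format (198.51.100.7 is a documentation address) so the per-port summary has more than one entry to count.

```python
import re
from collections import Counter

# Line 1 is the entry quoted in the post; lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
    "Aug 21 06:50:01 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
    "MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=203.121.145.128 "
    "DST=12.249.253.250 LEN=60 TOS=00 PREC=0x00 TTL=43 ID=28287 DF PROTO=TCP "
    "SPT=37249 DPT=21 SEQ=1649670468 ACK=0 WINDOW=5840 SYN URGP=0",
    "Aug 21 07:12:44 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
    "MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=198.51.100.7 "
    "DST=12.249.253.250 LEN=48 TOS=00 PREC=0x00 TTL=112 ID=4711 DF PROTO=TCP "
    "SPT=3201 DPT=135 WINDOW=16384 SYN URGP=0",
    "Aug 21 07:13:02 firewall Shorewall:net2all:DROP: IN=eth0 OUT= "
    "MAC=00:01:02:70:3e:0e:00:50:57:00:f3:25:08:00 SRC=198.51.100.7 "
    "DST=12.249.253.250 LEN=78 TOS=00 PREC=0x00 TTL=112 ID=4712 PROTO=UDP "
    "SPT=1029 DPT=137 LEN=58",
]

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+): (?P<rest>.*)$")
# Tokens the kernel writes bare (no '=') only when the corresponding bit is set.
BARE_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}

def parse_entry(line):
    """Split one Shorewall/netfilter LOG line into a dict of fields plus a set of flags."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "chain": m["chain"],
           "action": m["action"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)   # first LEN (IP total length) wins over a later UDP LEN
        elif tok in BARE_TOKENS:
            rec["flags"].add(tok)      # bare ACK is the flag; ACK=n is the ack number
    return rec

def describe(rec):
    """One-line reading of an entry, in the spirit of the field breakdown in the post."""
    proto, flags = rec.get("PROTO", "?"), rec["flags"]
    how = f"{proto} packet"
    if proto == "TCP":
        how += (" (new connection attempt: SYN without ACK)"
                if "SYN" in flags and "ACK" not in flags
                else " with flags " + ",".join(sorted(flags - {"DF", "MF", "CE"})))
    return (f"{rec['action']} in {rec['chain']}: {how} from {rec['SRC']}:{rec.get('SPT', '?')} "
            f"to {rec['DST']}:{rec.get('DPT', '?')} on {rec['IN']}, TTL {rec.get('TTL', '?')}")

def port_summary(lines):
    """Count dropped/rejected entries per (PROTO, DPT): which services are being probed."""
    counts = Counter()
    for line in lines:
        rec = parse_entry(line)
        if rec and rec["action"] in ("DROP", "REJECT"):
            counts[(rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts
```

Running `port_summary` over a day's Shorewall.log turns the 23-entry warning into a short table of destination ports, which is usually the first thing worth looking at.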