LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Firewall - how to read log?

Dermot Hanley dhanley at irish-times.com
Wed Jan 19 01:16:58 GMT 2000


Hi,

> ok, so I'm playing around with firewalling. I've found plenty of docs for
> it, so I'm almost sure I'll get that firewall running at some stage...
> However, up until now I haven't found any doc explaining how to read the
> entries in /var/log/messages that the logging/accounting rules make.
> Let's take for example this one:
>
> Jan 17 02:10:43 esme kernel: IP fw-in rej ppp0 UDP
> 205.188.153.100:4000 DYN_IP_ADDR:61001 L=38 S=0x00 I=60994 F=0x0040 T=237
>
> Now, how do I interpret that? Is this interpretation correct:

rejected inbound UDP packet on interface ppp0 from 205.188.153.100 with a
source port of 4000 going to port 61001 of DYN_IP_ADDR, okay that's
straightforward enough, now the rest...

L=38 : the packet was of total length 38 bytes
S=0x00 : this is the type of service (TOS), in this case it's of routine
precedence, with normal delay, normal throughput, and normal reliability.
I=60994 : this is the ID of the datagram to which this fragment belongs.
F=0x0040 : this indicates where in the datagram this fragment belongs, this
fragment lies 64 units (512 bytes) into the datagram.
T=237 : this is time to live (TTL) which is the maximum time the packet is
allowed to remain in the internet system, in this case it's 237 seconds
(after which it should be destroyed/dropped).

I hope this helps, though I suggest reading up on TCP, UDP, and IP paying
particular attention to the header fields of each.

Regards,
Dermot
--
Dermot Hanley, Systems & Network Administrator
The Irish Times New Media Division - http://www.ireland.com/
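
A small parser for the log line discussed in this thread, added here as an example; it is not part of the original post or of any kernel tooling. It splits the line into named fields and decodes S and F using the RFC 791 bit layout. The function names and the `byte_swapped` switch are this example's own assumptions, the switch because the page does not say which byte order the kernel used when printing F.

```python
import re

# Layout of the "IP fw-..." kernel log line quoted in the thread (TCP/UDP form with ports).
LOG_RE = re.compile(
    r"IP fw-(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) (?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ident>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

def decode_tos(tos):
    """RFC 791 type-of-service octet: 3 precedence bits, then D, T, R flags."""
    return {"precedence": tos >> 5, "low_delay": bool(tos & 0x10),
            "high_throughput": bool(tos & 0x08), "high_reliability": bool(tos & 0x04)}

def decode_frag(word, byte_swapped=False):
    """RFC 791 16-bit word: DF flag, MF flag, 13-bit offset in 8-byte units.

    byte_swapped=True swaps the two bytes first (assumption: covers a kernel
    that printed the header field without converting it to host byte order).
    """
    if byte_swapped:
        word = ((word & 0xFF) << 8) | (word >> 8)
    return {"df": bool(word & 0x4000), "mf": bool(word & 0x2000),
            "offset_bytes": (word & 0x1FFF) * 8}

def parse_line(line, byte_swapped=False):
    """Return the decoded fields of one firewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"], "action": f["action"], "iface": f["iface"],
        "proto": f["proto"], "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "length": int(f["length"]), "ident": int(f["ident"]), "ttl": int(f["ttl"]),
        "tos": decode_tos(int(f["tos"], 16)),
        "frag": decode_frag(int(f["frag"], 16), byte_swapped),
    }

# The log entry from the thread, rejoined onto one line.
SAMPLE = ("Jan 17 02:10:43 esme kernel: IP fw-in rej ppp0 UDP "
          "205.188.153.100:4000 DYN_IP_ADDR:61001 L=38 S=0x00 I=60994 F=0x0040 T=237")

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print(parse_line(SAMPLE, byte_swapped=True)["frag"])
```

Read at face value, F=0x0040 decodes to an offset of 512 bytes with no flags set; with the bytes swapped it decodes to the Don't Fragment flag with offset 0.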




