Firewall

ID #1061

Howto interpret firewall messages in your system log

How to interpret a message from the firewall in your logs:


Feb 23 07:37:01 - kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254


There is a LOT of information in this just one line. Let break out this example so refer back to the original firewall hit as you read this.

    * This firewall "hit" occurred on: "Feb 23 07:37:01"
* This hit occurred on the "IP" or TCP/IP protocol
* This hit came IN to ("fw-in") the firewall
* Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD
* This hit was then "rejECTED".
* Other logs can say "deny" or "accept"
* This firewall hit was on the "eth0" interface (Internet link)
* This hit was a "TCP" packet
* This hit came from IP address "12.75.147.174" on return port "1633".
* This hit was addressed to "100.200.0.212" to port "23" or TELNET.
* If you don't know that port 23 is for TELNET, look at your /etc/services file to see what other
ports are used for.

* This packet was "44" bytes long (L=44)
* This packet did NOT have any "Type of Service" (TOS) set
--Don't worry if you don't understand this; not required to know
* divide this by 4 to get the Type of Service for ipchains users
* This packet had the "IP ID" number of "54054"
--Don't worry if you don't understand this; not required to know

* This packet had a 16bit fragment offset including any TCP/IP packet
flags of "0x0040"
--Don't worry if you don't understand this; not required to know
* A value that started with "0x2..." or "0x3..." means the "More Fragments" bit was set
so more fragmented packet will be coming in to complete this one BIG packet.
* A value which started with "0x4..." or "0x5..." means that the "Don't Fragment" bit is set.
* Any other values is the Fragment offset (divided by 8) to be later used to recombine
 into the original LARGE packet

* This packet had a TimeToLive (TTL) of 254.
* Every hop over the Internet will subtract (1) from this number. Usually, packets will
start with a number of (255) and if that number ever reaches (0), it means that realistically
 the packet was lost and will be deleted.

Last update: 2004-12-01 20:48
Author: Dingetje
Revision: 1.0

Print this record Print this record
Send to a friend Send to a friend
Show this as PDF file Show this as PDF file
Export as XML-File Export as XML-File

Please rate this entry:

Average rating: 3 from 5 (3 Votes )

completely useless 1 2 3 4 5 most valuable

You cannot comment on this entry