[NBLUG/talk] SuSEFirewall2 How to read the log file?

ME dugan at passwall.com
Thu Jul 10 22:32:00 PDT 2003


Micxz (lovedialup.com) said:
> Jul 10 21:27:40
date

> mars
host

> kernel:
logged from name

> SuSE-FW-DROP-DEFAULT
name of rule/group

> IN=ppp0
interface

> OUT=
not being routed, so no output interface.

> MAC=
Probably means from outside subnet so no MAC address included in log --
including it would mean the MAC of the subnet's gateway would be listed.
As a second guess, since the interface is ppp, the MAC is predictable as
being the other end and there is no point in stating it (misleading)

> SRC=200.52.172.13
Source IP address

> DST=66.xxx.xx.xx
Destination IP address (you have substituted "x" for ints)

> LEN=48
Length

> TOS=0x00
Type of service = 0 (decimal)
8-bit field. first 3 bits are reserved for something (don't remember), the
next one is set to 0, and the last 4 are available (this is part of an IP
packet):
8         Minimize delay for this packet
4         Maximize throughput for this packet
2         Maximize reliability for this packet
1         Minimize monetary costs
-----------------
Your value for TOS is zero so none of these were set.

> PREC=0x00
No precedence since no TOS...

> TTL=110
effectively max hops through routers which would decrement this value by
one for each hop. when value drops to zero, a router can drop the packet
(used to eventually drop packets that may enter routing loops.)

> ID=9313
Some possible meanings for this:
ID is a combination of the SEQ # and ACK number, but for a SYN packet,
only the SEQ number is known as there is no ACK.

For fragmented IP, an ID to permit grouping of fragments of the same original
packet.

Someone else might be able to verify this...

> DF
Please do not fragment

> PROTO=TCP
Layer 4 is TCP protocol

> SPT=2716
Source port

> DPT=2723
Destination Port

> WINDOW=16384
TCP window size (TCP is a sliding window protocol. This specifies the
window size for packets that can be transmitted by source before it must
wait until the earliest packet in the order is acknowledged.)

> RES=0x00
No reserved bits.

> SYN
SYN flag set - starting a connection or trying to.

> URGP=0
Urgent Pointer not set or set to zero.

> OPT (0204056401010402)
These would be options included in the packet. Sorry, would need to look
this up to know it.


> OK, so I see it's via the protocol "TCP", the packet came from some
> computer in Guadalajara it looks from the whois output. The DST is my
> IP. The Time to Live is 110, the SYN being the synchronize flag bit set
> is initiating a connection from the sender to the recipient. But
>
> Can you guys help me with the way to read the rest of the info?
> And are there some theories on why random PC's are trying to connect to
> our linux boxes? (usually three packets at a time.)
>
> --
> Micxz
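The field-by-field walk-through above is the kind of thing that is easier to keep straight with a small parser. What follows is an added example, not code from the original post or from SuSEFirewall2: it splits a netfilter LOG line of the form shown into its fields, decodes the TOS bits as netfilter prints them (the TOS= value is the tos byte masked with 0x1E, so minimize-delay is 0x10, throughput 0x08, reliability 0x04, cost 0x02), decodes the TCP options the reply left open (0204056401010402 is MSS 1380, two NOPs, and SACK-permitted), guesses the sender's initial TTL from the usual 64/128/255 defaults (an assumption, not something the log states), and groups bare SYNs by source, destination and port so that "three packets at a time" becomes visible as one client retransmitting an unanswered SYN. The sample log is constructed: the first line is the one from the post with the DST still redacted as posted, and the two follow-ups are invented retransmissions with made-up ID values and timestamps.

```python
"""Parse SuSEFirewall2 / netfilter LOG lines like the one in the post.

Added example, not code from the original message or from SuSEFirewall2.
SAMPLE_LOG is constructed: line 1 is the posted line (DST left redacted as
posted); lines 2 and 3 are invented retransmissions with made-up ID values.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jul 10 21:27:40 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=200.52.172.13 DST=66.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9313 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jul 10 21:27:43 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=200.52.172.13 DST=66.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9320 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
Jul 10 21:27:49 mars kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=200.52.172.13 DST=66.xxx.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=9331 DF PROTO=TCP SPT=2716 DPT=2723 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (0204056401010402)
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<rule>\S+) (?P<rest>.*)$")

# netfilter prints TOS= as (tos byte & 0x1E); bit values from <netinet/ip.h>
TOS_BITS = {0x10: "min-delay", 0x08: "max-throughput",
            0x04: "max-reliability", 0x02: "min-cost"}
TCP_OPTION_NAMES = {2: "MSS", 3: "WSCALE", 4: "SACK-PERM", 5: "SACK", 8: "TIMESTAMP"}


def parse_line(line):
    """Return a dict of KEY=value fields plus a 'flags' list (DF, SYN, ...)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "rule": m["rule"], "flags": []}
    tokens = m["rest"].split()
    for i, tok in enumerate(tokens):
        if "=" in tok:
            key, val = tok.split("=", 1)      # OUT= and MAC= give empty strings
            rec[key] = val
        elif tok.startswith("(") and i and tokens[i - 1] == "OPT":
            # an OPT (...) before PROTO= carries IP options, after it TCP options
            rec["tcp_opts" if "PROTO" in rec else "ip_opts"] = tok.strip("()")
        elif tok == "OPT":
            continue
        else:
            rec["flags"].append(tok)          # bare words are flags: DF, SYN, ACK ...
    return rec


def decode_tos(tos_hex):
    value = int(tos_hex, 16)
    return [name for bit, name in TOS_BITS.items() if value & bit]


def decode_tcp_options(hexstr):
    """Walk the kind/length/value list; returns [(name, value), ...]."""
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP has no length byte
            out.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TCP option")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad TCP option length")
        body = data[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, f"kind{kind}")
        if kind == 2:
            out.append((name, int.from_bytes(body, "big")))   # MSS in bytes
        elif kind == 3:
            out.append((name, body[0]))                        # shift count
        else:
            out.append((name, body.hex() or None))
        i += length
    return out


def guess_initial_ttl(ttl):
    """Assumption: sender started at 64, 128 or 255. Returns (initial, hops)."""
    for cand in (64, 128, 255):
        if ttl <= cand:
            return cand, cand - ttl
    raise ValueError("TTL out of range")


def _ts(s):
    return datetime.strptime(re.sub(r"\s+", " ", s), "%b %d %H:%M:%S")


def syn_bursts(log_text):
    """Group bare SYNs (SYN without ACK) by (SRC, DST, DPT); values are
    offsets in seconds from the first SYN of each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] \
                and "ACK" not in rec["flags"]:
            groups[(rec["SRC"], rec["DST"], rec["DPT"])].append(_ts(rec["ts"]))
    return {k: [int((t - ts[0]).total_seconds()) for t in ts]
            for k, ts in groups.items()}


if __name__ == "__main__":
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print(first["rule"], first["SRC"], "->", first["DST"], "port", first["DPT"], first["flags"])
    print("TOS bits:", decode_tos(first["TOS"]) or ["none set"])
    print("initial TTL, hops:", guess_initial_ttl(int(first["TTL"])))
    print("TCP options:", decode_tcp_options(first["tcp_opts"]))
    for key, offsets in syn_bursts(SAMPLE_LOG).items():
        print("SYN burst from", key, "at +", offsets, "s")
```

Run against the constructed sample this reports one group of three SYNs at +0, +3 and +9 seconds, all from the same source port; a port scanner would walk ports or sources, whereas a single stack retrying a failed connect repeats the same SRC/SPT/DPT tuple with growing gaps, which is the shape the question describes.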
