
Interpret Security Log

The security log enables you to inspect the traffic that has been handled by the firewall. It shows the most important attributes of each packet and the action the firewall took for that packet.

Different information is given depending on the packet type, but some attributes are always logged: the time when the packet was seen, the interface the packet was seen on, the direction of the packet, the packet's size in bytes and the protocol type.

In most cases the source and destination addresses are also logged.

Finally, the action taken is logged, specified as a main action (accept, deny, drop or error) followed by a more specific reason, e.g. "deny default rule".

This action is also broken down to show in detail which decisions the firewall took. This includes which supervisor rule, flow (if any) and user rule (if any) were matched. For each rule or flow, the associated action or state is also logged.

Example - TCP connection establishment:

1) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet was received on et2 (the "i" after the interface name stands for "incoming") and is an IP packet from 192.168.0.2 to 1.2.3.4 with a length of 44 bytes. The IP packet contains a TCP SYN segment (the "S" after "tcp:" is the SYN TCP flag) from port 3263 to port 80 with a payload size of 0 bytes. The final action for the packet was "ACCEPT rule", which means that a firewall rule was what made the firewall accept the packet. The match information shows that supervisor rule 0 and user rule 2 matched, both with action accept.

2) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

The first log entry (1) is immediately followed by the same packet, but this time it is transmitted on another interface ("et1", "o" as in "outgoing"). Furthermore, it is modified (NATed) by the MODIFY sub action so that the source address of the packet becomes the firewall's external IP address and the source port is taken from the "NAT pool".

3) 0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263

This packet is the response to the one in (1) and (2). Now both the S (SYN) and A (ACK) TCP flags are set. It first matches supervisor rule 1 and then flow c949a4, which makes the final decision for the packet, resulting in an "ACCEPT flow" final action. The MODIFY sub action reverses the NAT, restoring the destination address and port of the internal client.

4) 0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept

This is the same packet as in (3) but forwarded to the et2 interface.

5) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet is the last in the TCP "3-way handshake" which completes the connection establishment. Now only the A (ACK) TCP-flag is set.

6) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

This is the same packet as in (5), but forwarded to the et1 interface. It matches the same flow as the packet in (2), and the flow's state changes to "open".

General log entry format

Each log entry follows the same format ('' denotes variables, [] optional information and {|} "selective" information, i.e. one of the alternatives):

'time' : 'interface''dir' 'proto info' - 'action' [ - 'match info'] [ - 'sub action']

Overview of log entry components
'time' The time when the packet was logged, expressed in days, hours, minutes and seconds after power on (uptime), e.g. "01d 12:34:56".
'interface' The name of the interface the packet was seen on, e.g. "et1".
'dir' Direction of the packet; i = incoming, o = outgoing, e.g. "line i".
'proto info' Protocol information - see table below.
'action' Final action taken by the firewall for the packet. Composed of a general action and, in some cases, a specific reason why the action was taken, e.g. "DENY default rule".
'match info' (optional) Which objects (rule, flow) in the firewall matched the packet. See below for more information.
'sub action' (optional) Any supplementary action taken for the packet. Sub action arguments are also logged, e.g. "MODIFY saddr 1.2.3.4" for (source) NATed packets.

Protocol information format

IP packets:

'src ip addr' > 'dst ip addr' [#'id'] ('length'['more frags'@'offset']) 'proto': 'proto info'

Protocol information - IP
'src ip addr' Source IP address of packet, e.g. 192.168.0.2.
'dst ip addr' Destination IP address of packet.
'id' (optional; fragments only) IP datagram identification number (decimal), e.g. 34523.
'length' IP packet length (decimal), e.g. 150. For fragments it is followed by the fragment information, e.g. "540-@1460".
'more frags'@'offset' (fragments only) Fragment information: 'more frags' indicates whether this is the last fragment ("-") or not ("+"), and 'offset' is the fragment offset (decimal).
'proto' Protocol type. Expressed as a number (decimal) or a name (for common protocols), e.g. 103 or "udp".
'proto info' Varies with protocol - see below.

ICMP packets:

'type'/'code' 'type name'

TCP segments:

'tcp flags' 'src port' > 'dst port' ('tcp length')

UDP datagrams:

'src port' > 'dst port' ('udp length')

Most other protocols are just logged as "(unhandled)".

Protocol information - TCP/UDP
'tcp flags' (TCP only) TCP flags; U = URG (urgent), A = ACK (acknowledge), P = PSH (push), R = RST (reset), S = SYN (synchronize), F = FIN (finish), e.g. "SA".
'src port' Source port (decimal), e.g. "2765".
'dst port' Destination port (decimal), e.g. "80".
'tcp length', 'udp length' Length of payload (decimal), e.g. "700".

ARP packets:

'arp op' 'src ip addr' 'dst ip addr'

Ethernet frames (undecoded):

'src ether addr' > 'dst ether addr' ('length') 'type'

Protocol information - Ethernet
'src ether addr' Source address (colon separated hexadecimal format)
'dst ether addr' Destination address.
'length' Length of frame (decimal).
'type' Type field (hexadecimal).

Matching information format

Describes which objects matched the packet, i.e. which rule (through its filter specification) or flow (through its attributes). (See firewall rule syntax for more information about rules and flows.)

Incoming packets:

s('super rule id')'action' {f('flow id')'old state'/'new state' | u('user rule id')'action'}

Outgoing packets:

{f('flow id')'old state'/'new state' | u('user rule id')'action'} s('super rule id')'action'

Match information
'super rule id' Supervisor rule id (decimal). Indicates which rule (0..n) matched the packet. -1 indicates the "default rule", i.e. no rule matched.
'user rule id' (optional; only if no flow matched) User rule id (decimal).
'action' The rule's associated action.
'flow id' (optional; only if a matching flow existed) Flow id (hexadecimal). Indicates which flow matched the packet.
'old state' Previous flow state (before the packet was inspected).
'new state' New flow state (after the packet was inspected).

Related Topics:

Activate Security Log
Change Security Log Level