Interpret Security Log

The security log enables you to inspect the traffic that has been handled by the firewall. It shows the most important attributes of each packet and the action the firewall took for that packet.

Different information is given depending on the packet type, but some attributes are always logged: the time when the packet was seen, the interface it was seen on, the direction of the packet, the packet's size in bytes and the protocol type. In most cases the source and destination address are also logged.

Finally the action taken is logged, specified as a main action (accept, deny, drop or error) followed by a more specific reason, e.g. "deny default rule". This action is also broken down, showing in detail which decisions were taken by the firewall: which supervisor rule, flow (if any) and user rule (if any) were matched. For each rule or flow, information about the associated action or state is also logged.

Example - TCP connection establishment

1) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet was received on et2 (the "i" after the interface name stands for "incoming") and is an IP packet from 192.168.0.2 to 1.2.3.4 with a length of 44 bytes. The IP packet contains a TCP SYN segment (the "S" after "tcp:" is the SYN TCP flag) from port 3263 to port 80 with a payload size of 0 bytes. The final action for the packet was "ACCEPT rule", which means that a firewall rule was what made the firewall accept the packet.

2) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

The first log entry (1) is immediately followed by the same packet, but this time it is transmitted on another interface ("et1", "o" as in "outgoing"). Furthermore it is MODIFYed (NATed) so that the source address of the packet is the firewall's external IP address and the source port is taken from the "NAT pool".

3) 0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263

This packet is the response to that in (1) and (2). Now both the S (SYN) and A (ACK) TCP flags are set. It first matches supervisor rule 1 and then flow c949a4, which makes the final decision for the packet, resulting in an "ACCEPT flow" final action.

4) 0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept

This is the same packet as in (3) but forwarded to the et2 interface.

5) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet is the last in the TCP "3-way handshake", which completes the connection establishment. Now only the A (ACK) TCP flag is set.

6) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

This is the same packet as in (5), but forwarded to the et1 interface. It matches the same flow as the packet in (2) and the flow's state changes to "open".

General log entry format

Each log entry follows the same format ('' denotes variables, [] optional information, {|} "selective" information, i.e. "one of"):

  'time' : 'interface''dir' 'proto info' - 'action' [ - 'match info'] [ - 'sub action']

Protocol information format

IP packets:
  'src ip addr' > 'dst ip addr' [#'id'] ('length'['more frags'@'offset']) 'proto': 'proto info'

ICMP packets:
  'type'/'code' 'type name'

TCP segments:
  'tcp flags' 'src port' > 'dst port' ('tcp length')

UDP datagrams:
  'src port' > 'dst port' ('udp length')

Most other protocols are just logged as "(unhandled)".

ARP packets:
  'arp op' 'src ip addr' 'dst ip addr'

Ethernet frames (undecoded):
  'src ether addr' > 'dst ether addr' ('length') 'type'

Matching information format

Describes which objects matched the packet, i.e. which rule (through its filter specification) or flow (through its attributes). (See firewall rule syntax for more information about rules and flows.)

Incoming packets:
  s('super rule id')'action' {f('flow id')'old state'/'new state' | u('user rule id')'action'}

Outgoing packets:
  {f('flow id')'old state'/'new state' | u('user rule id')'action'} s('super rule id')'action'
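As an added example (not part of this help page or the firewall's own tooling), the following parser turns entries in the general, protocol and matching formats described above into fields, and follows each flow id through its logged state transitions. It is run over the six handshake entries from the example; the regular expressions and the field names are this example's own choices.

```python
import re

# Sample input: the six TCP handshake entries quoted on the page, in the documented format.
SAMPLE_LOG = """\
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263
0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
"""

# Field layouts as the page's format sections give them: the entry header (interface name ends
# in the direction letter), the IP packet line, the TCP/UDP port part (UDP has no flags), one match token.
HEADER_RE = re.compile(r"^(?P<time>\d+d \d\d:\d\d:\d\d):(?P<iface>\w+?)(?P<dir>[io]) (?P<proto_info>.*)$")
IP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+)(?: #(?P<id>\w+))? \((?P<length>\d+)[^)]*\) (?P<proto>\w+): (?P<rest>.*)$")
PORTS_RE = re.compile(r"^(?:(?P<flags>[A-Z]+) )?(?P<sport>\d+) > (?P<dport>\d+) \((?P<plen>\d+)\)$")
MATCH_RE = re.compile(r"^([sfu])\((\w+)\)(\S+)$")

def parse_entry(line):
    """Split one entry into the fields named in the page's format description."""
    parts = line.rstrip().split(" - ")  # proto block, action, then match info and/or sub action
    hdr = HEADER_RE.match(parts[0])
    if hdr is None or len(parts) < 2:
        raise ValueError("not a security log entry: " + line)
    entry = {"time": hdr["time"], "iface": hdr["iface"], "dir": hdr["dir"], "action": parts[1], "matches": [], "modify": {}}
    ip = IP_RE.match(hdr["proto_info"])
    if ip:
        entry.update(src=ip["src"], dst=ip["dst"], length=int(ip["length"]), proto=ip["proto"])
        ports = PORTS_RE.match(ip["rest"])
        if ports:
            entry.update(flags=ports["flags"] or "", sport=int(ports["sport"]), dport=int(ports["dport"]))
    for part in parts[2:]:
        tokens = [MATCH_RE.match(t) for t in part.split()]
        if tokens and all(tokens):  # match info: (kind, id, action or old/new state) per token
            entry["matches"] = [m.groups() for m in tokens]
        elif part.startswith("MODIFY "):  # sub action: NAT-rewritten fields as name/value pairs
            words = part.split()[1:]
            entry["modify"] = dict(zip(words[::2], words[1::2]))
    return entry

def flow_states(entries):
    """Collect each flow id's logged (old state, new state) transitions, in log order."""
    states = {}
    for e in entries:
        for kind, ident, info in e["matches"]:
            if kind == "f":
                old, new = info.split("/", 1)
                states.setdefault(ident, []).append((old, new))
    return states
```

The flow table shows that flow c94954 is logged only on the outgoing side (entries 2 and 6), so the transition from "syn-rcvd" to "wait-ack" is never seen in the log, which is worth knowing before treating gaps in a flow's state sequence as suspicious.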