[buug] Reading ipchains logs
Bill Honeycutt
wfhoney at pacbell.net
Wed Jul 23 17:40:55 PDT 2003
Thanks, Rick! Good information here.
> #58: Rule number that generated this log entry.
This was key to my understanding...in this firewall, rule #50 is the
'catch-all' rule that rejects all packets which don't fit any other rule
:-)
Rick Moen wrote:
> Quoting Bill Honeycutt (wfhoney at pacbell.net):
>
>
>>These entries popped up in /var/log/messages today.
>>
>>------------- start of log snippet -------------
>>Jul 7 02:51:01 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=11967 F=0x4000 T=113 SYN (#58)
>>Jul 7 02:51:08 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=12550 F=0x4000 T=113 SYN (#58)
>>------------- end of log snippet -------------
>>
>>It begged the question, "What is 'I=11967 F=0x4000 T=113'?"
>>
>>Any suggestions on where to find ipchains log information would be
>>appreciated.
>
>
>
> input: Name of the chain containing the rule that matched this packet.
> REJECT: What that rule said to do.
> eth0: Interface name.
> PROTO: protocol family per /etc/protocol. In this case, TCP.
> 211.167.233.24: Source IP.
> 4080: Source port.
> 10.1.0.2: Destination IP.
> 80: Destination port.
> L: Packet length in bytes. In this case, 48 bytes.
> S: Type of service x 4. In this case, service 0.
> I: IP ID. In this case, 11967. Basically just sequence #, I think.
> F: Fragment offset. The 0x4 prefix means "Don't fragment" (as would 0x5).
> T: Time to live
> SYN: Flag value.
> #58: Rule number that generated this log entry.
>
> Oh, just found this handy quick reference:
> http://logi.cc/linux/ipchains-log-format.html
>
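The field-by-field breakdown above is easy to apply by hand to two lines and tedious for a day's worth of /var/log/messages. Below is an added example (not code from the thread or from ipchains itself) that parses "Packet log:" lines in the layout shown in the snippet, decodes the F= word into its DF/MF bits and fragment offset, and then counts repeated rejected SYNs per source and destination port so that a host probing one service stands out. The first two sample lines are the ones quoted in the thread; the other two are constructed for the demonstration and use documentation address ranges.

```python
"""Parse ipchains 'Packet log:' lines and summarise rejected TCP SYNs.

Added example, not from the original post. The regex follows the field order
in the quoted log snippet: chain, target, interface, PROTO=, src:port,
dst:port, L=, S=, I=, F=, T=, an optional SYN flag word, and (#rule).
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<target>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
    r"(?:\s+(?P<flag>SYN))?\s+\(#(?P<rule>\d+)\)"
)

# Small subset of /etc/protocols; unknown numbers are reported as-is.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Lines 1-2 are the ones quoted in the thread; lines 3-4 are constructed.
SAMPLE_LOG = """\
Jul 7 02:51:01 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=11967 F=0x4000 T=113 SYN (#58)
Jul 7 02:51:08 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=12550 F=0x4000 T=113 SYN (#58)
Jul 7 02:52:30 radhost kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:5353 10.1.0.2:53 L=64 S=0x00 I=301 F=0x2000 T=64 (#12)
Jul 7 02:53:02 radhost kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:33000 10.1.0.2:22 L=60 S=0x10 I=9 F=0x4000 T=52 SYN (#58)
"""


def decode_frag(frag_word):
    """Split the 16-bit IP flags + fragment-offset word logged as F=.

    Bit 0x4000 is DF (don't fragment), 0x2000 is MF (more fragments),
    and the low 13 bits are the fragment offset in 8-byte units.
    """
    value = int(frag_word, 16)
    return {
        "df": bool(value & 0x4000),
        "mf": bool(value & 0x2000),
        "offset": (value & 0x1FFF) * 8,
    }


def parse_line(line):
    """Return a dict of decoded fields, or None if the line is not an ipchains log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {
        "host": d["host"],
        "chain": d["chain"],
        "target": d["target"],
        "iface": d["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),
        "tos": int(d["tos"], 16),   # raw TOS byte as logged
        "ipid": int(d["ipid"]),
        "ttl": int(d["ttl"]),
        "syn": d["flag"] == "SYN",
        "rule": int(d["rule"]),
    }
    rec.update(decode_frag(d["frag"]))
    return rec


def parse_log(text):
    """Parse every recognisable line; silently skip unrelated syslog entries."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def rejected_syn_summary(records, min_hits=2):
    """Count REJECT/DENY'd TCP SYNs per (src, dst, dport) and keep repeat offenders."""
    counts = Counter(
        (r["src"], r["dst"], r["dport"])
        for r in records
        if r["proto"] == "TCP" and r["syn"] and r["target"] in ("REJECT", "DENY")
    )
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} {r['proto']} "
              f"{r['target']} rule #{r['rule']} ttl={r['ttl']} df={r['df']} mf={r['mf']}")
    for (src, dst, port), n in rejected_syn_summary(recs).items():
        print(f"{n} rejected SYNs from {src} to {dst}:{port}")
```

Feeding it the thread's two lines plus the constructed ones reports the single source that hit port 80 twice while leaving the one-off probe of port 22 and the UDP DENY out of the summary; raising `min_hits` or keying on source only are the obvious knobs when reading a noisier log.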