The ASL firewall will log a lot of information about a firewall event. A typical log entry may look like this:
Mar 24 14:11:11 host kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Example Element | Explanation |
Mar 24 14:11:11 | Date/Time Stamp |
host | The Hostname of the system where this occurred (your server) |
kernel: | Application Name (firewall rules are always kernel:) |
DROP_ASL_INPUT | Firewall Rule Name |
IN=eth0 | Incoming Interface (This is only populated when the packet is coming into the server) |
OUT= | Outgoing Interface (This is only populated when the packet is going out of the server) |
MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 | The MAC Address of the last hop upstream hardware that send the packet (usually this will be your upstream router) |
SRC=1.2.3.4 | Source IP (The IP address for the system that sent this packet) |
DST=5.6.7.8 | Destination IP (The IP address the source system requested this packet be sent to) |
LEN=48 | Total length of IP packet in bytes |
TOS=0x00 | Type Of Service field. This is rarely used, and is replaced on most systems by DS and ECN. |
PREC=0x00 | The "Precedence" Type of Service field. This is rarely used, and is replaced on most systems by DS and ECN. |
TTL=115 | Remaining "Time To Live" for this packet in "hops" |
ID=12197 | Unique ID for this IP datagram. If this is a fragment, all fragments share the same ID. |
CE | ECN Flag, Congestion Experienced (optional) |
DF | Dont Fragment Flag (optional) |
MF | More Fragments to follow (optional) |
PROTO=TCP | Protocol (For example, TCP or UDP) |
SPT=3619 | Source Port (The port the packet came from) |
DPT=110 | Destination Port (The port the source IP requested the packet go to) |
SEQ=1917628740 | Receive Sequence number |
ACK=0 | Same as the Receive Sequence number above, but for the other end of the TCP connection. Normally only seen on the reply packet. |
WINDOW=65535 | The TCP Receive Window size. |
RES=0x00 | Reserved bits. This field is used, optionally, for things like ECNE and CWR. |
SYN URGP=0 | Packet Flags. |
OPT (020405B401010402) | TCP Options (optional) |
Comments
0 comments
Please sign in to leave a comment.