In this article, i will show you how to analyze firewall log in Shorewall. Shorewall is one of the high-level tools for Netfilter. This is a simple reference for the format used by the netfilter log messages. Below is a Shorewall log message generated by netfilter:
Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 src=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Details in sequence of Shorewall log:
- Dec 5 01:21:37 monitoring12 kernel: -syslog prefix.
- Shorewall:net2all:DROP -The Shorewall policy and zones defines in /etc/shorewall/policy. The packet was received from outside Internet (net) to any other network or DMZ zone (all) will dropped.
- IN=eth0 -Interface where the packet was received from. Empty value means locally generated packets.
- OUT= -Interface where the packet was sent to. Empty value means locally received packets.
- MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 -Destination MAC: 00:07:e9:f1:9f:85, SourceMAC :00:07:e9:f1:a0:85, Type=08:00 (ethernet frame carried an IPv4 datagram)
- src=10.1.2.21 -Source IP address
- DST=10.1.2.32 -Destination IP address
- LEN=60 -Total length of IP packet in bytes
- TOS=0x00 -Type Of Service, "Type" field. Increasingly being replaced byDS and ECN. Refer to RFC 791 for IP Header info.
- PREC=0x00 -Type Of Service, "Precedence" field.Increasingly being replaced by DS and ECN. Refer to RFC 791 for IP Header info.
- TTL=64 -remaining Time To Live (TTL) is 64 hops.
- ID=4923 -Unique ID for this IP datagram, shared by all fragments if fragmented.
- DF -"Don't Fragment" flag.
- PROTO=TCP -Protocol name or number. Netfilter uses names for TCP,UDP,ICMP, AH and ESP. The other protocols are identified by number. List of protocols in /etc/protocols.
- SPT=42368 -Source port (TCP or UDP port). Refer to /etc/services for port numbers.
- DPT=22 -Destination port (TCP or UDP port)
- WINDOW=5840 -The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option.
- RES=0x00 -Reserved bits. Refer to RFC 793 for TCP Header Format info.
- SYN -SYN flag, only exchanged at TCP connection establishment.
- URGP=0 - The Urgent Pointer allows for urgent, out of band data transfer.