> Tom Williamson wrote:
> 
> Can anybody point me to a good URL for decoding the denied packet log
> entries made by ipchains in RH 6.2?   They look like this:
> 
> May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0
> PROTO=17 192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684
> F=0x0000 T=128 (#7)
> 
> I can figure out most of the simple stuff but the PROTO entries and
> the port numbers, plus all that stuff at the end - it would be nice to
> know what that means.  <grin>

OK, by field:
May 21 07:20:52 -- obviously a date, but specifically the
                datetime that this log entry was made, probably some
                fraction of a second after the packet was denied.
cx449080-a      -- The hostname of the machine that logged the packet.
                (remember that syslogd can collect log info from multiple
                remote machines)
kernel          -- The syslog facility under which this was logged.

NB everything up to this point came from the syslogd or klogd; only the REST
of this entry is from the kernel firewalling engine.

Packet log:     -- stamped at the beginning of all firewall logging.
input           -- The chain in which the logging command was defined.
DENY            -- The action that was logged.
eth0            -- The interface that the packet arrived on.
PROTO=17        -- The IP Protocol ID, in this case UDP. This field is how
                you tell if a given packet is UDP, TCP, ICMP, whatever. I
                deduced that this was UDP based on other info in the log
                entry, but also found corroboration in O'Reilly & Assoc's
                Internet Core Protocols, by Eric A. Hall. Great book for
                serious network geeks. For the definitive answer, you should
                read the relevant RFC (available several places around the
                internet), but I'll be the first to admit that the language
                of most RFCs glazes the eyes of most hardened network
                administrators.
192.168.1.4:68  -- Source IP address (192.168.1.4) and port (68).
255.255.255.255:67 -- Destination IP address (255.255.255.255) and port (67).
                Key things to note about these are (in no particular order):
                 1. Source addr is in private IP space
                 2. Dest addr is all-hosts, all-nets broadcast
                 3. Routers typically don't forward all-hosts, all-nets broadcasts
                 4. UDP port 68 is listed in /etc/services as a bootp/dhcpd client
                 5. UDP port 67 is listed in /etc/services as a bootp/dhcpd server
                 6. Per /etc/services and background knowledge, bootp is a UDP-based
                    protocol, thus the earlier proto=17=udp deduction.
L=276           -- I am unsure, but I think it might be the size (or Length) of
                the data portion of the packet. Someone wiser than me will
                hopefully comment. Upon reflection, it could be the Length of
                the header.
S=0x00          -- Again I am unsure, but I think this indicates whether the
                packet has the TCP SYN bit set, which this packet (being UDP)
                wouldn't have. May also be a TCP sequence number, which also
                wouldn't apply to a UDP packet.
I=57684         -- I don't know.
F=0x0000        -- I don't know. (Fragment?)
T=128 (#7)      -- I don't know. (TTL?)

Now, based on outside knowledge of bootp/dhcp protocols as well as what's in
this log record, what we have is a machine trying to renew its dhcp lease for
ip address 192.168.1.4. This machine is probably located on the same network
as your eth0, but that depends on the (mis)configuration of your upstream
router.  This packet was picked up by your ethernet driver (because it is a
broadcast) then dumped by a rule in the input chain of your kernel's firewall,
incidentally a rule stating that you want to log hits.

> Thanks...


-- 
-------------------------------------
Sam Bayne - System Administrator
North Seattle Community College
[EMAIL PROTECTED]     (206)527-3762
=====================================
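As an added example (not part of Sam Bayne's reply or anything else in this thread), here is a small Python parser for the ipchains "Packet log:" format shown above. It splits the syslog prefix from the kernel's fields, names PROTO and the port pair from a hand-built subset of /etc/services, and labels the trailing fields per the definitions in the ipchains HOWTO (L= total datagram length in bytes, S= type of service, I= IP identification, F= flags and fragment offset, T= TTL, (#N) the number of the rule in the chain that matched). The sample input is the line from the thread rejoined onto one line plus one constructed TCP line; the regular expression assumes exactly the field layout seen in the post, so a line carrying extra fields between T= and (#N) would need the pattern extended.

```python
import ipaddress
import re
from dataclasses import dataclass

# IP protocol numbers (IANA); only the ones a firewall log usually shows.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Hand-built subset of /etc/services, keyed by (protocol name, port).
SERVICE_NAMES = {
    ("UDP", 67): "bootps", ("UDP", 68): "bootpc", ("UDP", 53): "domain",
    ("TCP", 22): "ssh", ("TCP", 23): "telnet", ("TCP", 80): "http",
}

# Bits of the IP header's 16-bit fragment field (RFC 791).
IP_DF = 0x4000           # Don't Fragment
IP_MF = 0x2000           # More Fragments
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units

# syslog prefix followed by the kernel's "Packet log:" fields, in the order
# seen in the post: chain action iface PROTO= src:port dst:port L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)


@dataclass
class PacketLogEntry:
    timestamp: str
    host: str
    chain: str      # chain whose rule fired (input/forward/output or user-defined)
    action: str     # DENY, REJECT, ACCEPT, ...
    iface: str
    proto: int
    src: str
    sport: int      # for ICMP this position holds the type, not a port
    dst: str
    dport: int      # for ICMP this position holds the code
    length: int     # L=  total IP datagram length in bytes
    tos: int        # S=  type of service byte
    ip_id: int      # I=  IP identification field
    frag: int       # F=  flags + fragment offset field
    ttl: int        # T=  time to live
    rule: int       # (#N) number of the rule in the chain that matched

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_packet_log(line: str) -> PacketLogEntry:
    """Parse one syslog line; raise ValueError if it is not an ipchains packet log."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ipchains packet log line: {line!r}")
    g = m.groupdict()
    return PacketLogEntry(
        timestamp=g["stamp"], host=g["host"], chain=g["chain"], action=g["action"],
        iface=g["iface"], proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ip_id=int(g["ipid"]), frag=int(g["frag"], 16),
        ttl=int(g["ttl"]), rule=int(g["rule"]),
    )


def service_name(proto_name: str, port: int) -> str:
    return SERVICE_NAMES.get((proto_name, port), str(port))


def describe(entry: PacketLogEntry) -> list:
    """The observations a sysadmin makes by hand, derived from the parsed fields."""
    notes = []
    if ipaddress.ip_address(entry.src).is_private:
        notes.append(f"source {entry.src} is in private address space")
    if entry.dst == "255.255.255.255":
        notes.append("destination is the all-hosts, all-nets (limited) broadcast")
    pn = entry.proto_name
    notes.append(f"{pn} {service_name(pn, entry.sport)} -> {service_name(pn, entry.dport)}")
    if pn == "UDP" and (entry.sport, entry.dport) == (68, 67):
        notes.append("bootpc -> bootps: a BOOTP/DHCP client request")
    if entry.frag & IP_DF:
        notes.append("DF set: sender asked that the datagram not be fragmented")
    if entry.frag & (IP_MF | IP_OFFSET_MASK):
        notes.append(f"fragment: MF={1 if entry.frag & IP_MF else 0}, "
                     f"offset={(entry.frag & IP_OFFSET_MASK) * 8} bytes")
    notes.append(f"{entry.action} by rule #{entry.rule} of the {entry.chain} chain on {entry.iface}")
    return notes


# Constructed sample input: the line from the thread (rejoined onto one line) and
# a made-up TCP telnet SYN with DF set, to exercise the other decoders.
SAMPLE_LINES = [
    "May 21 07:20:52 cx449080-a kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.1.4:68 255.255.255.255:67 L=276 S=0x00 I=57684 F=0x0000 T=128 (#7)",
    "May 21 07:21:10 cx449080-a kernel: Packet log: input DENY eth0 PROTO=6 "
    "10.0.0.9:1035 192.168.1.1:23 L=44 S=0x10 I=4 F=0x4000 T=64 (#3)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_packet_log(line)
        print(f"{entry.timestamp} {entry.host}: {entry.proto_name} "
              f"{entry.src}:{entry.sport} -> {entry.dst}:{entry.dport}")
        for note in describe(entry):
            print("   ", note)
```

Run it against a real /var/log/messages by feeding each line to parse_packet_log and skipping the ValueError lines; addresses are left numeric because ipchains logs them that way, and the service table is deliberately inline so the script behaves the same regardless of the host's /etc/services.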
