[CS-FSLUG] Strange log messages

Tim Young Tim.Young at LightSys.org
Tue Dec 7 10:11:14 CST 2004


Iptables leaves a log that looks something like:
Dec  5 04:02:48 test kernel: TFW WAN-FIREWALL:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:80:dd:23:38:08:00 SRC=172.18.153.89 DST=255.255.255.255 LEN=345 TOS=0x00 PREC=0x00 TTL=255 ID=7435 PROTO=UDP SPT=67 DPT=68 LEN=325
Dec  5 04:02:48 test kernel: TFW WAN-FIREWALL:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:80:dd:23:38:08:00 SRC=10.51.208.1 DST=255.255.255.255 LEN=345 TOS=0x00 PREC=0x00 TTL=255 ID=7438 PROTO=UDP SPT=67 DPT=68 LEN=325

The TFW WAN-FIREWALL tag is about the only oddity in this chunk of log.  The
rest of the log file reads as follows.
Dec  5 04:02:48        Date and time the message occurred.
test       The computer is named "test"
kernel:     Iptables is handled through the kernel, and is automatically tagged
with a "kernel" to let you know where it originated from.
TFW WAN-FIREWALL     I added this tag myself because I have a nasty-to-read
iptables configuration and it is there for debugging purposes.
IN=eth1     Which network interface it came in on.
etc...

Basically, the whole rest of the log, MAC, SRC, DST, etc. is a part of every
iptables log.

Anyway, the short of it is that I doubt the log was generated by iptables.  I
believe ipchains has a similar looking log when it leaves a log behind.

But, in the off-chance that it still is iptables, the fact that it occurs every
20 min is still a good clue.  You would have a particular type of packet
hitting your machine every 20 min (and only every 20 min).  And it would be
just a single packet.

- -

Iptables does have a "MARK", and all it means is that you have tagged a packet
so you can do something else with it later.   You can use it to have multiple
routing tables (sending port 80 packets through a different default gateway,
etc.)  It can be very useful, but most normal humans are lucky enough not to
need to know stuff like that.  I have used it twice in my life, and I do a fair
bit of firewalling.

    - Tim Young

K Montgomery wrote:

> I concur.  In the IP netfilter section of the kernel configuration,
> there are options to support MARK matching and a MARK target under
> packet mangling.  I've never used these features, so I don't know what
> purpose they really serve.  I would put them in the "if you don't know
> what it is, you don't need it" category.
>
> - Kathy
>
> On Dec 7, 2004, at 8:55 AM, Josiah Ritchie wrote:
>
> > I've seen these before and I think they were related to iptables. Don't
> > quote me on that, but it is a direction.
> >
> > JSR/
> >
> >
> > _______________________________________________
> > ChristianSource FSLUG mailing list
> > Christiansource at ofb.biz
> > http://cs.uninetsolutions.com
> >
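Added example (not part of the original message): a Python parser that splits iptables LOG lines of the form quoted above into fields and reports the gap in seconds between repeats of the same packet, which is the "every 20 min" clue. The sample lines are constructed from the format in the post; the year, the L4LEN key name and the grouping key are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog header, then the user-chosen log prefix, then the KEY=VALUE fields.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skernel:\s"
                     r"(?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # value may be empty, e.g. "OUT="

def parse(line, year=2004):
    """Return a dict of fields, or None if this is not an iptables LOG line.
    Syslog timestamps carry no year, so it is passed in (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "prefix": m["prefix"].strip(),
           "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}
    for key, val in KV_RE.findall("IN=" + m["rest"]):
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"  # second LEN is the UDP length, not the IP length
        rec[key] = val
    return rec

def intervals(lines):
    """Seconds between repeats of the same (prefix, SRC, PROTO, DPT)."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        key = (rec["prefix"], rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))
        seen[key].append(rec["time"])
    return {k: [int((b - a).total_seconds())
                for a, b in zip(sorted(t), sorted(t)[1:])]
            for k, t in seen.items() if len(t) > 1}

# Constructed sample input: the post's line format with varied timestamps,
# plus one unrelated syslog line that must be skipped.
FMT = ("Dec  5 {t} test kernel: TFW WAN-FIREWALL:IN=eth1 OUT= "
       "MAC=ff:ff:ff:ff:ff:ff:00:30:80:dd:23:38:08:00 SRC={src} "
       "DST=255.255.255.255 LEN=345 TOS=0x00 PREC=0x00 TTL=255 ID=7435 "
       "PROTO=UDP SPT=67 DPT=68 LEN=325")
SAMPLE = [FMT.format(t="04:02:48", src="172.18.153.89"),
          FMT.format(t="04:02:48", src="10.51.208.1"),
          "Dec  5 04:10:00 test sshd[411]: session opened",
          FMT.format(t="04:22:48", src="172.18.153.89"),
          FMT.format(t="04:42:48", src="172.18.153.89")]

if __name__ == "__main__":
    for key, gaps in intervals(SAMPLE).items():
        print(key, gaps)
```

A source that shows a steady run of identical gaps (1200 seconds here) is the kind of periodic single packet the message describes.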