Firewall logging question.

soehest

Occasional Visitor
I am experimenting a bit with remote syslog and firewall logging and stumbled across this:

Code:
Mar 17 02:02:14 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 17 02:02:15 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=34783 PROTO=TCP <1>SPT=57234 DPT=1234 SEQ=2861738783 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

The drop is generated by issuing nmap -Pn -sS yyy.yyy.yyy.yyy -p 1234 from xxx.xxx.xxx.xxx. What I find odd is that it logs twice even for a single scan. I have not experienced this with other types of routers/firewalls, where only one line is logged. Is this normal behaviour?
 
Can you increase the verbosity of nmap and see exactly what packets it is sending?
 
That looks like two different packets with two different source ports and sequence numbers. It isn't logging a duplicate. It's logging what it is seeing twice...at least from what I can tell by what you provided.
 
Can you increase the verbosity of nmap and see exactly what packets it is sending?
Brilliant idea :)
Having tried nmap with the options nmap -v8 --packet-trace -Pn -sS yyy.yyy.yyy.yyy 1234, I can see you are both correct. There are actually two packets sent. I think the culprit may be that my previous solution used --limit 1/m --limit-burst 1, which would explain why I was only seeing one packet. Thanks for the idea of increasing verbosity :)

Another question, but related:
Code:
Mar 17 02:02:14 server kernel: DROP <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=xxx.xxx.xxx.xxx DST=yyy.yyy.yyy.yyy <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)

What are the <4> and <1> that are appended? My firewall log parser does not like them, so I have to remove them, which is not a big deal but a bit annoying, especially when I do not know what those values in <> are.

Regards
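The two points raised in this thread, that the two log lines are two distinct packets (different SPT, SEQ and IP ID) rather than one packet logged twice, and that the <4>/<1> markers trip up a log parser, can both be handled in a small parser. The <n> markers are kernel printk log-level prefixes (<4> is "warning", the default --log-level of the iptables LOG target) that this router's syslog relays instead of stripping; a parser should drop any <n> token wherever it appears rather than special-casing the values. The example below is added here and is not code from the thread or from the router firmware. The sample lines are constructed: they follow the posted format, with RFC 5737 documentation addresses in place of the poster's, and a third line that is an artificial exact re-log of the first packet so that a genuine duplicate can be told apart from a second SYN.

```python
"""Parse iptables/netfilter LOG lines as relayed by syslog, strip the <n>
printk priority markers, and tell re-logged duplicates apart from distinct packets."""
import re
from collections import Counter

# Constructed sample, modelled on the lines posted in the thread. Lines 1-2 are two
# nmap SYNs (different SPT/SEQ/ID); line 3 is an artificial exact re-log of line 1.
# 198.51.100.7 and 192.0.2.1 are documentation addresses, not the poster's.
SAMPLE_LOG = """\
Mar 17 02:02:14 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 17 02:02:15 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=34783 PROTO=TCP <1>SPT=57234 DPT=1234 SEQ=2861738783 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
Mar 17 02:02:14 server kernel: DROP  <4>DROP IN=eth0 OUT= MAC=08:60:6f:21:b6:f0:68:ef:bd:85:a6:d9:08:00 <1>SRC=198.51.100.7 DST=192.0.2.1 <1>LEN=44 TOS=0x00 PREC=0x00 TTL=39 ID=808 PROTO=TCP <1>SPT=57233 DPT=1234 SEQ=2861804318 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (020405B4)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
PRIO_RE = re.compile(r"<(\d+)>")                  # kernel printk level markers such as <4>
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")    # TCP options hex dump, the one value not in k=v form


def strip_priority(text):
    """Remove every <n> marker; enough on its own if a downstream parser just wants clean text."""
    return PRIO_RE.sub("", text)


def split_mac(mac):
    """MAC= is dst(6 octets) : src(6 octets) : ethertype(2 octets), colon separated."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {"dst": ":".join(octets[0:6]), "src": ":".join(octets[6:12]),
            "ethertype": "".join(octets[12:14])}


def parse_log_line(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    first = PRIO_RE.search(msg)                    # first marker carries the LOG rule's level
    level = int(first.group(1)) if first else None
    msg = strip_priority(msg[first.end():] if first else msg)
    idx = msg.find("IN=")
    if idx < 0:
        return None
    prefix, body = msg[:idx].strip(), msg[idx:]   # text before IN= is the --log-prefix
    fields, flags = {}, set()
    opt = OPT_RE.search(body)
    if opt:
        fields["OPT"] = opt.group(1)
        body = body[:opt.start()] + body[opt.end():]
    for tok in body.split():
        if "=" in tok:                             # ACK=0 is the ack number ...
            k, v = tok.split("=", 1)
            fields[k] = v
        else:                                      # ... a bare ACK/SYN/DF is a flag
            flags.add(tok)
    return {"ts": m.group("ts"), "host": m.group("host"), "level": level, "prefix": prefix,
            "fields": fields, "flags": flags, "mac": split_mac(fields.get("MAC", ""))}


def parse_log(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def packet_key(rec):
    """What makes a packet unique on the wire: endpoints plus IP ID and TCP sequence number."""
    f = rec["fields"]
    return tuple(f.get(k, "") for k in ("SRC", "SPT", "DST", "DPT", "PROTO", "ID", "SEQ"))


def summarize(recs):
    """A repeated key is the same packet logged again; a new key is another packet on the wire."""
    keys = Counter(packet_key(r) for r in recs)
    return {"entries": len(recs), "distinct": len(keys), "duplicates": len(recs) - len(keys),
            "by_target": Counter((r["fields"].get("DST"), r["fields"].get("PROTO"),
                                  r["fields"].get("DPT")) for r in recs)}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["ts"], r["prefix"], r["fields"]["SRC"], r["fields"]["SPT"], "->",
              r["fields"]["DPT"], sorted(r["flags"]))
    print(summarize(records))
```

Run against the posted pair of lines, summarize() reports two entries and two distinct packets, which is the point made in the replies: a different SPT and SEQ means a second SYN was actually sent, and a LOG rule with --limit 1/m --limit-burst 1 simply never logs the second one. Only a line whose whole key repeats, as the constructed third line does, counts as a duplicate log entry.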
 
