[opensuse] What is the meaning of these firewall log entries?
(192.168.1.14)
<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.171985] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16013 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.172846] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16014 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3129 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
udp port 6666 is open on the firewall on both machines. It corresponds to "netconsole", which should be sending kernel log entries to another machine (192.168.1.15), where I run this to capture entries:
netcat -u -l 6666 | tee -a remote_log
On sending machine (192.168.1.14) I do, for testing (netconsole fails):
netcat -u 192.168.1.15 6666
Hello world
^C
and it is printed on 192.168.1.15, thus the firewall is open. Right? Then why those drops in the firewall? Maybe that's the reason that netconsole is failing.
Both machines run 13.1. This same setup worked last December.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Thu, Feb 11, 2016 at 02:43:27PM +0100, Carlos E. R. wrote:
(192.168.1.14)
<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.171985] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16013 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.172846] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16014 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3129 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
udp port 6666 is open on the firewall on both machines. It corresponds to "netconsole", which should be sending kernel log entries to another machine (192.168.1.15), where I run this to capture entries:
netcat -u -l 6666 | tee -a remote_log
On sending machine (192.168.1.14) I do, for testing (netconsole fails):
netcat -u 192.168.1.15 6666
Hello world
^C
and it is printed on 192.168.1.15, thus the firewall is open. Right? Then why those drops in the firewall? Maybe that's the reason that netconsole is failing.
Both machines run 13.1. This same setup worked last December.
It is a ICMP message. TYPE=3 CODE=3 is "destination/port not reachable".
It was caused by a connection from 192.168.1.14 to 192.168.1.15 in UDP mode, port 6666:
[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
Ciao, Marcus
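The reading given in the reply above, as an added example (not code from the thread or from SuSEfirewall2): in such a log entry the fields before the bracket describe the dropped ICMP packet, and the bracketed part is the header of the datagram that ICMP error answers. The first two sample lines are copied from the thread, the third is constructed, and all function names are this example's own.

```python
import re

# First two entries are copied from the thread; the third is constructed
# (a dropped TCP SYN from a made-up host, which carries no embedded header).
SAMPLE_LOG = """\
<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.171985] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16013 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
<0.4> 2016-02-13 14:23:10 Telcontar kernel - - - [1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]
<0.4> 2016-02-13 14:30:00 Telcontar kernel - - - [1086500.000000] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.99 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# ICMP type/code pairs (RFC 792) that come up when reading such entries.
ICMP_MEANING = {
    (0, 0): "echo reply",
    (3, 0): "destination unreachable: network unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (8, 0): "echo request",
    (11, 0): "time exceeded: TTL exceeded in transit",
}

STAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")
EMBEDDED = re.compile(r"\[(SRC=[^\]]*)\]")  # header of the packet the ICMP error answers
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def fields(text):
    """KEY=value tokens as a dict; the first LEN (IP length) wins over the later UDP LEN."""
    out = {}
    for key, value in FIELD.findall(text):
        out.setdefault(key, value)
    return out


def parse_entry(line):
    """Split one netfilter LOG line into the logged packet and, if present, the packet it answers."""
    if " IN=" not in line:
        return None
    inner = EMBEDDED.search(line)
    outer = fields(EMBEDDED.sub("", line))
    stamp = STAMP.search(line)
    entry = {
        "time": stamp.group(0) if stamp else None,
        "proto": outer.get("PROTO"),
        "src": outer.get("SRC"),
        "dst": outer.get("DST"),
        "icmp": None,
        "original": None,
    }
    if entry["proto"] == "ICMP" and "TYPE" in outer:
        entry["icmp"] = (int(outer["TYPE"]), int(outer.get("CODE", 0)))
    if inner:
        orig = fields(inner.group(1))
        entry["original"] = {
            "proto": orig.get("PROTO"),
            "src": orig.get("SRC"),
            "spt": int(orig["SPT"]) if "SPT" in orig else None,
            "dst": orig.get("DST"),
            "dpt": int(orig["DPT"]) if "DPT" in orig else None,
        }
    return entry


def explain(entry):
    """One-line reading of a parsed entry."""
    if entry["icmp"] is None:
        return f'{entry["proto"]} packet from {entry["src"]} dropped'
    meaning = ICMP_MEANING.get(entry["icmp"], "type %d code %d" % entry["icmp"])
    text = f'ICMP "{meaning}" from {entry["src"]} dropped'
    o = entry["original"]
    if o:
        text += f', answering {o["proto"]} {o["src"]}:{o["spt"]} -> {o["dst"]}:{o["dpt"]}'
    return text


def summarize(log):
    """Group ICMP errors by the flow that triggered them, with first and last timestamps."""
    summary = {}
    for line in log.splitlines():
        e = parse_entry(line)
        if not e or not e["original"]:
            continue
        o = e["original"]
        key = (e["icmp"], o["proto"], o["src"], o["dst"], o["dpt"])
        row = summary.setdefault(key, {"count": 0, "first": e["time"], "last": e["time"]})
        row["count"] += 1
        row["last"] = e["time"]
    return summary


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(explain(parse_entry(line)))
    for key, row in summarize(SAMPLE_LOG).items():
        print(key, row)
```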
On 02/11/2016 05:48 AM, Marcus Meissner wrote:
It is a ICMP message. TYPE=3 CODE=3 is "destination/port not reachable".
It was caused by a connection from 192.168.1.14 to 192.168.1.15 in UDP mode, port 6666: [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
Ciao, Marcus
Could be the firewall dropping icmp on that interface, not realizing it is needed by some packages. Dropping ICMP at machines that are behind your main internet firewall is often less than productive.
-- After all is said and done, more is said than done.
On Thursday, 2016-02-11 at 11:06 -0800, John Andersen wrote:
On 02/11/2016 05:48 AM, Marcus Meissner wrote:
On Thu, Feb 11, 2016 at 02:43:27PM +0100, Carlos E. R. wrote:
It is a ICMP message. TYPE=3 CODE=3 is "destination/port not reachable".
It was caused by a connection from 192.168.1.14 to 192.168.1.15 in UDP mode, port 6666: [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
Could be the firewall dropping icmp on that interface, not realizing it is needed by some packages. Dropping ICMP at machines that are behind your main internet firewall is often less than productive.
Ah. I see... but I think that ICMP is allowed on all my computers. Or so I thought.
Ok, added an entry for it in the firewall of both machines. I'll see how it goes now...
-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Fri, Feb 12, 2016 at 4:22 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
Could be the firewall dropping icmp on that interface, not realizing it is needed by some packages. Dropping ICMP at machines that are behind your main internet firewall is often less than productive.
Ah. I see... but I think that ICMP is allowed on all my computers. Or so I thought.
I do not understand why ICMP is sent at all. According to your description netcat is listening to UDP port 6666 on 192.168.1.15. This icmp usually means that nobody on destination host listens to the specific port.
-- Mark Goldstein
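The behaviour described in the message above can be reproduced on loopback, as an added example that is not part of the thread: on Linux a connected UDP socket reports an incoming ICMP type 3 code 3 as ECONNREFUSED. The function names and the loopback setup are this example's assumptions; no firewall is involved in it.

```python
import socket


def probe_udp(host, port, timeout=0.5, attempts=3):
    """Send a datagram and report how the far end reacts.

    Returns "port-unreachable" when an ICMP port unreachable comes back
    (raised by the kernel as ECONNREFUSED on a connected UDP socket),
    "reply" when data comes back, and "silent" when nothing arrives in time.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connect() so ICMP errors are delivered to this socket
        for _ in range(attempts):
            try:
                s.send(b"Hello world\n")
                s.recv(1024)
                return "reply"
            except ConnectionRefusedError:
                return "port-unreachable"
            except socket.timeout:
                continue
    return "silent"


def demo():
    """Probe the same port with a listener bound (like `netcat -u -l`) and after it is gone."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.settimeout(1.0)
        listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
        port = listener.getsockname()[1]
        results["listener running"] = probe_udp("127.0.0.1", port, attempts=1)
        data, _ = listener.recvfrom(1024)
        results["payload received"] = data
    # The listener socket is closed now: same port, nobody listening any more.
    results["listener stopped"] = probe_udp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```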
On 2016-02-12 17:34, Mark Goldstein wrote:
On Fri, Feb 12, 2016 at 4:22 PM, Carlos E. R. wrote:
Could be the firewall dropping icmp on that interface, not realizing it is needed by some packages. Dropping ICMP at machines that are behind your main internet firewall is often less than productive.
Ah. I see... but I think that ICMP is allowed on all my computers. Or so I thought.
I do not understand why ICMP is sent at all. According to your description netcat is listening to UDP port 6666 on 192.168.1.15. This icmp usually means that nobody on destination host listens to the specific port.
This may be related to the main problem, that I can't make netconsole to work again. It was working during November-December, till a reboot.
http://lists.opensuse.org/opensuse/2016-01/msg00679.html [opensuse] Can't get remote kernel logging working.
Basically, I do:
modprobe netconsole
cd /sys/kernel/config/netconsole/
mkdir target1
cd target1/
echo "00:03:0D:05:17:FC" > remote_mac
echo 6666 > remote_port
echo 192.168.1.15 > remote_ip
cat dev_name
echo 1 > enabled
But nothing arrives at the destination machine 192.168.1.15. However, netcat works.
Well, it was working three hours ago, now it doesn't (and nothing on both firewalls). Oh, ok, it works after restarting netcat on the destination. Weird.
That's why I was interested in these firewall log entries. I know (now) that it is not the first time I have got caught by this issue of icmp, I opened it in the firewall, then I forgot. Sigh.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/12/2016 11:19 AM, Carlos E. R. wrote:
That's why I was interested in these firewall log entries. I know (now) that it is not the first time I have got caught by this issue of icmp, I opened it in the firewall, then I forgot. Sigh.
Are we sure that netconsole is involved at in in the icmp issue?
You only see the messages because your firewall blocks icmp. Were you not blocking, they would just go through and you would never know.
DHCP servers ping before leasing an IP, just to make sure no one manually assigned it. There are probably more legitimate uses for ping on your network as well.
It's uncommon to block icmp on your LAN, but common to block it on your Public facing Nic.
-- After all is said and done, more is said than done.
On 2016-02-13 04:18, John Andersen wrote:
On 02/12/2016 11:19 AM, Carlos E. R. wrote:
That's why I was interested in these firewall log entries. I know (now) that it is not the first time I have got caught by this issue of icmp, I opened it in the firewall, then I forgot. Sigh.
Are we sure that netconsole is involved at in in the icmp issue?
Well, it is configured to use the 6666 port and those machines, as printed in the firewall log message, so the assumption is that it is involved, yes.
Other log entries, that show netconsole is in use in that port:
<0.6> 2016-02-12 19:53:22 Telcontar kernel - - - [1047826.543640] netconsole: network logging stopped on interface eth0 as it unregistered
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069431] netpoll: netconsole: local port 6666
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069440] netpoll: netconsole: local IPv4 address 192.168.1.14
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069441] netpoll: netconsole: interface 'eth0'
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069442] netpoll: netconsole: remote port 6666
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069444] netpoll: netconsole: remote IPv4 address 192.168.1.15
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069445] netpoll: netconsole: remote ethernet address 00:03:0d:05:17:fc
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069477] console [netcon0] enabled
<0.6> 2016-02-12 19:53:32 Telcontar kernel - - - [1047837.069478] netconsole: network logging started
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213903] netpoll: netconsole: local port 6665
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213906] netpoll: netconsole: local IPv4 address 0.0.0.0
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213908] netpoll: netconsole: interface 'eth0'
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213909] netpoll: netconsole: remote port 6666
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213910] netpoll: netconsole: remote IPv4 address 192.168.1.15
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213912] netpoll: netconsole: remote ethernet address 00:03:0d:05:17:fc
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213914] netpoll: netconsole: local IP 192.168.1.14
<0.6> 2016-02-12 19:53:47 Telcontar kernel - - - [1047852.213916] netconsole: network logging started
You only see the messages because your firewall blocks icmp. Were you not blocking, they would just go through and you would never know.
Well, yes, but not now. I have explicitly opened icmp, but I have to wait a day or more to see if there are more entries in the log.
DHCP servers ping before leasing an IP, just to make sure no one manually assigned it. There are probably more legitimate uses for ping on your network as well.
Ping was never blocked. It was ICMP which was blocked, but not ping.
It's uncommon to block icmp on your LAN, but common to block it on your Public facing Nic.
I treat all internal interfaces as external, because I do not trust the firewall on the router, which is provided by my ISP. I have little control over it, and it does not receive security updates, AFAIK.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/12/2016 07:47 PM, Carlos E. R. wrote:
Ping was never blocked. It was ICMP which was blocked, but not ping.
Is there a difference?
https://en.wikipedia.org/wiki/Ping_(networking_utility)
-- After all is said and done, more is said than done.
On 2016-02-13 05:12, John Andersen wrote:
On 02/12/2016 07:47 PM, Carlos E. R. wrote:
Ping was never blocked. It was ICMP which was blocked, but not ping.
Is there a difference?
Yes.
Regardless of what that article might say, the command "ping 192.168.1.15" was working with icmp blocked.
ICMP is a protocol, and there are several types. A ping is "icmp echo".
Look, I have just disabled icmp, and tried ping; it works:
Telcontar:~ # ping 192.168.1.15
PING 192.168.1.15 (192.168.1.15) 56(84) bytes of data.
64 bytes from 192.168.1.15: icmp_seq=1 ttl=64 time=0.334 ms
64 bytes from 192.168.1.15: icmp_seq=2 ttl=64 time=0.334 ms
^C
--- 192.168.1.15 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Telcontar:~ #
The SuSEfirewall2 treats "pings" differently.
Perhaps this one:
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""
Notice that the default is yes.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/12/2016 08:32 PM, Carlos E. R. wrote:
On 2016-02-13 05:12, John Andersen wrote:
On 02/12/2016 07:47 PM, Carlos E. R. wrote:
Ping was never blocked. It was ICMP which was blocked, but not ping.
Is there a difference?
Yes.
Regardless of what that article might say, the command "ping 192.168.1.15" was working with icmp blocked.
ICMP is a protocol, and there are several types. A ping is "icmp echo".
Look, I have just disabled icmp, and tried ping; it works:
Telcontar:~ # ping 192.168.1.15
PING 192.168.1.15 (192.168.1.15) 56(84) bytes of data.
64 bytes from 192.168.1.15: icmp_seq=1 ttl=64 time=0.334 ms
64 bytes from 192.168.1.15: icmp_seq=2 ttl=64 time=0.334 ms
^C
--- 192.168.1.15 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
Telcontar:~ #
The SuSEfirewall2 treats "pings" differently.
Perhaps this one:
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""
Notice that the default is yes.
If you can ping then ping is allowed, and susefirewall is not running or is not configured to block. Defaults to YES if not set, and yours shows it is not set. So you are not blocking ping.
Susefirewall is very special (so I'm told), yet even it does not somehow rewrite RFC 792, one of the oldest RFCs defining the internet.
-- After all is said and done, more is said than done.
On Fri, 12 Feb 2016, John Andersen wrote:
Susefirewall is very special (so I'm told), yet even it does not somehow rewrite RFC 792, one of the oldest RFCs defining the internet.
Sorry if this is a bit off topic. It is clear that a lot of thought has gone into the SuSEfirewall2, but there are few comments in the code to explain the underlying thinking. To make it clearer what is happening, I found it instructive to add the sequence
-m comment --comment "${FUNCNAME}[${LINENO}]"
to all those iptables commands which create firewall rules. Be patient, there are 159 lines to update in 13.2, but a true l33t with vi and sed would have no problem. Here is an example of the commented output of command iptables -n --line-numbers -t filter -L INPUT
Chain INPUT (policy DROP)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    /* set_basic_rules[768] */
2    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    ctstate ESTABLISHED /* allow_basic_established[685] */
3    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0    ctstate RELATED /* allow_basic_established[699] */
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22 match-set hosts.allow-rule-1-inet src /* [2.1.ssh] */
5    input_ext  all  --  0.0.0.0/0    0.0.0.0/0    /* fork_to_chains[1488] */
6    LOG        all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 3/min burst 5 /* finish_chains[1507] */ LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
7    DROP       all  --  0.0.0.0/0    0.0.0.0/0    /* finish_chains[1508] */
This could even be a permanent feature of /sbin/SuSEfirewall2
Roger
On 13/02/16 04:23 AM, Roger Price wrote:
On Fri, 12 Feb 2016, John Andersen wrote:
Susefirewall is very special (so I'm told), yet even it does not somehow rewrite RFC 792, one of the oldest RFCs defining the internet.
Sorry if this is a bit off topic. It is clear that a lot of thought has gone into the SuSEfirewall2, but there are few comments in the code to explain the underlying thinking. To make it clearer what is happening, I found it instructive to add the sequence
-m comment --comment "${FUNCNAME}[${LINENO}]"
to all those iptables commands which create firewall rules. Be patient, there are 159 lines to update in 13.2, but a true l33t with vi and sed would have no problem. Here is an example of the commented output of command iptables -n --line-numbers -t filter -L INPUT
Chain INPUT (policy DROP)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    /* set_basic_rules[768] */
2    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    ctstate ESTABLISHED /* allow_basic_established[685] */
3    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0    ctstate RELATED /* allow_basic_established[699] */
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    tcp dpt:22 match-set hosts.allow-rule-1-inet src /* [2.1.ssh] */
5    input_ext  all  --  0.0.0.0/0    0.0.0.0/0    /* fork_to_chains[1488] */
6    LOG        all  --  0.0.0.0/0    0.0.0.0/0    limit: avg 3/min burst 5 /* finish_chains[1507] */ LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
7    DROP       all  --  0.0.0.0/0    0.0.0.0/0    /* finish_chains[1508] */
This could even be a permanent feature of /sbin/SuSEfirewall2
Roger
This is not SUSEfirewall's doing, it is iptables. You could craft all those rules by hand, if you were to be so brave ;)
On Sat, 13 Feb 2016, Darryl Gregorash wrote:
On 13/02/16 04:23 AM, Roger Price wrote:
On Fri, 12 Feb 2016, John Andersen wrote: ... to add the sequence
-m comment --comment "${FUNCNAME}[${LINENO}]"
to all those iptables commands which create firewall rules.
This is not SUSEfirewall's doing, it is iptables.
Perhaps I wasn't clear enough - the rules shown, with exception of one, were defined by /sbin/SuSEfirewall2, part of SuSEfirewall. It's the SUSE firewall which is commenting its own action in the rules it creates. Command iptables... displays the firewall created by SuSEfirewall2.
You could craft all those rules by hand, if you were to be so brave ;)
My idea of courage is to stand behind someone bigger ;)
Roger
On 12/02/16 10:32 PM, Carlos E. R. wrote:
> On 2016-02-13 05:12, John Andersen wrote:
>> On 02/12/2016 07:47 PM, Carlos E. R. wrote:
>>> Ping was never blocked. It was ICMP which was blocked, but not ping.
>>
>> Is there a difference?
>>
>> https://en.wikipedia.org/wiki/Ping_(networking_utility)
>
> Yes.
>
> Regardless of what that article might say, the command "ping 192.168.1.15" was working with icmp blocked.
>
> ICMP is a protocol, and there are several types. A ping is "icmp echo".
>
> Look, I have just disabled icmp, and tried ping; it works:
>
> Telcontar:~ # ping 192.168.1.15
> PING 192.168.1.15 (192.168.1.15) 56(84) bytes of data.
> 64 bytes from 192.168.1.15: icmp_seq=1 ttl=64 time=0.334 ms
> 64 bytes from 192.168.1.15: icmp_seq=2 ttl=64 time=0.334 ms
> ^C
> --- 192.168.1.15 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.334/0.334/0.334/0.000 ms
> Telcontar:~ #
>
> The SuSEfirewall2 treats "pings" differently.
>
> Perhaps this one:
>
> # Allow the firewall to reply to icmp echo requests
> #
> # defaults to "yes" if not set
> #
> FW_ALLOW_PING_FW=""
>
> Notice that the default is yes.
You're saying the same thing as John, except slightly different, and a lot more complicated. Iptables allows you to do an awful lot of nifty things, including allowing ping requests while blocking other ICMP traffic.
A ping (echo request) is an ICMP type 8 message. The response is an echo reply, which is an ICMP type 0.
None of which is relevant I think. Marcus said it in the very first response to you: the destination host appears to be blocking UDP on port 6666. That is pretty much obvious in the logged firewall messages. The destination's response is a "port unreachable" response, ie. an ICMP type 3/code 3 message.
If you will just open UDP on port 6666 on your LAN systems, I think you will find all is fine.
On 2016-02-13 13:26, Darryl Gregorash wrote:
On 12/02/16 10:32 PM, Carlos E. R. wrote:
You're saying the same thing as John, except slightly different, and a lot more complicated. Iptables allows you to do an awful lot of nifty things, including allowing ping requests while blocking other ICMP traffic.
Yes.
A ping (echo request) is an ICMP type 8 message. The response is an echo reply, which is an ICMP type 0.
Yes.
None of which is relevant I think. Marcus said it in the very first response to you:
But which I did not understand.
the destination host appears to be blocking UDP on port 6666. That is pretty much obvious in the logged firewall messages. The destination's response is a "port unreachable" response, ie. an ICMP type 3/code 3 message.
If you will just open UDP on port 6666 on your LAN systems, I think you will find all is fine.
But the thing is, the port is open! Has been opened for months. Which is why it doesn't make sense. And the other detail, which I found out today, is that the event *only* happens during the process of going into hibernation. I saw the messages flashing by in the screen, yesterday, and today I read them in the log. The destination machine doesn't log any blocked package at that time in the firewall log (both machines run oS 13.1), but it is not set to log all, anyway. But the content of those packets on port 6666 are being correctly written to the intended file, so they are traversing the firewall correctly.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
13.02.2016 06:18, John Andersen wrote:
On 02/12/2016 11:19 AM, Carlos E. R. wrote:
That's why I was interested in these firewall log entries. I know (now) that it is not the first time I have got caught by this issue of icmp, I opened it in the firewall, then I forgot. Sigh.
Are we sure that netconsole is involved at in in the icmp issue?
You only see the messages because your firewall blocks icmp.
No. He sees this message because other system blocks UDP
[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
Were you not blocking, they would just go through and you would never know.
DHCP servers ping before leasing an IP, just to make sure no one manually assigned it. There are probably more legitimate uses for ping on your network as well.
It's uncommon to block icmp on your LAN, but common to block it on your Public facing Nic.
On 2016-02-13 05:56, Andrei Borzenkov wrote:
No. He sees this message because other system blocks UDP
[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
But that is not possible. I have explicitly open "udp,6666" on both machines:
FW_TRUSTED_NETS="192.168.1.14,udp,syslog 192.168.1.14,tcp,514 192.168.1.14,udp,6666 192.168.1.14,icmp"
and conversely on the other machine.
In fact, "netcat -u 192.168.1.15 6666" succeeds to send text to the other machine.
The strange thing is that it stops working after some time (hours?), and I have to restart on the listener:
netcat -u -l 6666 | tee -a remote_log
Apparently, it happens when I stop the sender.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
13.02.2016 08:08, Carlos E. R. wrote:
On 2016-02-13 05:56, Andrei Borzenkov wrote:
No. He sees this message because other system blocks UDP
[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
But that is not possible. I have explicitly open "udp,6666" on both machines:
OK "blocks" was the wrong word, sorry.
FW_TRUSTED_NETS="192.168.1.14,udp,syslog 192.168.1.14,tcp,514 192.168.1.14,udp,6666 192.168.1.14,icmp"
and conversely on the other machine.
In fact, "netcat -u 192.168.1.15 6666" succeeds to send text to the other machine.
The strange thing is that it stops working after some time (hours?), and I have to restart on the listener:
Yes. The message you get means nobody is listening on this port and you just confirmed that it stops working after some time - which very much sounds like it stops listening. Check timestamps on port unreachable messages, compare with timestamps when it stops working.
netcat -u -l 6666 | tee -a remote_log
Apparently, it happens when I stop the sender.
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
> 13.02.2016 08:08, Carlos E. R. wrote:
>> On 2016-02-13 05:56, Andrei Borzenkov wrote:
>>
>>> No. He sees this message because other system blocks UDP
>>>
>>> [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
>>
>> But that is not possible. I have explicitly open "udp,6666" on both machines:
>
> OK "blocks" was the wrong word, sorry.
The problem is, "blocks" is the /right/ word. AFAIK, you will only get a "port unreachable" reply from a remote system *if and only if* the port is blocked by the remote's firewall. Someone correct me if I am wrong, but I do believe, if the port is open but there is no service listening, then the message will simply time out without a response.
Perhaps iptables is smart enough to figure that out, and then send a "time exceeded" response (ICMP type 11), but that certainly is not what is happening here.
>> FW_TRUSTED_NETS="192.168.1.14,udp,syslog 192.168.1.14,tcp,514 192.168.1.14,udp,6666 192.168.1.14,icmp"
>>
>> and conversely on the other machine.
>>
>> In fact, "netcat -u 192.168.1.15 6666" succeeds to send text to the other machine.
>>
>> The strange thing is that it stops working after some time (hours?), and I have to restart on the listener:
>
> Yes. The message you get means nobody is listening on this port and you just confirmed that it stops working after some time - which very much sounds like it stops listening. Check timestamps on port unreachable messages, compare with timestamps when it stops working.
>
>> netcat -u -l 6666 | tee -a remote_log
>>
>> Apparently, it happens when I stop the sender.
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
The problem is, "blocks" is the /right/ word. AFAIK, you will only get a "port unreachable" reply from a remote system *if and only if* the port is blocked by the remote's firewall. Someone correct me if I am wrong, but I do believe, if the port is open but there is no service listening, then the message will simply time out without a response.
And it is open in the firewall.
Perhaps iptables is smart enough to figure that out, and then send a "time exceeded" response (ICMP type 11), but that certainly is not what is happening here.
Correct.
I have determined some important info: the event happens only when I hibernate the sender machine (...14). I saw the messages going by in the screen while the machine hibernates. The timestamp corresponds to the thawing, because then is when it has a chance to write them:
<0.4> 2016-02-13 14:23:10 Telcontar kernel - - - [1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]
<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.830161] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=3401 PROTO=UDP SPT=6666 DPT=6666 LEN=59 ]
<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.831316] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=369 TOS=0x00 PREC=0xC0 TTL=64 ID=52523 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=341 TOS=0x00 PREC=0x00 TTL=64 ID=3403 PROTO=UDP SPT=6666 DPT=6666 LEN=321 ]
<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.831843] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=370 TOS=0x00 PREC=0xC0 TTL=64 ID=52524 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=342 TOS=0x00 PREC=0x00 TTL=64 ID=3405 PROTO=UDP SPT=6666 DPT=6666 LEN=322 ]
<0.4> 2016-02-13 14:23:12 Telcontar kernel - - - [1086086.832754] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=52525 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=3407 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ]
During all this time, on 192.168.1.15 there is a "netcat -u -l 6666 | tee -a remote_log" process logging entries coming from 192.168.1.14, by netconsole, which TODAY is indeed working, as I got entries in the remote_log file:
[1086086.299979] Syncing filesystems ...
[1086086.299979] Syncing filesystems ... done.
[1086086.828979] Freezing user space processes ...
[1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ]
[1086086.830161] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=3401 PROTO=UDP SPT=6666 DPT=6666 LEN=59 ]
... ...
[1086096.119680] Restarting kernel threads ... done.
[1086096.125260] Restarting tasks ... done.
So everything is working now, except those dropped ICMP messages despite the port being open, and the packages being accepted and logged. But only during the hibernation process.
-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Saturday, 2016-02-13 at 14:49 +0100, Carlos E. R. wrote:
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
I have determined some important info: the event happens only when I hibernate the sender machine (...14). I saw the messages going by in the screen while the machine hibernates. The timestamp corresponds to the thawing, because then is when it has a chance to write them:
It may be related to these entries in the sender machine log:

<3.4> 2016-02-13 06:30:37 Telcontar pm-utils - - - Hibernating the system now (04)...
<3.5> 2016-02-13 06:30:37 Telcontar pm-utils - - - There appears not be any pending nntp post to be sent. I just checked :-)
<1.5> 2016-02-13 06:30:37 Telcontar network 2055 - - redirecting to "systemctl --signal=9 kill network.service"
<3.5> 2016-02-13 06:30:37 Telcontar systemd 1 - - network@eth0.service: main process exited, code=killed, status=9/KILL
<3.6> 2016-02-13 06:30:37 Telcontar systemd 1 - - Stopping LSB: Network time protocol daemon (ntpd)...
<3.6> 2016-02-13 06:30:38 Telcontar ntp 2079 - - Shutting down network time protocol daemon (NTPD)..done
<1.6> 2016-02-13 06:30:38 Telcontar org.freedesktop.UDisks 1047 - - **** /proc/self/mountinfo changed
<3.6> 2016-02-13 06:30:38 Telcontar systemd 1 - - Stopped LSB: Network time protocol daemon (ntpd).
<3.4> 2016-02-13 06:30:38 Telcontar pm-utils - - - Hibernating (95)...
<0.7> 2016-02-13 06:31:01 Telcontar kernel - - - [1086085.630918] PM: Marking nosave pages: [mem 0x0009f000-0x000fffff]

I think that it is not that the receiver has the port closed, but that the sender machine is halting its own network service causing spurious log entries on the firewall (when packets can not be sent by the kernel netconsole), with incorrect content.

-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 13/02/16 08:26 AM, Carlos E. R. wrote:
On Saturday, 2016-02-13 at 14:49 +0100, Carlos E. R. wrote:
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
I have determined some important info: the event happens only when I hibernate the sender machine (...14). I saw the messages going by in the screen while the machine hibernates. The timestamp corresponds to the thawing, because then is when it has a chance to write them:
It may be related to these entries in the sender machine log:
<3.4> 2016-02-13 06:30:37 Telcontar pm-utils - - - Hibernating the system now (04)... <3.5> 2016-02-13 06:30:37 Telcontar pm-utils - - - There appears not be any pending nntp post to be sent. I just checked :-) <1.5> 2016-02-13 06:30:37 Telcontar network 2055 - - redirecting to "systemctl --signal=9 kill network.service" <3.5> 2016-02-13 06:30:37 Telcontar systemd 1 - - network@eth0.service: main process exited, code=killed, status=9/KILL <3.6> 2016-02-13 06:30:37 Telcontar systemd 1 - - Stopping LSB: Network time protocol daemon (ntpd)... <3.6> 2016-02-13 06:30:38 Telcontar ntp 2079 - - Shutting down network time protocol daemon (NTPD)..done <1.6> 2016-02-13 06:30:38 Telcontar org.freedesktop.UDisks 1047 - - **** /proc/self/mountinfo changed <3.6> 2016-02-13 06:30:38 Telcontar systemd 1 - - Stopped LSB: Network time protocol daemon (ntpd). <3.4> 2016-02-13 06:30:38 Telcontar pm-utils - - - Hibernating (95)... <0.7> 2016-02-13 06:31:01 Telcontar kernel - - - [1086085.630918] PM: Marking nosave pages: [mem 0x0009f000-0x000fffff]
I think that it is not that the receiver has the port closed, but that the sender machine is halting its own network service causing spurious log entries on the firewall (when packets can not be sent by the kernel netconsole), with incorrect content.
If the sender machine (Telcontar is ...14, I am assuming) has halted its network, then its firewall should be closed to all traffic, outbound as well as inbound. In that case, nothing should be reaching ...15, so there should be no "port unreachable" replies from that system. At most, you should be seeing default dropped *outbound* packets addressed to port 6666 on ....15, not ICMP responses from the remote system. Very, very very strange..... to make sense of this, we are almost required to believe that Telcontar is dropping outbound UDP packets, but instead is logging incoming ICMP responses which are being dropped and logged. If you have the time, would you be willing to log *all* firewall traffic on *both* systems, and then wade through both logs to see if there is any additional evidence to suggest what is going on? That will be a lot of work, I know, but it may be the only way we will be able to get to the bottom of this.
On 13/02/16 07:49 AM, Carlos E. R. wrote:
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
During all this time, on 192.168.1.15 there is a "netcat -u -l 6666 | tee -a remote_log" process logging entries coming from 192.168.1.14, by netconsole, which TODAY is indeed working, as I got entries in the remote_log file:
[1086086.299979] Syncing filesystems ... [1086086.299979] Syncing filesystems ... done. [1086086.828979] Freezing user space processes ... [1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ] [1086086.830161] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=3401 PROTO=UDP SPT=6666 DPT=6666 LEN=59 ] ... ... [1086096.119680] Restarting kernel threads ... done. [1086096.125260] Restarting tasks ... done.
So everything is working now, except those dropped ICMP messages despite the port being open, and the packages being accepted and logged. But only during the hibernation process.
These log entries are from ...14, yes? If these are being sent by ...15, perhaps that system might have corresponding log entries to indicate why the ICMP packets are being sent in the first place. If ...15's firewall is open on port 6666, there is no reason at all why it should be sending "port unreachable" responses. Since there is something listening on that port on that system, there should be no ICMP messages from ..15 to ..14 at all. =-O :-\ :'( (I can't find a smiley for "tearing my hair out" so I picked 3 alternates ;) )
On 2016-02-13 18:27, Darryl Gregorash wrote:
On 13/02/16 08:26 AM, Carlos E. R. wrote:
I think that it is not that the receiver has the port closed, but that the sender machine is halting its own network service causing spurious log entries on the firewall (when packets can not be sent by the kernel netconsole), with incorrect content.
If the sender machine (Telcontar is ...14, I am assuming)
Correct.
has halted its network, then its firewall should be closed to all traffic, outbound as well as inbound. In that case, nothing should be reaching ...15, so there should be no "port unreachable" replies from that system.
Yep.
At most, you should be seeing default dropped *outbound* packets addressed to port 6666 on ....15, not ICMP responses from the remote system.
Very, very very strange..... to make sense of this, we are almost required to believe that Telcontar is dropping outbound UDP packets, but instead is logging incoming ICMP responses which are being dropped and logged.
If you have the time, would you be willing to log *all* firewall traffic on *both* systems, and then wade through both logs to see if there is any additional evidence to suggest what is going on? That will be a lot of work, I know, but it may be the only way we will be able to get to the bottom of this.
A tcp dump? Or tell SuSEfirewall2 to log everything?

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"

I can set all of them to "yes" prior to hibernation, and undo after. It is simple to do.

I need to code something first. I need a pipe that receives text entries, and writes them to stdout prefixed with a timestamp. I coded this years ago, but apparently I lost it. I know how to do it, just that I wanted to avoid it.

On 2016-02-13 18:38, Darryl Gregorash wrote:
On 13/02/16 07:49 AM, Carlos E. R. wrote:
On 2016-02-13 13:32, Darryl Gregorash wrote:
On 12/02/16 11:47 PM, Andrei Borzenkov wrote:
During all this time, on 192.168.1.15 there is a "netcat -u -l 6666 | tee -a remote_log" process logging entries coming from 192.168.1.14, by netconsole, which TODAY is indeed working, as I got entries in the remote_log file:
[1086086.299979] Syncing filesystems ... [1086086.299979] Syncing filesystems ... done. [1086086.828979] Freezing user space processes ... [1086086.829327] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=62 TOS=0x00 PREC=0xC0 TTL=64 ID=52521 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=34 TOS=0x00 PREC=0x00 TTL=64 ID=3399 PROTO=UDP SPT=6666 DPT=6666 LEN=14 ] [1086086.830161] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=107 TOS=0x00 PREC=0xC0 TTL=64 ID=52522 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=3401 PROTO=UDP SPT=6666 DPT=6666 LEN=59 ] ... ... [1086096.119680] Restarting kernel threads ... done. [1086096.125260] Restarting tasks ... done.
So everything is working now, except those dropped ICMP messages despite the port being open, and the packages being accepted and logged. But only during the hibernation process.
These log entries are from ...14, yes?
Yes.
If these are being sent by ...15, perhaps that system might have corresponding log entries to indicate why the ICMP packets are being sent in the first place.
Not in the firewall log. The instant of interest is 06:30:37:

<3.6> 2016-02-13T06:20:01.030169+01:00 AmonLanc systemd 1 - - Started Session 6981 of user root.
<3.3> 2016-02-13T06:29:18.004882+01:00 AmonLanc nmbd 2044 - - [2016/02/13 06:29:18.004425, 0] ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_n
<3.3> 2016-02-13T06:29:18.005770+01:00 AmonLanc nmbd 2044 - - find_domain_master_name_query_fail:
<3.3> 2016-02-13T06:29:18.006400+01:00 AmonLanc nmbd 2044 - - Unable to find the Domain Master Browser name VALINOR<1b> for the workgroup VALINOR.
<3.3> 2016-02-13T06:29:18.006963+01:00 AmonLanc nmbd 2044 - - Unable to sync browse lists in this workgroup.
<3.6> 2016-02-13T06:30:01.388548+01:00 AmonLanc systemd 1 - - Starting Session 6982 of user root.
<3.6> 2016-02-13T06:30:01.390475+01:00 AmonLanc systemd 1 - - Started Session 6982 of user root.
<3.6> 2016-02-13T06:30:01.421528+01:00 AmonLanc systemd 1 - - Starting Session 6983 of user root.
<3.6> 2016-02-13T06:30:01.423313+01:00 AmonLanc systemd 1 - - Started Session 6983 of user root.
<3.6> 2016-02-13T06:40:02.031776+01:00 AmonLanc systemd 1 - - Starting Session 6984 of user root.
<3.6> 2016-02-13T06:40:02.036370+01:00 AmonLanc systemd 1 - - Started Session 6984 of user root.
<3.3> 2016-02-13T06:44:23.767151+01:00 AmonLanc nmbd 2044 - - [2016/02/13 06:44:23.766771, 0] ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_n

The nmbd entries are unrelated, I see more entries all the time.
If ...15's firewall is open on port 6666, there is no reason at all why it should be sending "port unreachable" responses. Since there is something listening on that port on that system, there should be no ICMP messages from ..15 to ..14 at all.
=-O :-\ :'( (I can't find a smiley for "tearing my hair out" so I picked 3 alternates ;) )
Yes, that's the curious thing about it. My hypothesis is that it goes nuts while Telcontar is handling the start into hibernation and the network interface is closed. The "netconsole" thing is pretty low level in the kernel, because it has to work when other things do not work. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
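Added example, not part of the thread: one way to wade through a full SuSEfirewall2 log like the one proposed above is to group entries by packet and decode the datagram that each ICMP error quotes in square brackets. The function names and the sample lines are constructed for illustration; the log prefixes, addresses and field layout follow the entries quoted in this thread.

```python
import re

# Constructed sample, modelled on the entries quoted in this thread.
_ICMP = (
    "<0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [{t}] {prefix} IN=eth0 OUT= "
    "MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 "
    "LEN=225 TOS=0x00 PREC=0xC0 TTL=64 ID={ip_id} PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.168.1.14 DST=192.168.1.15 LEN=197 TOS=0x00 PREC=0x00 TTL=64 ID=3669 "
    "PROTO=UDP SPT=6666 DPT=6666 LEN=177 ]"
)
SAMPLE_LINES = [
    "<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating (95)...",
    "<0.4> 2016-02-13 21:01:05 Telcontar kernel - - - [1109979.237673] SFW2-IN-ACC-EST "
    "IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 "
    "DST=192.168.1.14 LEN=296 TOS=0x10 PREC=0x00 TTL=64 ID=62559 DF PROTO=TCP SPT=22 "
    "DPT=35744 WINDOW=660 RES=0x00 ACK PSH URGP=0",
    _ICMP.format(t="1109981.110335", prefix="SFW2-INext-ACC-TRUST", ip_id=21476),
    _ICMP.format(t="1109981.110374", prefix="SFW2-INext-DROP-DEFLT", ip_id=21476),
    _ICMP.format(t="1109981.110407", prefix="SFW2-INext-DROP-DEFLT", ip_id=21477),
]

# Kernel timestamp, SFW2 log prefix, then the netfilter KEY=VALUE fields.
ENTRY_RE = re.compile(r"\[\s*(\d+\.\d+)\]\s+(SFW2-[\w-]+)\s+(.*)$")

# ICMP type 3 (destination unreachable) codes, RFC 792.
ICMP_UNREACH = {"0": "net unreachable", "1": "host unreachable",
                "2": "protocol unreachable", "3": "port unreachable"}


def _fields(text):
    """Split 'KEY=VALUE' tokens into a dict; bare tokens (DF, ACK, ...) are flags.
    A repeated key (the UDP LEN after the IP LEN) keeps the last value."""
    fields, flags = {}, []
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.append(token)
    return fields, flags


def parse_line(line):
    """Return a dict for a firewall entry, or None for any other log line."""
    match = ENTRY_RE.search(line)
    if not match:
        return None
    ktime, prefix, rest = match.groups()
    # An ICMP error quotes the offending datagram's header inside [ ... ].
    outer_text, _, inner_text = rest.partition("[")
    outer, flags = _fields(outer_text)
    embedded = _fields(inner_text.rstrip().rstrip("]"))[0] if inner_text else None
    return {"ktime": float(ktime), "prefix": prefix, "outer": outer,
            "flags": flags, "embedded": embedded}


def group_packets(lines, window=0.01):
    """Group entries that describe the same packet. The key (SRC, DST, PROTO,
    IP ID) is a heuristic: IDs repeat (ID=0 with DF set), so entries are only
    merged when logged within `window` seconds of each other."""
    groups, latest = [], {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        o = entry["outer"]
        key = (o.get("SRC"), o.get("DST"), o.get("PROTO"), o.get("ID"))
        group = latest.get(key)
        if group is None or entry["ktime"] - group["entries"][-1]["ktime"] > window:
            group = {"key": key, "entries": []}
            groups.append(group)
            latest[key] = group
        group["entries"].append(entry)
    return groups


def icmp_replies_to_local(lines, local_ip):
    """List ICMP 'destination unreachable' packets that quote a datagram sent
    by local_ip, with every log prefix each packet matched, in order."""
    report = []
    for group in group_packets(lines):
        first = group["entries"][0]
        o, emb = first["outer"], first["embedded"]
        if o.get("PROTO") != "ICMP" or o.get("TYPE") != "3" or not emb:
            continue
        if emb.get("SRC") != local_ip:
            continue  # the error is about a datagram this host did not send
        report.append({
            "ip_id": o.get("ID"),
            "reporter": o.get("SRC"),
            "meaning": ICMP_UNREACH.get(o.get("CODE"), "code %s" % o.get("CODE")),
            "original": "%s %s:%s -> %s:%s" % (
                emb.get("PROTO", "?"), emb.get("SRC", "?"), emb.get("SPT", "?"),
                emb.get("DST", "?"), emb.get("DPT", "?")),
            "prefixes": [e["prefix"] for e in group["entries"]],
        })
    return report


if __name__ == "__main__":
    for row in icmp_replies_to_local(SAMPLE_LINES, "192.168.1.14"):
        print("ID=%(ip_id)s from %(reporter)s: %(meaning)s for %(original)s" % row,
              "logged as", " then ".join(row["prefixes"]))
```

Run against the real file by passing `open("/var/log/firewall")` instead of `SAMPLE_LINES`; a packet that shows more than one prefix was matched by more than one logging rule.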
On Saturday, 2016-02-13 at 19:50 +0100, Carlos E. R. wrote:
A tcp dump? Or tell SuSEfirewall2 to log everything?
FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no"
I can set all of them to "yes" prior to hibernation, and undo after. It is simple to do.
Done. Let's extract the firewall data.

<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating the system now (04)...
<3.5> 2016-02-13 21:01:07 Telcontar pm-utils - - - There appears not be any pending nntp post to be sent. I just checked :-)
<1.5> 2016-02-13 21:01:07 Telcontar network 24855 - - redirecting to "systemctl --signal=9 kill network.service"
<3.5> 2016-02-13 21:01:07 Telcontar systemd 1 - - network@eth0.service: main process exited, code=killed, status=9/KILL
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopping LSB: Network time protocol daemon (ntpd)...
<3.6> 2016-02-13 21:01:07 Telcontar ntp 24879 - - Shutting down network time protocol daemon (NTPD)..done
<1.6> 2016-02-13 21:01:07 Telcontar org.freedesktop.UDisks 1047 - - **** /proc/self/mountinfo changed
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopped LSB: Network time protocol daemon (ntpd).
<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating (95)...

So I have to look around 21:01:07.

There are too many entries, so I'll filter.

grep "192.168.1" /var/log/firewall | less -S

Better, but I had to clear out some entries manually.
<0.4> 2016-02-13 21:01:00 Telcontar kernel - - - [1109974.805902] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:f8:8e:85:64:78:f2:08:00 SRC=8.8.8.8 DST=192.168.1.14 LEN=109 TOS=0x00 PREC=0x00 TTL=53 ID=50379 PROTO=UDP SPT=53 DPT=34795 LEN=89 <0.4> 2016-02-13 21:01:01 Telcontar kernel - - - [1109974.942422] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=168 TOS=0x10 PREC=0x00 TTL=64 ID=62557 DF PROTO=TCP SPT=22 DPT=35744 WINDOW=660 RES=0x00 ACK PSH URGP=0 OPT (0101080A258D7DEF42244330) <0.4> 2016-02-13 21:01:01 Telcontar kernel - - - [1109974.957405] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=152 TOS=0x10 PREC=0x00 TTL=64 ID=62558 DF PROTO=TCP SPT=22 DPT=35744 WINDOW=660 RES=0x00 ACK PSH URGP=0 OPT (0101080A258D7DF342244BBF) <0.4> 2016-02-13 21:01:02 Telcontar kernel - - - [1109975.889553] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=47192 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK PSH URGP=0 OPT (0101080A00293F374224437E) <0.4> 2016-02-13 21:01:02 Telcontar kernel - - - [1109975.891009] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47193 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK URGP=0 OPT (0101080A00293F3742244F73) <0.4> 2016-02-13 21:01:04 Telcontar kernel - - - [1109978.694724] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21 DPT=45873 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0029404F42245A6601030300) <0.4> 2016-02-13 21:01:04 Telcontar kernel - - - [1109978.746814] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 
LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=5135 DF PROTO=TCP SPT=21 DPT=45873 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029405442245A67) <0.4> 2016-02-13 21:01:05 Telcontar kernel - - - [1109978.952868] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=47194 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029406942244F73) <0.4> 2016-02-13 21:01:05 Telcontar kernel - - - [1109978.954277] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47195 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK URGP=0 OPT (0101080A0029406942245B6A) <0.4> 2016-02-13 21:01:05 Telcontar kernel - - - [1109979.237673] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=296 TOS=0x10 PREC=0x00 TTL=64 ID=62559 DF PROTO=TCP SPT=22 DPT=35744 WINDOW=660 RES=0x00 ACK PSH URGP=0 OPT (0101080A258D822142244BCE) <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.109873] SFW2-INext-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.1.14 DST=224.0.0.251 LEN=71 TOS=0x00 PREC=0x00 TTL=255 ID=19143 DF PROTO=UDP SPT=5353 DPT=5353 LEN=51 <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.109977] SFW2-INext-ACC-UDP IN=eth0 OUT= MAC= SRC=192.168.1.14 DST=224.0.0.251 LEN=95 TOS=0x00 PREC=0x00 TTL=255 ID=19144 DF PROTO=UDP SPT=5353 DPT=5353 LEN=75 <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110335] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=225 TOS=0x00 PREC=0xC0 TTL=64 ID=21476 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=197 TOS=0x00 PREC=0x00 TTL=64 ID=3669 PROTO=UDP SPT=6666 DPT=6666 LEN=177 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110374] SFW2-INext-DROP-DEFLT IN=eth0 OUT= 
MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=225 TOS=0x00 PREC=0xC0 TTL=64 ID=21476 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=197 TOS=0x00 PREC=0x00 TTL=64 ID=3669 PROTO=UDP SPT=6666 DPT=6666 LEN=177 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110393] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=225 TOS=0x00 PREC=0xC0 TTL=64 ID=21477 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=197 TOS=0x00 PREC=0x00 TTL=64 ID=3671 PROTO=UDP SPT=6666 DPT=6666 LEN=177 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110407] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=225 TOS=0x00 PREC=0xC0 TTL=64 ID=21477 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=197 TOS=0x00 PREC=0x00 TTL=64 ID=3671 PROTO=UDP SPT=6666 DPT=6666 LEN=177 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110788] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=21478 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3673 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110815] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=21478 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3673 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110828] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=21479 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 
LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=3675 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110838] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=21479 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=3675 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110851] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=21480 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3677 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110862] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=21480 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3677 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110875] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=21481 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=3679 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ] <0.4> 2016-02-13 21:01:07 Telcontar kernel - - - [1109981.110885] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=372 TOS=0x00 PREC=0xC0 TTL=64 ID=21481 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=3679 PROTO=UDP SPT=6666 DPT=6666 LEN=324 ] <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.014818] SFW2-IN-ACC-EST IN=eth0 OUT= 
MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=47196 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029419B42245B6A) <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.016213] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47197 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK URGP=0 OPT (0101080A0029419B42246760) <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.526824] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=91 TOS=0x00 PREC=0x00 TTL=64 ID=47198 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK PSH URGP=0 OPT (0101080A002941CE42246760) <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.527299] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=321 TOS=0x00 PREC=0xC0 TTL=64 ID=21482 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3701 PROTO=UDP SPT=6666 DPT=6666 LEN=273 ] <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.527320] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=321 TOS=0x00 PREC=0xC0 TTL=64 ID=21482 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3701 PROTO=UDP SPT=6666 DPT=6666 LEN=273 ] <0.4> 2016-02-13 21:01:08 Telcontar kernel - - - [1109982.528359] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47199 DF PROTO=TCP SPT=1441 DPT=139 WINDOW=5840 RES=0x00 ACK URGP=0 OPT (0101080A002941CE42246960) <0.4> 2016-02-13 21:01:09 Telcontar kernel - - - [1109983.747804] SFW2-IN-ACC-EST IN=eth0 OUT= 
MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=21 DPT=45876 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0029424842246E2401030300) <0.4> 2016-02-13 21:01:09 Telcontar kernel - - - [1109983.748319] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=333 TOS=0x00 PREC=0xC0 TTL=64 ID=21483 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=3733 PROTO=UDP SPT=6666 DPT=6666 LEN=285 ] <0.4> 2016-02-13 21:01:09 Telcontar kernel - - - [1109983.748353] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=333 TOS=0x00 PREC=0xC0 TTL=64 ID=21483 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=3733 PROTO=UDP SPT=6666 DPT=6666 LEN=285 ] <0.4> 2016-02-13 21:01:09 Telcontar kernel - - - [1109983.788714] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=5283 DF PROTO=TCP SPT=21 DPT=45876 WINDOW=5792 RES=0x00 ACK PSH URGP=0 OPT (0101080A0029424C42246E24) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109983.996074] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=35261 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0029426142246F1C01030300) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109983.997196] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:01:02:03:04:05:08:00 SRC=192.168.1.2 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=47450 DF PROTO=TCP SPT=80 DPT=35261 WINDOW=6432 RES=0x00 ACK URGP=0 OPT (0101080A0029426142246F1D) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.155897] SFW2-INext-ACC-TRUST IN=eth0 
OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=322 TOS=0x00 PREC=0xC0 TTL=64 ID=21484 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=3795 PROTO=UDP SPT=6666 DPT=6666 LEN=274 ] <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.155931] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=322 TOS=0x00 PREC=0xC0 TTL=64 ID=21484 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=3795 PROTO=UDP SPT=6666 DPT=6666 LEN=274 ] <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.286306] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4080 DPT=42574 WINDOW=28960 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A258D870F4224703E01030306) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.286790] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=43602 DF PROTO=TCP SPT=4080 DPT=42574 WINDOW=470 RES=0x00 ACK URGP=0 OPT (0101080A258D87104224703F) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.298920] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=193 TOS=0x00 PREC=0x00 TTL=64 ID=43603 DF PROTO=TCP SPT=4080 DPT=42574 WINDOW=470 RES=0x00 ACK PSH URGP=0 OPT (0101080A258D87134224703F) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.298953] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=43604 DF PROTO=TCP SPT=4080 DPT=42574 WINDOW=470 RES=0x00 ACK PSH URGP=0 OPT (0101080A258D87134224703F) <0.4> 2016-02-13 21:01:10 Telcontar kernel - - - [1109984.298972] SFW2-IN-ACC-EST IN=eth0 OUT= 
Now for the receiver machine entries.
AmonLanc:~ # zgrep "192.168.1" /var/log/firewall-20160213.xz | grep "192.168.1.14" | grep "192.168.1.15" | less

Many more almost identical packets skipped from mail.
AmonLanc kernel - - - [2520428.635616] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=296 TOS=0x00 PREC=0x00 TTL=64 ID=3845 PROTO=UDP SPT=6666 DPT=6666 LEN=276 <0.4> 2016-02-13T21:01:10.505546+01:00 AmonLanc kernel - - - [2520428.635645] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3846 PROTO=UDP SPT=6665 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:10.505549+01:00 AmonLanc kernel - - - [2520428.635661] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3847 PROTO=UDP SPT=6666 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:10.505552+01:00 AmonLanc kernel - - - [2520428.635755] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=50175 DF PROTO=TCP SPT=42576 DPT=4080 WINDOW=305 RES=0x00 ACK URGP=0 OPT (0101080A4224707B258D871E) <0.4> 2016-02-13T21:01:10.505555+01:00 AmonLanc kernel - - - [2520428.635775] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3848 PROTO=UDP SPT=6665 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:10.505557+01:00 AmonLanc kernel - - - [2520428.635814] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=3849 PROTO=UDP SPT=6666 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:10.505560+01:00 AmonLanc kernel - - - [2520428.636065] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=50176 DF PROTO=TCP SPT=42576 DPT=4080 WINDOW=345 RES=0x00 ACK URGP=0 OPT (0101080A4224707B258D871E) <0.4> 2016-02-13T21:01:10.505563+01:00 
AmonLanc kernel - - - [2520428.636107] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=301 TOS=0x00 PREC=0x00 TTL=64 ID=3850 PROTO=UDP SPT=6665 DPT=6666 LEN=281 <0.4> 2016-02-13T21:01:10.505566+01:00 AmonLanc kernel - - - [2520428.636127] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=301 TOS=0x00 PREC=0x00 TTL=64 ID=3851 PROTO=UDP SPT=6666 DPT=6666 LEN=281 <0.4> 2016-02-13T21:01:10.509367+01:00 AmonLanc kernel - - - [2520428.636411] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=50177 DF PROTO=TCP SPT=42576 DPT=4080 WINDOW=353 RES=0x00 ACK FIN URGP=0 OPT (0101080A4224707B258D871E) <0.4> 2016-02-13T21:01:10.509396+01:00 AmonLanc kernel - - - [2520428.636737] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=291 TOS=0x00 PREC=0x00 TTL=64 ID=3852 PROTO=UDP SPT=6665 DPT=6666 LEN=271 <0.4> 2016-02-13T21:01:10.509400+01:00 AmonLanc kernel - - - [2520428.636759] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=291 TOS=0x00 PREC=0x00 TTL=64 ID=3853 PROTO=UDP SPT=6666 DPT=6666 LEN=271 skipping... 
<0.4> 2016-02-13T21:01:25.254277+01:00 AmonLanc kernel - - - [2520443.384772] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=4840 PROTO=UDP SPT=6665 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:25.254300+01:00 AmonLanc kernel - - - [2520443.384809] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=4841 PROTO=UDP SPT=6666 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:25.284625+01:00 AmonLanc kernel - - - [2520443.415154] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=4842 PROTO=UDP SPT=6665 DPT=6666 LEN=285 <0.4> 2016-02-13T21:01:25.284654+01:00 AmonLanc kernel - - - [2520443.415195] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=305 TOS=0x00 PREC=0x00 TTL=64 ID=4843 PROTO=UDP SPT=6666 DPT=6666 LEN=285 <0.4> 2016-02-13T21:01:25.293423+01:00 AmonLanc kernel - - - [2520443.423960] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33049 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4224AA3F0000000001030307) <0.4> 2016-02-13T21:01:25.317460+01:00 AmonLanc kernel - - - [2520443.447704] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=4844 PROTO=UDP SPT=6665 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:25.317487+01:00 AmonLanc kernel - - - [2520443.447738] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=4845 PROTO=UDP SPT=6666 DPT=6666 LEN=273 <0.4> 
2016-02-13T21:01:25.317491+01:00 AmonLanc kernel - - - [2520443.447779] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33050 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=229 RES=0x00 ACK URGP=0 OPT (0101080A4224AA57258D958F) <0.4> 2016-02-13T21:01:25.317494+01:00 AmonLanc kernel - - - [2520443.447854] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=434 TOS=0x00 PREC=0x00 TTL=64 ID=33051 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=229 RES=0x00 ACK PSH URGP=0 OPT (0101080A4224AA57258D958F) <0.4> 2016-02-13T21:01:25.348540+01:00 AmonLanc kernel - - - [2520443.479022] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=4846 PROTO=UDP SPT=6665 DPT=6666 LEN=323 <0.4> 2016-02-13T21:01:25.348568+01:00 AmonLanc kernel - - - [2520443.479063] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=4847 PROTO=UDP SPT=6666 DPT=6666 LEN=323 <0.4> 2016-02-13T21:01:25.348639+01:00 AmonLanc kernel - - - [2520443.479101] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33052 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=237 RES=0x00 ACK URGP=0 OPT (0101080A4224AA76258D9598) <0.4> 2016-02-13T21:01:25.348642+01:00 AmonLanc kernel - - - [2520443.479133] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33053 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=260 RES=0x00 ACK URGP=0 OPT (0101080A4224AA76258D9598) <0.4> 2016-02-13T21:01:25.348671+01:00 AmonLanc kernel - - - [2520443.479286] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 
SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=33054 DF PROTO=TCP SPT=42608 DPT=4080 WINDOW=260 RES=0x00 ACK FIN URGP=0 OPT (0101080A4224AA76258D9598) <0.4> 2016-02-13T21:01:25.369409+01:00 AmonLanc kernel - - - [2520443.499922] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41019 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4224AA8B0000000001030307) <0.4> 2016-02-13T21:01:25.369459+01:00 AmonLanc kernel - - - [2520443.500072] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48520 DF PROTO=TCP SPT=42610 DPT=4080 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4224AA8B0000000001030307) <0.4> 2016-02-13T21:01:25.382493+01:00 AmonLanc kernel - - - [2520443.512793] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=4848 PROTO=UDP SPT=6665 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:25.382521+01:00 AmonLanc kernel - - - [2520443.512829] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=4849 PROTO=UDP SPT=6666 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:25.382524+01:00 AmonLanc kernel - - - [2520443.512871] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41020 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=229 RES=0x00 ACK URGP=0 OPT (0101080A4224AA98258D95A2) <0.4> 2016-02-13T21:01:25.382527+01:00 AmonLanc kernel - - - [2520443.512920] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48521 DF PROTO=TCP SPT=42610 DPT=4080 
WINDOW=229 RES=0x00 ACK URGP=0 OPT (0101080A4224AA98258D95A3) <0.4> 2016-02-13T21:01:25.382530+01:00 AmonLanc kernel - - - [2520443.512945] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=434 TOS=0x00 PREC=0x00 TTL=64 ID=41021 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=229 RES=0x00 ACK PSH URGP=0 OPT (0101080A4224AA98258D95A2) <0.4> 2016-02-13T21:01:25.382532+01:00 AmonLanc kernel - - - [2520443.512985] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=418 TOS=0x00 PREC=0x00 TTL=64 ID=48522 DF PROTO=TCP SPT=42610 DPT=4080 WINDOW=229 RES=0x00 ACK PSH URGP=0 OPT (0101080A4224AA98258D95A3) <0.4> 2016-02-13T21:01:25.413566+01:00 AmonLanc kernel - - - [2520443.543766] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=4850 PROTO=UDP SPT=6665 DPT=6666 LEN=274 <0.4> 2016-02-13T21:01:25.413597+01:00 AmonLanc kernel - - - [2520443.543810] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=4851 PROTO=UDP SPT=6666 DPT=6666 LEN=274 <0.4> 2016-02-13T21:01:25.413600+01:00 AmonLanc kernel - - - [2520443.543851] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41022 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=229 RES=0x00 ACK URGP=0 OPT (0101080A4224AAB7258D95A9) <0.4> 2016-02-13T21:01:25.413603+01:00 AmonLanc kernel - - - [2520443.543884] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41023 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=326 RES=0x00 ACK URGP=0 OPT (0101080A4224AAB7258D95A9) <0.4> 2016-02-13T21:01:25.413606+01:00 AmonLanc kernel - - - [2520443.543921] SFW2-IN-ACC-EST 
IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48523 DF PROTO=TCP SPT=42610 DPT=4080 WINDOW=237 RES=0x00 ACK URGP=0 OPT (0101080A4224AAB7258D95AB) <0.4> 2016-02-13T21:01:25.413608+01:00 AmonLanc kernel - - - [2520443.543941] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48524 DF PROTO=TCP SPT=42610 DPT=4080 WINDOW=319 RES=0x00 ACK URGP=0 OPT (0101080A4224AAB7258D95AB) <0.4> 2016-02-13T21:01:25.413611+01:00 AmonLanc kernel - - - [2520443.543966] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=41024 DF PROTO=TCP SPT=42609 DPT=4080 WINDOW=339 RES=0x00 ACK FIN URGP=0 OPT (0101080A4224AAB7258D95A9) <0.4> 2016-02-13T21:01:25.413614+01:00 AmonLanc kernel - - - [2520443.544168] SFW2-IN-ACC-EST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48525 DF PROTO=TCP SPT=42610 DPT=4080 WINDOW=353 RES=0x00 ACK FIN URGP=0 OPT (0101080A4224AAB7258D95AB) <0.4> 2016-02-13T21:01:25.449447+01:00 AmonLanc kernel - - - [2520443.580033] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=4852 PROTO=UDP SPT=6665 DPT=6666 LEN=274 <0.4> 2016-02-13T21:01:25.449476+01:00 AmonLanc kernel - - - [2520443.580073] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=294 TOS=0x00 PREC=0x00 TTL=64 ID=4853 PROTO=UDP SPT=6666 DPT=6666 LEN=274 <0.4> 2016-02-13T21:01:25.482145+01:00 AmonLanc kernel - - - [2520443.612735] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=4854 PROTO=UDP SPT=6665 
DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:25.482168+01:00 AmonLanc kernel - - - [2520443.612772] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=293 TOS=0x00 PREC=0x00 TTL=64 ID=4855 PROTO=UDP SPT=6666 DPT=6666 LEN=273 <0.4> 2016-02-13T21:01:46.577589+01:00 AmonLanc kernel - - - [2520464.708052] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=277 TOS=0x00 PREC=0x00 TTL=64 ID=5381 PROTO=UDP SPT=6666 DPT=6666 LEN=257 <0.4> 2016-02-13T21:01:46.628596+01:00 AmonLanc kernel - - - [2520464.759138] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=5382 PROTO=UDP SPT=6665 DPT=6666 LEN=323 <0.4> 2016-02-13T21:01:46.628624+01:00 AmonLanc kernel - - - [2520464.759180] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=5383 PROTO=UDP SPT=6666 DPT=6666 LEN=323 <0.4> 2016-02-13T21:01:46.628627+01:00 AmonLanc kernel - - - [2520464.759215] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=5384 PROTO=UDP SPT=6665 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:46.628630+01:00 AmonLanc kernel - - - [2520464.759233] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=5385 PROTO=UDP SPT=6666 DPT=6666 LEN=324 <0.4> 2016-02-13T21:01:47.189400+01:00 AmonLanc kernel - - - [2520465.317197] SFW2-IN-ACC-REL IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=104 TOS=0x00 PREC=0xC0 TTL=64 ID=36173 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.15 DST=192.168.1.14 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21525 DF PROTO=UDP SPT=123 DPT=123 
LEN=56 ] <0.4> 2016-02-13T21:01:47.189427+01:00 AmonLanc kernel - - - [2520465.317236] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=5386 PROTO=UDP SPT=6665 DPT=6666 LEN=216 <0.4> 2016-02-13T21:01:47.189430+01:00 AmonLanc kernel - - - [2520465.317271] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=5387 PROTO=UDP SPT=6666 DPT=6666 LEN=216 <0.4> 2016-02-13T21:01:51.191763+01:00 AmonLanc kernel - - - [2520469.322216] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=277 TOS=0x00 PREC=0x00 TTL=64 ID=5388 PROTO=UDP SPT=6665 DPT=6666 LEN=257 <0.4> 2016-02-13T21:01:51.191788+01:00 AmonLanc kernel - - - [2520469.322255] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=277 TOS=0x00 PREC=0x00 TTL=64 ID=5389 PROTO=UDP SPT=6666 DPT=6666 LEN=257 <0.4> 2016-02-13T21:01:51.251846+01:00 AmonLanc kernel - - - [2520469.381662] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=5390 PROTO=UDP SPT=6665 DPT=6666 LEN=323 <0.4> 2016-02-13T21:02:03.305249+01:00 AmonLanc kernel - - - [2520481.435844] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=5500 PROTO=UDP SPT=6665 DPT=6666 LEN=57 <0.4> 2016-02-13T21:02:03.305271+01:00 AmonLanc kernel - - - [2520481.435881] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=5501 PROTO=UDP SPT=6666 DPT=6666 LEN=57 <0.4> 2016-02-13T21:02:03.603818+01:00 AmonLanc kernel - - - [2520481.734365] SFW2-INext-ACC-TRUST 
IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=285 TOS=0x00 PREC=0x00 TTL=64 ID=5502 PROTO=UDP SPT=6665 DPT=6666 LEN=265 <0.4> 2016-02-13T21:02:03.603848+01:00 AmonLanc kernel - - - [2520481.734406] SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=285 TOS=0x00 PREC=0x00 TTL=64 ID=5503 PROTO=UDP SPT=6666 DPT=6666 LEN=265 lines 1593-1714/1714 (END) log rotate happened about here, messages seems to be lost to the log. <0.4> 2016-02-13T23:17:27.116233+01:00 AmonLanc kernel - - - [2528605.239775] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38633 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4248C9340000000001030307) <0.4> 2016-02-13T23:17:28.113360+01:00 AmonLanc kernel - - - [2528606.241005] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38634 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4248CD1E0000000001030307) <0.4> 2016-02-13T23:17:30.112359+01:00 AmonLanc kernel - - - [2528608.242994] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38635 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4248D4F00000000001030307) <0.4> 2016-02-13T23:17:34.120325+01:00 AmonLanc kernel - - - [2528612.250963] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38636 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4248E4980000000001030307) <0.4> 2016-02-13T23:17:42.128356+01:00 AmonLanc kernel - - - [2528620.258991] 
SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38637 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A424903E00000000001030307) <0.4> 2016-02-13T23:17:58.160339+01:00 AmonLanc kernel - - - [2528636.290976] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38638 DF PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A424942800000000001030307) <0.4> 2016-02-13T23:18:18.733376+01:00 AmonLanc kernel - - - [2528656.862093] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39574 DF PROTO=TCP SPT=730 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A424992DB0000000001030307) <0.4> 2016-02-13T23:18:33.761360+01:00 AmonLanc kernel - - - [2528671.890990] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39578 DF PROTO=TCP SPT=730 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A4249CD900000000001030307) <0.4> 2016-02-13T23:18:49.808352+01:00 AmonLanc kernel - - - [2528687.938987] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39579 DF PROTO=TCP SPT=730 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A424A0C400000000001030307) <0.4> 2016-02-13T23:19:21.873366+01:00 AmonLanc kernel - - - [2528720.002963] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:03:0d:05:17:fc:00:21:85:16:2d:0b:08:00 SRC=192.168.1.14 DST=192.168.1.15 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39580 DF PROTO=TCP SPT=730 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A424A89800000000001030307) 
lines 1-10/10 (END) - -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAla/vUAACgkQtTMYHG2NR9WhegCfZuFBCBV/NVpfrJ4FQx1rhHk0 vXcAninOWy8pFT+8ZBElGb8MyiPbdMXl =lDNR -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 13/02/16 05:33 PM, Carlos E. R. wrote:
On Saturday, 2016-02-13 at 19:50 +0100, Carlos E. R. wrote:
A tcp dump? Or tell SuSEfirewall2 to log everything?
FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no"
I can set all of them to "yes" prior to hibernation, and undo after. It is simple to do.
Done. Let's extract the firewall data.
<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating the system now (04)...
<3.5> 2016-02-13 21:01:07 Telcontar pm-utils - - - There appears not be any pending nntp post to be sent. I just checked :-)
<1.5> 2016-02-13 21:01:07 Telcontar network 24855 - - redirecting to "systemctl --signal=9 kill network.service"
<3.5> 2016-02-13 21:01:07 Telcontar systemd 1 - - network@eth0.service: main process exited, code=killed, status=9/KILL
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopping LSB: Network time protocol daemon (ntpd)...
<3.6> 2016-02-13 21:01:07 Telcontar ntp 24879 - - Shutting down network time protocol daemon (NTPD)..done
<1.6> 2016-02-13 21:01:07 Telcontar org.freedesktop.UDisks 1047 - - **** /proc/self/mountinfo changed
<3.6> 2016-02-13 21:01:07 Telcontar systemd 1 - - Stopped LSB: Network time protocol daemon (ntpd).
<3.4> 2016-02-13 21:01:07 Telcontar pm-utils - - - Hibernating (95)...
So I have to look around 21:01:07
There are too many entries, so I'll filter.
<snip>
Now for the receiver machine entries.
AmonLanc:~ # zgrep "192.168.1" /var/log/firewall-20160213.xz | grep "192.168.1.14" | grep "192.168.1.15" | less
<snip>
DOH! Do I feel stupid! It just occurred to me that we do not need *all* the firewall logs from both machines. The only things we are interested in for this are the UDP traffic sent to port 6666 on ..15 and ICMP traffic related to that.

Only the following entries are relevant:

on Telcontar:
- outbound UDP sent to AmonLanc on port 6666.
- responses to those packets (presumably these are UDP packets originating on port 6666?)
- ICMP packets received from AmonLanc.

on AmonLanc:
- inbound UDP on port 6666 sent from Telcontar
- outbound responses to those
- any outbound ICMP packets sent to Telcontar.

Perhaps something like wireshark would be able to capture the necessary data. What I suggested that you do is gross overkill.

That having been said, I did not see a single firewall log entry on AmonLanc that could possibly explain why Telcontar is receiving these "port unreachable" messages. There is no logic to this at all, unless Telcontar's firewall is sending those ICMP messages **to itself** after the firewall has been locked shut.

Perhaps I missed something? I'll have another look at it in the morning as time permits.
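The narrowing described in the message above (only UDP to port 6666 and the ICMP that refers to it), as an added example that is not part of the original message: a Python filter over SuSEfirewall2 kernel log lines. The function names and labels are hypothetical, and the sample lines are abridged from entries quoted in this thread.

```python
import re

SENDER, RECEIVER, PORT = "192.168.1.14", "192.168.1.15", "6666"

# Abridged from log entries quoted in this thread (MAC/TOS/PREC/TTL fields dropped).
SAMPLE = [
    "<0.4> 2016-02-10 15:12:20 Telcontar kernel - - - [962406.171985] SFW2-INext-DROP-DEFLT "
    "IN=eth0 OUT= SRC=192.168.1.15 DST=192.168.1.14 LEN=371 ID=16013 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]",
    "<0.4> 2016-02-13T21:01:10.489424+01:00 AmonLanc kernel - - - [2520428.616352] "
    "SFW2-INext-ACC-TRUST IN=eth0 OUT= SRC=192.168.1.14 DST=192.168.1.15 LEN=309 ID=3827 "
    "PROTO=UDP SPT=6666 DPT=6666 LEN=289",
    "<0.4> 2016-02-13T21:01:10.501420+01:00 AmonLanc kernel - - - [2520428.630090] "
    "SFW2-IN-ACC-EST IN=eth0 OUT= SRC=192.168.1.14 DST=192.168.1.15 LEN=52 ID=58399 DF "
    "PROTO=TCP SPT=42575 DPT=4080 WINDOW=229 RES=0x00 ACK URGP=0",
    "<0.4> 2016-02-13T21:01:47.189400+01:00 AmonLanc kernel - - - [2520465.317197] "
    "SFW2-IN-ACC-REL IN=eth0 OUT= SRC=192.168.1.14 DST=192.168.1.15 LEN=104 ID=36173 "
    "PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.15 DST=192.168.1.14 LEN=76 ID=21525 DF "
    "PROTO=UDP SPT=123 DPT=123 LEN=56 ]",
    "<0.4> 2016-02-13T23:17:27.116233+01:00 AmonLanc kernel - - - [2528605.239775] "
    "SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.1.14 DST=192.168.1.15 LEN=60 ID=38633 DF "
    "PROTO=TCP SPT=670 DPT=43030 WINDOW=29200 RES=0x00 SYN URGP=0",
]

# host, then the kernel "[uptime]" stamp, then the SFW2 chain prefix, then the packet.
LINE_RE = re.compile(r"(\S+) kernel .*?\] (SFW2-[\w-]+) (.*)")


def _fields(text):
    """Turn 'KEY=value' tokens into a dict; bare flags (DF, SYN, ACK) are skipped.

    The first occurrence wins, so LEN is the IP length, not the later UDP length.
    """
    out = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            out.setdefault(key, value)
    return out


def parse_entry(line):
    """Split one log line into host, chain prefix, outer packet and quoted packet."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    host, prefix, rest = m.groups()
    # ICMP errors quote the offending packet in [...] after the outer header.
    outer, _, inner = rest.partition("[")
    return {
        "host": host,
        "prefix": prefix,
        "outer": _fields(outer),
        "inner": _fields(inner.rstrip("] ")),
    }


def classify(entry, sender=SENDER, receiver=RECEIVER, port=PORT):
    """Label the entries the message calls relevant; return None for the rest."""
    o = entry["outer"]
    pair = (o.get("SRC"), o.get("DST"))
    if o.get("PROTO") == "UDP":
        if pair == (sender, receiver) and o.get("DPT") == port:
            return f"udp-to-{port}"
        if pair == (receiver, sender) and o.get("SPT") == port:
            return f"udp-from-{port}"
    if o.get("PROTO") == "ICMP" and pair == (receiver, sender):
        q = entry["inner"]
        quotes_port = (
            q.get("PROTO") == "UDP"
            and q.get("DPT") == port
            and (q.get("SRC"), q.get("DST")) == (sender, receiver)
        )
        if o.get("TYPE") == "3" and o.get("CODE") == "3" and quotes_port:
            return f"icmp-port-unreachable-for-udp-{port}"
        return "icmp-other"
    return None


def relevant(lines):
    """Return (logging host, chain prefix, label) for every relevant line."""
    hits = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            hits.append((entry["host"], entry["prefix"], label))
    return hits


if __name__ == "__main__":
    for hit in relevant(SAMPLE):
        print(*hit)
```

Fed the full firewall logs of both machines, this keeps the UDP datagrams to port 6666 and the ICMP errors that quote them, and drops the TCP port 4080 traffic and the NTP-related ICMP that make up most of the dumps.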
On Saturday, 2016-02-13 at 19:50 +0100, Carlos E. R. wrote:
I need to code something first. I need a pipe that receives text entries, and writes them to stdout prefixed with a timestamp. I coded this years ago, but apparently I lost it. I know how to do it, just that I wanted to avoid it.
I found it, but had to modify. In case it is useful for others, here goes:

program pipetimer2;

{$mode objfpc}{$H+}

uses SysUtils;

Function StampNow (Fmt: string): AnsiString;
var
  S: AnsiString;
begin
  DateTimeToString (S, Fmt, Now);
  StampNow:= S;
end;

var
  L: string;

begin
  while not eof(input) do
  begin
    readln(L);
    writeln(StampNow('yyyy-mm-dd"T"hh:nn:ss.zzz'), ' ', L);
  end
end.

Yes, pascal :-P

Sample run:

cer@Telcontar:~/bin/lazarus/mios> echo hello | ./pipetimer2
2016-02-14T00:37:25.890 hello
cer@Telcontar:~/bin/lazarus/mios>

--
Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02/13/2016 05:38 PM, Carlos E. R. wrote:
I found it, but had to modify. In case it is useful for others, here goes:
program pipetimer2;

{$mode objfpc}{$H+}

uses SysUtils;

Function StampNow (Fmt: string): AnsiString;
var
  S: AnsiString;
begin
  DateTimeToString (S, Fmt, Now);
  StampNow:= S;
end;

var
  L: string;

begin
  while not eof(input) do
  begin
    readln(L);
    writeln(StampNow('yyyy-mm-dd"T"hh:nn:ss.zzz'), ' ', L);
  end
end.

Yes, pascal :-P

Sample run:

cer@Telcontar:~/bin/lazarus/mios> echo hello | ./pipetimer2
2016-02-14T00:37:25.890 hello
cer@Telcontar:~/bin/lazarus/mios>
I can't in good conscience let you rely on old pascal for your needs. I even tweaked the initial code so that localtime/gmtime timestamps are now command line option configurable. The help:

/bin/tstamp_log -h

tstamplog, version 0.01

usage: tstamplog [-f logfile (default: stdout) -hlv] [logfile]

logs input from stdin to specified logfile.

Options:
  -f logfile  specifies logfile to which messages are append.
              (note: logfile can be specified with or without -f)
  -h          this help.
  -l          use localtime for log timestamp.
  -v          display version information.

example log entry:
  'Feb 15 20:12:08 hostname ...message...'

It may provide a bit of flexibility that the current pascal code lacks. Give it a go and if it works use it, if it doesn't -- delete it.

Compile:

gcc -Wall -Wextra -finline-functions -Ofast -o *tstamp_log tstamp_log.c

If you have less than gcc 4.6, use -O3 optimization.

--
David C. Rankin, J.D.,P.E.
On 2016-02-16 07:49, David C. Rankin wrote:
On 02/13/2016 05:38 PM, Carlos E. R. wrote:
Yes, pascal :-P
Sample run:
cer@Telcontar:~/bin/lazarus/mios> echo hello | ./pipetimer2 2016-02-14T00:37:25.890 hello cer@Telcontar:~/bin/lazarus/mios>
I can't in good conscious let you rely on old pascal for your needs.
But I was a professional programmer in Pascal, or rather, Borland Pascal. Guru class O:-) I also provided the beans for my table with C. So in theory I know both. But I prefer pascal. I simply did not add options and features to the code because I hardcoded it in the exact way I need it :-)
I even tweaked the initial code so that localtime/gmtime timestamps are now command line option configurable. The help:
Well, thanks, I'll keep it :-)

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
But,
What is wrong with plain tcpdump and couple filters??
netstat or ss should show the state of the listening port unless it's working in some shady way inside the kernel without reflection to the userlands.
The simplest way would be to login into both machines at the same time and somehow make sense of it before diving into all the fw logging or ICMP rules.
Don't you have access to both machines? Am I missing something?

Eliezer
On 2016-02-17 11:47, Eliezer Croitoru wrote:
But,
What is wrong with plain tcpdump and couple filters??
That I'm not familiar with it.
netstat or ss should show the state of the listening port unless it's working in some shady way inside the kernel without reflection to the userlands.
Remember that the port is normally open, except perhaps during the event.
The simplest way would be to login into both machines at the same time and somehow make sense of it before diving into all the fw logging or ICMP rules.
Don't you have access to both machines? Am I missing something?
Yes, you are missing that one of the machines is going into hibernation the instant this happens. It is going into hibernation that triggers the event, so it is not possible to log into it, and possibly, it is impossible to rely on any particular application running.

A tcpdump would only run reliably on the destination machine, and it is possible that it sees nothing wrong (the current hypothesis).

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 02/17/2016 04:26 AM, Carlos E. R. wrote:
Yes, you are missing that one of the machines is going into hibernation the instant this happens. It is going into hibernation that triggers the event, so it is not possible to log into it, and possibly, it is impossible to rely on any particular application running.
Well DUH! This is the first I've heard mention of hibernation in this whole thread, which, admittedly, I've only been loosely following.

Why are we taking up all this bandwidth discussing a problem caused by a machine shutting down?

--
After all is said and done, more is said than done.
On 02/17/2016 06:21 PM, John Andersen wrote:
Why are we taking up all this bandwidth discussing a problem caused by a machine shutting down?
Because we did not know it was coincidental on going into hibernation. That was discovered later, by chance.

Besides that, the problem is real and impacts usage of netconsole. I'm investigating a random crash during hibernation, for which I need logs, which of necessity have to be written on another machine via network using netconsole.

--
Cheers / Saludos,
Carlos E. R.
(from openSUSE Leap 42.1 x86_64 (test))
Asking out loud: How do you expect to use a udp service on a hibernated machine? What sense does it make? How can it be done?
Is it a physical machine or VM?? Have you tried WOL? (in the case of a physical)
The issue you should be investigating is "why" it's hibernating and how to "stop" it from hibernating.

Eliezer
On 02/17/2016 10:19 PM, Eliezer Croitoru wrote:
Asking out loud: How do you expect to use a udp service on a hibernated machine?
I don't.

While the machine processes the going into hibernation, the kernel logs messages into syslog. They are written to disk, locally, after it recovers from hibernation. But they can be sent to another machine for safe keeping, either using a true RS232 port, or with netconsole, via network. I'm doing the latter. And it is working, I get those logs.
The issue you should be investigating is "why" it's hibernating and how to "stop" it from hibernating.
I order it to hibernate.

I'll try to clarify, again, in a single message, because the info is in the thread.

I'm sending kernel messages to another machine via netconsole. Not on hibernation, but all the time.

While setting this up, I noticed those error messages in the log.

Later, I noticed that those error messages appeared the instant the sender machine was going into hibernation. Not during hibernation, but while processing the going into hibernation.

Maybe the messages can be ignored, because I do get the log entries on the other machine. This is my hypothesis.

--
Cheers / Saludos,
Carlos E. R.
(from openSUSE Leap 42.1 x86_64 (test))
On 02/13/2016 07:50 PM, Carlos E. R. wrote:
I need to code something first. I need a pipe that receives text entries, and writes them to stdout prefixed with a timestamp.
http://stackoverflow.com/q/21564/4421

I'd personally probably prefer an awk solution:

$ { echo hello ; sleep 3 ; echo world; } \
  | stdbuf -oL awk '{ print strftime("%Y-%m-%d %H:%M:%S"), $0 }'
2016-02-14 01:29:35 hello
2016-02-14 01:29:38 world

Have a nice day,
Berny
On 2016-02-14 01:33, Bernhard Voelker wrote:
On 02/13/2016 07:50 PM, Carlos E. R. wrote:
I need to code something first. I need a pipe that receives text entries, and writes them to stdout prefixed with a timestamp.
So, it is an often asked question.
I'd personally probably prefer an awk solution:
To each its own - I don't know awk, but I do pascal ;-)
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2016-02-13 05:56, Andrei Borzenkov wrote:
No. He sees this message because other system blocks UDP
[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]
I'm looking at <https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol>

The message is:

SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 ID=16013 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]

Where:

PROTO=ICMP
TYPE=3 --> Destination Unreachable
CODE=3 --> Destination port unreachable

Ie, 192.168.1.15 is telling 192.168.1.14 that the "destination port is unreachable". It includes the data of what communication is it that has problems, which goes from 192.168.1.14:6666 to 192.168.1.15:6666 (UDP).

But udp,6666 is indeed open, so it does not make sense. To me, at least. :-}

(The "Ext" firewall apparently blocks ICMP, but not ICMP type 8 (Echo Request))

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
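The reading of the log entry in the message above can be reproduced mechanically. The Python below is an added example, not code from any poster in this thread: it splits a netfilter LOG line into the outer ICMP header and the bracketed header of the datagram the ICMP error refers to. The function names are hypothetical, and the sample line is the kernel message quoted above without its syslog prefix.

```python
import re

# ICMP type 3 (Destination Unreachable) codes, per RFC 792.
UNREACH = {0: "net unreachable", 1: "host unreachable",
           2: "protocol unreachable", 3: "port unreachable"}

# Constructed sample: the kernel message quoted above, minus the syslog prefix.
SAMPLE = (
    "SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:21:85:16:2d:0b:00:03:0d:05:17:fc:08:00 "
    "SRC=192.168.1.15 DST=192.168.1.14 LEN=371 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=16013 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.168.1.14 DST=192.168.1.15 LEN=343 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=3128 PROTO=UDP SPT=6666 DPT=6666 LEN=323 ]"
)

def fields(text):
    """Collect KEY=value tokens; for a repeated key (LEN) the last one wins."""
    return dict(re.findall(r"(\w+)=(\S*)", text))

def parse_log_line(line):
    """Split a netfilter LOG line into rule name, outer header, quoted packet."""
    quoted = re.search(r"\[(SRC=[^\]]*)\]", line)  # skips the [uptime] stamp
    outer_text = line[:quoted.start()] if quoted else line
    rule = re.search(r"(\S+)\s+IN=", outer_text)
    return {"rule": rule.group(1) if rule else None,
            "outer": fields(outer_text),
            "inner": fields(quoted.group(1)) if quoted else None}

def explain(line):
    """Summarise a logged ICMP Destination Unreachable, else return None."""
    p = parse_log_line(line)
    outer, inner = p["outer"], p["inner"]
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or not inner:
        return None
    code = int(outer["CODE"])
    return {
        "dropped_by": p["rule"],
        "reporter": outer["SRC"],          # host that sent the ICMP error
        "reason": UNREACH.get(code, "code %d" % code),
        # The quoted header is the datagram that could not be delivered.
        "flow": "%s:%s -> %s:%s/%s" % (inner["SRC"], inner.get("SPT"),
                                       inner["DST"], inner.get("DPT"),
                                       inner["PROTO"].lower()),
        # True when the error refers to traffic this host itself sent.
        "refers_to_own_traffic": inner["SRC"] == outer["DST"],
    }

if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the sample line the result names 192.168.1.15 as the reporter of "port unreachable" for the flow 192.168.1.14:6666 -> 192.168.1.15:6666/udp, with SFW2-INext-DROP-DEFLT on 192.168.1.14 as the rule that dropped the report.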
participants (10)
- Andrei Borzenkov
- Bernhard Voelker
- Carlos E. R.
- Darryl Gregorash
- David C. Rankin
- Eliezer Croitoru
- John Andersen
- Marcus Meissner
- Mark Goldstein
- Roger Price