Mailinglist Archive: opensuse-security (394 mails)

SuSEfirewall2 Logging Question
  • From: "Sturgis, Grant" <Grant.Sturgis@xxxxxxxxxxxxxxxxxx>
  • Date: Tue, 9 Dec 2003 13:52:27 -0700
  • Message-id: <17CAB0BF27BCFC47B0E4554A0E2F962B239C37@xxxxxxxxxxxxxxxx>
Ok, no responses to this question, let me try a different one.

Does anyone know why there are items in brackets []?





-----Original Message-----
From: Sturgis, Grant
Sent: Monday, December 08, 2003 11:00 AM
To: suse-security@xxxxxxxx
Subject: SuSEfirewall2 Logging Question


Greetings List,

I have a question that hopefully someone here can clear up for me. I apologize if this is common knowledge, and if someone knows where this particular documentation resides, I would very much appreciate a link.

I am getting the following logs from a SuSEfirewall2:

Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29755 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=111 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]
Dec 7 23:02:02 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29843 DF PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=72 TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]

My questions are:

Why is the MAC address what appears to be 2 MAC addresses concatenated together?
Why is there SRC and DST inside [] and why are they different from the other IPs mentioned?
This system's IP address is 192.168.100.242, which appears as the DST in the non-[] text, but is the SRC in the text inside the []. What gives?

Any comments are most welcome.

Grant
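
An added example, not part of the original post: a small parser for the log lines quoted above. It assumes the standard netfilter LOG layout, in which MAC= is the 14-byte Ethernet header (destination MAC, source MAC, EtherType) and the [...] part is the header of the original packet quoted inside an ICMP error message (TYPE=4 is source quench); the function names are hypothetical.

```python
import re

# First log line from the post above, copied verbatim.
SAMPLE = (
    "Dec 7 23:01:58 mailserver kernel: SuSE-FW-DROP-ICMP-CRIT IN=eth0 OUT= "
    "MAC=00:b0:d0:c6:12:b5:00:e0:b6:03:dc:f2:08:00 SRC=203.134.26.220 "
    "DST=192.168.100.242 LEN=56 TOS=0x00 PREC=0x00 TTL=245 ID=29751 DF "
    "PROTO=ICMP TYPE=4 CODE=0 [SRC=192.168.100.242 DST=211.26.232.31 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=53 ID=0 FRAG:64 PROTO=TCP ]"
)

# ICMP error types whose payload quotes the header of the offending packet.
ICMP_ERRORS = {3: "destination unreachable", 4: "source quench", 5: "redirect",
               11: "time exceeded", 12: "parameter problem"}

def kv(text):
    """Collect KEY=value tokens; bare flags such as DF or FRAG:64 are skipped."""
    return dict(re.findall(r"(\w+)=(\S*)", text))

def split_mac(field):
    """Split the logged Ethernet header: 6 bytes dst, 6 bytes src, 2 bytes EtherType."""
    octets = field.split(":")
    if len(octets) != 14:
        raise ValueError("not a 14-byte Ethernet header: %r" % field)
    return {"dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}

def parse(line):
    """Separate the received packet from the header quoted inside [...]."""
    m = re.search(r"\[(.*?)\]", line)
    outer = kv(line if m is None else line[:m.start()] + line[m.end():])
    rec = {"outer": outer, "embedded": kv(m.group(1)) if m else None}
    if outer.get("MAC"):
        rec["link"] = split_mac(outer["MAC"])
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE", "").isdigit():
        rec["icmp_error"] = ICMP_ERRORS.get(int(outer["TYPE"]))
    return rec

def answers_own_packet(rec):
    """True when the quoted packet was sent by the host that received the ICMP error."""
    emb = rec["embedded"]
    return bool(emb) and emb.get("SRC") == rec["outer"].get("DST")

if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["link"])
    print(rec["icmp_error"], "about", rec["embedded"]["SRC"], "->", rec["embedded"]["DST"])
    print("reply to our own traffic:", answers_own_packet(rec))
```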




