7.19. ( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird notices and errors in the SYSLOG log files. How do I read the IPFWADM/IPCHAINS firewall errors?

There is probably two common things that you are going to see:

• MASQ: Failed TCP Checksum error: You will see this error when a packet coming from the Internet gets corrupt in the data section of the packet but the rest of it "seems" ok. When the Linux box receives this packet, it will calculate the CRC of the packet and determine that its corrupt. On most machines running OSes like Microsoft Windows, they just silently drop the packets but Linux IP MASQ reports it. If you get a LOT of them over your PPP link, first follow the FAQ entry above for "Masq is slow".

• If the above tips don't help, try adding the line "-vj" to your /etc/ppp/options file and restart PPPd.

• Firewall hits: Because you are on the Internet with a decent firewall, you will be surprised with the number of users trying to penetrate your Linux box! So what do all these firewall logs mean?

• From the TrinityOS - Section 10 doc:

  In the below rulesets, any line that either DENYs or REJECTs traffic also has a "-o" to LOG this firewall hit in the SYSLOG messages file found at: Redhat: /var/log Slackware: /var/adm If you take a look at one of these firewall logs, you would see something like: --------------------------------------------------------------------- IPFWADM: Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254 IPCHAINS: Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254 --------------------------------------------------------------------- There is a LOT of information in just this one line. Lets break out this example. You should refer back to the original firewall hit as you read this. Please note that this example is for IPFWADM though it is DIRECTLY readable for IPCHAINS users. -------------- - This firewall "hit" occurred on "Feb 23 07:37:01" - This hit was on the "RoadRunner" computer. - This hit occurred on the "IP" or TCP/IP protocol - This hit came IN to ("fw-in") the firewall * Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD - This hit was then "rejECTED". * Other logs can say "deny" or "accept" - This firewall hit was on the "eth0" interface (Internet link) - This hit was a "TCP" packet - This hit came from IP address "12.75.147.174" on return port "1633". - This hit was addressed to "100.200.0.212" on port "23" or TELNET. * If you don't know that port 23 is for TELNETing, look at your /etc/services file to see what other ports are used for. - This packet was "44" bytes long - This packet did NOT have any "Type of Service" (TOS) set --Don't worry if you don't understand this.. not required to know * divide this by 4 to get the Type of Service for ipchains users - This packet had the "IP ID" number of "18" --Don't worry if you don't understand this.. not required to know - This packet had a 16bit fragment offset including any TCP/IP packet flags of "0x0000" --Don't worry if you don't understand this.. not required to know * A value that started with "0x2..." or "0x3..." means the "More Fragments" bit was set so more fragmented packets will be coming in to complete this one BIG packet. * A value which started with "0x4..." or "0x5..." means that the "Don't Fragment" bit is set. * Any other values are the Fragment offset (divided by 8) to be later used to recombine into the original LARGE packet - This packet had a TimeToLive (TTL) of 20. * Every hop over the Internet will subtract (1) from this number. Usually, packets will start with a number of (255) and if that number ever reaches (0), it means that realistically, the packet was lost and most likely will be deleted.