Now that I have IP Masquerading up, I'm getting all sorts of weird
notices and errors in the SYSLOG log files. How do I read the IPFWADM/IPCHAINS
firewall errors?
There are probably two common things that you are going to see:
MASQ: Failed TCP Checksum error: You will see this error when a packet
coming from the Internet is corrupted in its data section while the rest of
it "seems" OK. When the Linux box receives such a packet, it recomputes the
packet's checksum and determines that it is corrupt. Most machines running
OSes like Microsoft Windows just silently drop these packets, but Linux IP
MASQ reports them. If you get a LOT of them over your PPP link, first follow
the FAQ entry above for "Masq is slow".
If those tips don't help, try adding the line "-vj" to your
/etc/ppp/options file and restart PPPd.
Firewall hits: Because you are on the Internet with a decent firewall, you
will be surprised by the number of users trying to penetrate your Linux box!
So what do all these firewall logs mean?
In the rulesets below, any line that either DENYs or REJECTs traffic also
has a "-o" to LOG the firewall hit in the SYSLOG messages file, found at:
Redhat: /var/log
Slackware: /var/adm
If you take a look at one of these firewall logs, you will see something
like:
---------------------------------------------------------------------
IPFWADM:
Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633
100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254
IPCHAINS:
Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23
L=44 S=0x00 I=54054 F=0x0040 T=254
---------------------------------------------------------------------
There is a LOT of information in just this one line. Let's break out this
example. You should refer back to the original firewall hit as you read this.
Please note that this example is for IPFWADM, though it is DIRECTLY readable
by IPCHAINS users.
--------------
- This firewall "hit" occurred on "Feb 23 07:37:01"
- This hit was on the "Roadrunner" computer.
- This hit occurred on the "IP" or TCP/IP protocol
- This hit came IN to ("fw-in") the firewall
* Other logs can say "fw-out" for OUT or "fw-fwd" for FORWARD
- This hit was then rejected ("rej").
* Other logs can say "deny" or "accept"
- This firewall hit was on the "eth0" interface (Internet link)
- This hit was a "TCP" packet
- This hit came from IP address "12.75.147.174" on return port "1633".
- This hit was addressed to "100.200.0.212" on port "23", i.e. TELNET.
* If you don't know that port 23 is for TELNETing, look at your
/etc/services file to see what the other ports are used for.
- This packet was "44" bytes long
- This packet did NOT have any "Type of Service" (TOS) set
--Don't worry if you don't understand this; it is not required knowledge.
* ipchains users: divide this value by 4 to get the Type of Service
- This packet had the "IP ID" number of "18"
--Don't worry if you don't understand this; it is not required knowledge.
- This packet had a 16-bit fragment offset, including any TCP/IP packet
flags, of "0x0000"
--Don't worry if you don't understand this; it is not required knowledge.
* A value that starts with "0x2..." or "0x3..." means the "More
Fragments" bit was set, so more fragmented packets will be coming in
to complete this one BIG packet.
* A value that starts with "0x4..." or "0x5..." means that the
"Don't Fragment" bit is set.
* Any other value is the fragment offset (divided by 8), used later
to recombine the fragments into the original LARGE packet.
- This packet had a Time To Live (TTL) of 20.
* Every hop across the Internet subtracts 1 from this number.
Packets usually start with a value of 255, and if that number ever
reaches 0, it means that, realistically, the packet was lost and will
most likely be discarded.
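The field-by-field reading above can be automated. The following parser is an added example, not part of the HOWTO, that turns one ipfwadm or ipchains hit line into a dictionary, decoding the fragment field (More Fragments, Don't Fragment, offset) and the protocol number the same way the breakdown does; the sample lines are the two hits quoted above plus one constructed line with the Don't Fragment bit set.

```python
import re
from typing import Optional

# Field tail shared by both formats: src:port dst:port L=len S=tos I=ip_id F=frag T=ttl
TAIL = (r" (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
        r" L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+)"
        r" F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)")
IPFWADM_RE = re.compile(r"IP fw-(?P<dir>in|out|fwd) (?P<act>\S+) (?P<iface>\S+) (?P<proto>[A-Za-z]+)" + TAIL)
IPCHAINS_RE = re.compile(r"Packet log: (?P<dir>\S+) (?P<act>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+)" + TAIL)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers printed by ipchains

def parse_firewall_hit(line: str) -> Optional[dict]:
    """Parse one ipfwadm or ipchains firewall-hit syslog line; None if it is neither."""
    fmt, m = "ipfwadm", IPFWADM_RE.search(line)
    if m is None:
        fmt, m = "ipchains", IPCHAINS_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    tos, frag = int(g["tos"], 16), int(g["frag"], 16)
    return {
        "format": fmt, "direction": g["dir"], "action": g["act"], "interface": g["iface"],
        # ipfwadm prints the protocol name, ipchains prints the IANA protocol number
        "protocol": g["proto"].upper() if fmt == "ipfwadm" else PROTO_NAMES.get(int(g["proto"]), g["proto"]),
        "src": g["src"], "sport": int(g["sport"]), "dst": g["dst"], "dport": int(g["dport"]),
        "length": int(g["len"]),
        # ipchains prints the whole TOS byte; the FAQ note above says to divide it by 4
        "tos": tos if fmt == "ipfwadm" else tos // 4,
        "ip_id": int(g["id"]),
        # 16-bit fragment field: 0x2000 = More Fragments, 0x4000 = Don't Fragment,
        # low 13 bits = fragment offset in 8-byte units (hence "divided by 8" above)
        "more_fragments": bool(frag & 0x2000),
        "dont_fragment": bool(frag & 0x4000),
        "frag_offset_bytes": (frag & 0x1FFF) * 8,
        "ttl": int(g["ttl"]),
    }

# Constructed sample input: the two hits from the FAQ, each rejoined onto one syslog line, plus a DF packet
SAMPLE_LINES = [
    "Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633 "
    "100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=254",
    "Packet log: input DENY eth0 PROTO=17 12.75.147.174:1633 100.200.0.212:23 "
    "L=44 S=0x00 I=54054 F=0x0040 T=254",
    "Feb 23 07:38:10 Roadrunner kernel: IP fw-in deny eth0 UDP 12.75.147.174:53 "
    "100.200.0.212:53 L=60 S=0x00 I=1 F=0x4000 T=64",
]

if __name__ == "__main__":
    for hit in map(parse_firewall_hit, SAMPLE_LINES):
        print(hit)
```

Any syslog line that matches neither format returns None, so the function can be run over a whole messages file and the non-firewall lines skipped.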