Archive for the ‘Linux’ Category

Netfilter Log Format

Posted: 28th July 2010 by admin in Linux

Here is a quick reference for the format used by the netfilter log messages. This is all derived from the source of the netfilter kernel modules (Linux kernel 2.4.2). Below is a hypothetical log message generated by netfilter. It is based on a real log entry, but I have added all possible IP and TCP […]

Netfilter Log Format Issues

Posted: 28th July 2010 by admin in Linux

Positives: Netfilter logs are intuitive and easy to read by the occasional, non-expert admin. They provide much more information than e.g. ipchains, in particular about the transport protocol. They show the header of messages returned inside an ICMP packet. Consistency issues: Most items in the log use the LABEL=value format, but flags appear on their own, […]

ipchains Log Format

Posted: 26th July 2010 by admin in Linux

Here is a quick reference for the format used by the ipchains log messages. This is mostly taken from the ipchains-HOWTO. A typical log message generated by ipchains: Jun 16 08:00:38 megahard kernel: Packet log: forward DENY eth1 PROTO=17 a.b.c.d:234 w.x.y.z:34567 L=78 S=0x00 I=13413 F=0x0000 T=112 (#16) The leading part is self-explanatory. The remaining […]

Linux Firewalls

Posted: 26th July 2010 by admin in Linux

Packet filtering firewall: Linux ipchains implements a packet filtering firewall and can be considered medium security if implemented properly. A packet filtering firewall looks at each packet individually; it does not (and cannot) consider any previous packets which may be part of a multi-packet transaction. In other words, a packet filtering firewall is stateless.

What is the difference between REJECT and DENY?

Posted: 26th July 2010 by admin in Linux

With ipchains you can ACCEPT, REJECT or DENY a packet. What ACCEPT does is self-explanatory, but nearly everybody asks what the difference between REJECT and DENY is and which one is better. And how does nmap see the ports? Below is my attempt at explaining the differences. The example transactions were captured with tcpdump.