Category: Linux

Netfilter Log Format

Here is a quick reference for the format used by the netfilter log messages. This is all derived from the source of the netfilter kernel modules (Linux kernel 2.4.2). Below is a hypothetical log message generated by netfilter. It is based on a real log entry but I have added all possible IP and TCP…


Netfilter Log Format Issues

Positives: Netfilter logs are intuitive and easy to read by the occasional, non-expert admin. They provide much more information than, e.g., ipchains, in particular about the transport protocol. They show the header of messages returned inside an ICMP packet. Consistency issues: Most items in the log use the LABEL=value format, but: flags appear on their own,…


ipchains Log Format

Here is a quick reference for the format used by the ipchains log messages. This is mostly taken from the ipchains-HOWTO. A typical log message generated by ipchains: Jun 16 08:00:38 megahard kernel: Packet log: forward DENY eth1 PROTO=17 a.b.c.d:234 w.x.y.z:34567 L=78 S=0x00 I=13413 F=0x0000 T=112 (#16) The leading part is self-explanatory. The remaining…


Linux Firewalls

Packet filtering firewall: Linux ipchains implements a packet filtering firewall and can be considered medium security if implemented properly. A packet filtering firewall looks at each packet individually; it does not (and cannot) consider any previous packets which may be part of a multi-packet transaction. In other words, a packet filtering firewall is stateless.

What is the difference between REJECT and DENY?

With ipchains you can ACCEPT, REJECT or DENY a packet. What ACCEPT does is self-explanatory, but nearly everybody asks what the difference between REJECT and DENY is and which one is better. And how does nmap see the ports? Below is my attempt at explaining the differences. The example transactions were captured with tcpdump.