SnapGear 1.7.8 Manuel D’Utilisation
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1
OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00
OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00
SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00
TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840
RES=0x00 SYN URGP=0
TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840
RES=0x00 SYN URGP=0
That is, a packet arriving from the WAN (IN=eth1) and bound for the SnapGear appliance
itself (OUT=<nothing>) from IP address 140.103.74.181 (SRC=140.103.74.181),
attempting to go to port 139 (DPT=139, Windows file sharing) was dropped.
itself (OUT=<nothing>) from IP address 140.103.74.181 (SRC=140.103.74.181),
attempting to go to port 139 (DPT=139, Windows file sharing) was dropped.
If the packet is traversing the SnapGear appliance to a server on the private network, the
outgoing interface will be eth0, e.g.:
outgoing interface will be eth0, e.g.:
Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181
DST=10.0.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF
PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
DST=10.0.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF
PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Packets going from the private network to the public come in eth0, and out eth1, e.g.:
Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2
DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF
PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF
PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Creating Custom Log Rules
Additional log rules can be configured to provide more detail if desired. For example, by
analysing the rules in the Rules menu, it is possible to provide additional log messages
with configurable prefixes (i.e. other than Default Deny:) for some allowed or denied
protocols.
analysing the rules in the Rules menu, it is possible to provide additional log messages
with configurable prefixes (i.e. other than Default Deny:) for some allowed or denied
protocols.
Depending on how the LOG rules are constructed it may be possible to differentiate
between inbound (from WAN to LAN) and outbound (from LAN to WAN) traffic. Similarly,
traffic attempting to access services on the SnapGear appliance itself can be
differentiated from traffic trying to pass through it.
between inbound (from WAN to LAN) and outbound (from LAN to WAN) traffic. Similarly,
traffic attempting to access services on the SnapGear appliance itself can be
differentiated from traffic trying to pass through it.
The examples below can be entered on the Command Line Interface (telnet), or into the
Rules SnapGear Management Console web administration pages. Rules entered on the
CLI are not permanent however, so while it may be useful for some quick testing, it is
something to be wary of.
Rules SnapGear Management Console web administration pages. Rules entered on the
CLI are not permanent however, so while it may be useful for some quick testing, it is
something to be wary of.
To log permitted inbound access requests to services hosted on the SnapGear
appliance, the rule should look something like this:
appliance, the rule should look something like this:
Appendix B – System Log
98