README.2nd

Here are a few additional notes on customizing your fwmon installation, housekeeping tips and interpreting the output from fwmon. If we forgot some important points, or you have suggestions to improve the package, please contact us.

1. Date Format in Text Log.

Conventions for displaying day, month and year in numerical values differ between countries. Currently, the default is 'dd-mm-yyyy' (day, month then year with "-" separators). This was selected to avoid confusing North American users who are used to seeing 'mm/dd/yy'. The latter can be very confusing with dates such as '02/01/01', which actually is '2 January 2001' but might be understood as '1 February 2001'. To avoid this confusion, the dash was selected as the separation character in the file 'print.c'. By default, the relevant section of the file contains:

    /* Format the time */
    strftime((char *)&tb, 512, flag(FLAG_SHOWDATE) ? "%d-%m-%Y %H:%M:%S" :

The critical part to change is the quoted format string (the sequence of percent signs followed by letters). If you change the default by editing print.c, you must then re-execute 'make all' followed by 'make install' to recompile and install the program. Finally, you must activate it as described in the README file.

2. Controlling Log File Size.

You might want to plan ahead in your use of any system such as fwmon which can grow very large files. One method of managing this is the logrotate program, which is installed by default on TurboLinux 6 (and other) distros. In its default configuration, this program compresses the specified files, renames them and opens new files with the original names.

If you followed the sample installation in the README, you optionally created /var/log/fwlog and/or /var/log/dump for the log files created and updated by fwmon. One way of managing these files is to add them to the list of files backed up by the logrotate utility. To do this, using /var/log/fwlog as an example, edit the control file at /etc/logrotate.d/syslog.
You will note that other common log files are defined there, such as /var/log/messages. To add the fwmon log, add a new entry at the end as:

    /var/log/fwlog {
        postrotate
            /usr/bin/killall -HUP fwmon
        endscript
    }

If you activate fwmon with the option to create a 'tcpdump'-style log file, a slightly different addition will be required, since a special 24-byte header is required at the beginning of the new file which logrotate creates after compressing an existing file. By default, TurboLinux (and others) create a null-length file, which lacks this header. To overcome this (check /etc/logrotate.conf for the defaults), add the following if using the names suggested in the README file:

    /var/log/dump {
        nocreate
        postrotate
            /usr/bin/killall -HUP fwmon
        endscript
    }

Note that 'nocreate' is a logrotate directive for the whole entry, not a command run by the postrotate script, so it sits outside the postrotate/endscript pair. With it, logrotate does not create the new file itself; fwmon creates it when it receives the HUP signal.

3. Interpreting Log Entries.

Log entries in fwmon can provide information over and above that provided by ipchains in a typical Linux firewall. An example may provide a glimpse of such information, using a recently trapped packet on a system. For purposes of this example, the author's real IP address has been replaced with a dummy sequence of 'aa.bb.cc.dd' for both decimal and hexadecimal portrayals.

We start with the standard log entry from ipchains:

    Jan 7 08:22:10 nexus kernel: Packet log: input Dump eth0 PROTO=6 192.168.1.10:21 aa.bb.cc.dd:21 L=40 S=0x00 I=39426 F=0x0000 T=33 SYN (#50)

From this, we know that a system tried to establish a TCP connection to port 21, which is defined in /etc/services as 'ftp'. We know that this is a request to establish a connection from the 'SYN' at the end of the entry, meaning that this flag was set.

The corresponding entry from the text log optionally produced by fwmon (with the -a flag) is:

    07-01-2001 08:22:10 [eth0/0] TCP 192.168.1.10:21 -> aa.bb.cc.dd:21 [SF] len=40
    0000 : E..(....!..A."DE 45 00 00 28 9A 02 00 00 21 06 C9 41 C0 A8 01 0A
    0010 : .-I.....Q..<6... aa bb cc dd 00 15 00 15 51 F6 D9 3C 36 07 C7 F5
    0020 : P...K........... 50 03 04 04 4B F7 00 00

The fwmon entry appears very different, and can add information which may be of additional value. The first line begins with the date and time, essentially duplicating the ipchains entry. The '[eth0/0]' tells us that this packet arrived on the eth0 interface with a firewall mark of 0. If you don't know what a firewall mark is, then that field can be ignored. The protocol (TCP) used is next, followed by the source IP and the port number after the colon. The right arrow indicates the direction of the intended flow, in this case to my dummied-up IP address and port number 21 (ftp, as determined from /etc/services). The letters in the square brackets following this are the flag bits which were set in the packet. Each letter signifies a flag as:

    A = Acknowledge
    P = Push
    R = Reset
    S = Syn
    F = Fin

In the case of this packet, while ipchains only reports that the SYN flag was set as an indication that a request is being made to open a connection, fwmon tells us that both the Syn and Fin flags are set, which is a clear indication that this is a crafted packet and not a 'normal' request. Many papers and other sources of information on these types of attacks are available from varied sources on the internet.

The following portions of the fwlog entry simply display the raw contents of the packet. The leftmost column is the offset address of the first byte in the row, in hexadecimal. If ascii display is requested with the '-a' option, the ascii equivalent of the byte (or octet) is displayed if it is a printable (20-7FH) value, otherwise a period is displayed. Following the optional ascii display is the value of each byte in hexadecimal.

There are many options and variations in packets, and this is not a complete tutorial, but as an example, we can manually decipher our sample packet and show where some of the information is contained, related to the ipchains and fwmon data reported.
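The same deciphering can be done in code. The following C program is an added example, not part of fwmon: it takes the 40 bytes printed in the dump above (transcribed into an array; the author's placeholder bytes aa bb cc dd are kept as printed, so the dummy address comes out as 170.187.204.221 in decimal), recovers every value ipchains and fwmon report, renders the TCP flags in the letter order listed above, checks for the SYN+FIN combination, and reproduces fwmon's hex/ascii rows. Two differences from the page are deliberate: printable here means 0x20 to 0x7E (DEL is excluded), and the ascii columns of the first two rows will not match the README's, because those were produced from the packet before its addresses were replaced.

```c
/* Added example (not fwmon's code): decode the 40-byte sample packet from the
 * fwlog entry above and recover every value ipchains and fwmon report from it.
 * All multi-byte fields are big-endian, i.e. network byte order. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Transcribed from the hex dump above. 0xaa 0xbb 0xcc 0xdd is the author's
 * placeholder for the redacted destination address and is kept as printed. */
static const uint8_t sample_pkt[40] = {
    0x45,0x00,0x00,0x28,0x9A,0x02,0x00,0x00,0x21,0x06,0xC9,0x41,0xC0,0xA8,0x01,0x0A,
    0xaa,0xbb,0xcc,0xdd,0x00,0x15,0x00,0x15,0x51,0xF6,0xD9,0x3C,0x36,0x07,0xC7,0xF5,
    0x50,0x03,0x04,0x04,0x4B,0xF7,0x00,0x00
};

struct decoded {
    unsigned ihl, tos, total_len, id, frag, ttl, proto;  /* IP header fields */
    uint32_t src, dst;
    unsigned sport, dport, tcp_flags;                     /* TCP header fields */
    char flag_letters[8];  /* fwmon's letters, in the order the README lists them */
};

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* 1: IP and TCP decoded; 0: IP only (not TCP, or TCP header cut off); -1: not IPv4. */
static int decode_packet(const uint8_t *pkt, size_t len, struct decoded *d)
{
    memset(d, 0, sizeof *d);
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    d->ihl = (pkt[0] & 0x0F) * 4;          /* header length in bytes */
    if (d->ihl < 20 || len < d->ihl) return -1;
    d->tos = pkt[1];                       /* ipchains S= */
    d->total_len = be16(pkt + 2);          /* ipchains L=, fwmon len= */
    d->id = be16(pkt + 4);                 /* ipchains I= */
    d->frag = be16(pkt + 6);               /* ipchains F=: flags plus offset */
    d->ttl = pkt[8];                       /* ipchains T= */
    d->proto = pkt[9];                     /* ipchains PROTO= */
    d->src = be32(pkt + 12);
    d->dst = be32(pkt + 16);
    if (d->proto != 6 || len < d->ihl + 20) return 0;
    const uint8_t *tcp = pkt + d->ihl;
    d->sport = be16(tcp);
    d->dport = be16(tcp + 2);
    d->tcp_flags = tcp[13] & 0x3F;         /* URG ACK PSH RST SYN FIN */
    static const struct { unsigned bit; char c; } names[] =
        { {0x10, 'A'}, {0x08, 'P'}, {0x04, 'R'}, {0x02, 'S'}, {0x01, 'F'} };
    size_t n = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (d->tcp_flags & names[i].bit) d->flag_letters[n++] = names[i].c;
    return 1;
}

/* The IPCHAINS HOWTO reading of F=: 0x4000 is Don't Fragment, 0x2000 is More
 * Fragments, and the low 13 bits hold the fragment offset divided by 8. */
static int frag_df(unsigned f) { return (f & 0x4000) != 0; }
static int frag_mf(unsigned f) { return (f & 0x2000) != 0; }
static unsigned frag_offset_bytes(unsigned f) { return (f & 0x1FFF) * 8; }

/* SYN and FIN together never occur in a legitimate connection attempt; this
 * is what fwmon's [SF] exposes where ipchains reports only SYN. */
static int syn_and_fin(unsigned tcp_flags) { return (tcp_flags & 0x03) == 0x03; }

static void ip_str(uint32_t ip, char *out, size_t outsz)
{
    snprintf(out, outsz, "%u.%u.%u.%u", (unsigned)(ip >> 24), (unsigned)(ip >> 16) & 255,
             (unsigned)(ip >> 8) & 255, (unsigned)ip & 255);
}

/* fwmon's summary line after its date and interface fields. The placeholder
 * aa.bb.cc.dd necessarily prints as 170.187.204.221. */
static void format_summary(const struct decoded *d, char *out, size_t outsz)
{
    char s[16], t[16];
    ip_str(d->src, s, sizeof s);
    ip_str(d->dst, t, sizeof t);
    snprintf(out, outsz, "TCP %s:%u -> %s:%u [%s] len=%u",
             s, d->sport, t, d->dport, d->flag_letters, d->total_len);
}

/* One row of fwmon's dump: offset, ascii column (0x20-0x7E printable, '.'
 * otherwise, dot-padded to 16 columns), then the bytes in hex. */
static void dump_row(const uint8_t *p, size_t n, unsigned off, char *out, size_t outsz)
{
    char ascii[17];
    for (size_t i = 0; i < 16; i++)
        ascii[i] = (i < n && p[i] >= 0x20 && p[i] <= 0x7E) ? (char)p[i] : '.';
    ascii[16] = '\0';
    int w = snprintf(out, outsz, "%04X : %s", off, ascii);
    for (size_t i = 0; i < n && w >= 0 && (size_t)w < outsz; i++)
        w += snprintf(out + w, outsz - w, " %02X", (unsigned)p[i]);
}

int main(void)
{
    struct decoded d;
    char line[128];
    if (decode_packet(sample_pkt, sizeof sample_pkt, &d) != 1) return 1;
    printf("ipchains: PROTO=%u L=%u S=0x%02X I=%u F=0x%04X T=%u DF=%d MF=%d offset=%u\n",
           d.proto, d.total_len, d.tos, d.id, d.frag, d.ttl,
           frag_df(d.frag), frag_mf(d.frag), frag_offset_bytes(d.frag));
    format_summary(&d, line, sizeof line);
    printf("fwmon:    %s%s\n", line, syn_and_fin(d.tcp_flags) ? "   <- SYN+FIN set: crafted" : "");
    for (size_t off = 0; off < sizeof sample_pkt; off += 16) {
        size_t n = sizeof sample_pkt - off < 16 ? sizeof sample_pkt - off : 16;
        dump_row(sample_pkt + off, n, (unsigned)off, line, sizeof line);
        puts(line);
    }
    return 0;
}
```

Compile with any C99 compiler (for example 'cc -std=c99 -o decode decode.c') and run without arguments; the ipchains line it prints carries the same L, S, I, F and T values as the kernel log entry above, and the third dump row is byte-for-byte the one fwmon printed.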
For those who were brought up in the Intel and derivative world...please adjust...all multi-byte values here are 'big-endian', meaning that the most-significant element is at the lowest address. In other words, there is no byte or word inversion (to convince yourself, do the conversions from hex to binary yourself :)

    0000 : 45 00 00 28 9A 02 00 00 21 06 C9 41 C0 A8 01 0A
                 || || || || || || || ||       ++-++-++-++-- Source IP in Hex
                 || || || || || || || ++-------------------- Protocol Type
                 || || || || || || ++----------------------- Time-To-Live
                 || || || || ++-++-------------------------- Frag Offset+flags ('F' Value)
                 || || ++-++-------------------------------- IP ID ('I' Value)
                 ++-++-------------------------------------- Len (Bytes=Octets)

    0010 : aa bb cc dd 00 15 00 15 51 F6 D9 3C 36 07 C7 F5
           || || || || || || ++-++-------------------------- Destination Port #
           || || || || ++-++-------------------------------- Source Port #
           ++-++-++-++-------------------------------------- Dest IP (dummy)

    0020 : 50 03 04 04 4B F7 00 00

From the IPCHAINS HOWTO, the following extracts provide clarification:

    S=0x00   - Type of Service field (divide by 4 to get the Type of Service
               as used by ipchains).

    F=0x0000 - The 16-bit fragment offset plus flags. A value starting with
               `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2'
               or `0x3' means the `More Fragments' bit is set; expect more
               fragments after this. The rest of the number is the offset of
               this fragment, divided by 8.

    PROTO    - The protocol number used in this packet. See /etc/protocols
               for the list recognized by your computer.

The most common protocol numbers seen in firewall logs are:

    1  - ICMP
    6  - TCP
    17 - UDP

Note: for PROTO=1 (ICMP), the port number is in fact the TYPE of the ICMP packet, as:

    0  - echo-reply              ping
    3  - destination-unreachable any TCP/UDP traffic
    5  - redirect                routing, if not running a routing daemon
    8  - echo-request            ping
    11 - time-exceeded           traceroute

4. TCPDUMP.

If you capture data in tcpdump format with fwmon, the captures may be examined by a variety of programs, most readily with 'tcpdump'. For a complete list of options and capabilities, consult the tcpdump man pages, but as a start, invoking the program as (more verbose, using the example log file):

    tcpdump -vv -r /var/log/dump

will display summary data on all entries contained in the dump file. It will attempt to resolve the IPs and display their names if you are online (i.e. you have access to a DNS server).
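To make the 24-byte header from section 2 and the file format tcpdump reads concrete, here is an added C example, not fwmon's own code. It builds a tcpdump-format (pcap) file in memory containing one record (the sample packet from section 3, with a constructed timestamp), validates the global header the way a reader must, rejects the zero-length file a default logrotate 'create' would leave behind, and stamps each record with the default date format from print.c in section 1. The link type written is an assumption: LINKTYPE_RAW (101, raw IP) is used because fwmon logs IP packets, but this README does not state which value fwmon itself records.

```c
/* Added example (not fwmon's code): build a tcpdump-format (pcap) file in
 * memory, validate the 24-byte global header referred to in section 2, walk
 * its records, and stamp each with fwmon's default text-log date format. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

#define PCAP_MAGIC      0xa1b2c3d4u /* classic pcap, microsecond timestamps */
#define PCAP_GLOBAL_HDR 24
#define PCAP_RECORD_HDR 16
#define LINKTYPE_RAW    101 /* raw IP; assumed, the README does not say what fwmon writes */

/* Constructed record: the 40-byte packet from the fwlog entry in section 3,
 * given a timestamp of 7 Jan 2001 08:22:10 UTC (epoch 978855730). */
static const uint8_t sample_ip_pkt[40] = {
    0x45,0x00,0x00,0x28,0x9A,0x02,0x00,0x00,0x21,0x06,0xC9,0x41,0xC0,0xA8,0x01,0x0A,
    0xaa,0xbb,0xcc,0xdd,0x00,0x15,0x00,0x15,0x51,0xF6,0xD9,0x3C,0x36,0x07,0xC7,0xF5,
    0x50,0x03,0x04,0x04,0x4B,0xF7,0x00,0x00 };
static const uint32_t sample_ts_sec = 978855730u;

/* pcap files are written in the writer's byte order; the magic number tells a
 * reader which. This writer emits little-endian, the reader accepts both. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p, int swap)
{
    uint16_t v = (uint16_t)(p[0] | (p[1] << 8));
    return swap ? (uint16_t)((v >> 8) | (v << 8)) : v;
}
static uint32_t get32(const uint8_t *p, int swap)
{
    return swap ? ((uint32_t)get16(p, 1) << 16) | get16(p + 2, 1)
                : ((uint32_t)get16(p + 2, 0) << 16) | get16(p, 0);
}

/* This header is exactly what a zero-length file created by logrotate lacks,
 * which is why the section 2 entry uses 'nocreate' and leaves creation to fwmon. */
static size_t write_global_header(uint8_t *out, uint32_t snaplen, uint32_t linktype)
{
    put32(out, PCAP_MAGIC);
    put16(out + 4, 2); put16(out + 6, 4);  /* format version 2.4 */
    put32(out + 8, 0);                     /* thiszone: offset from GMT */
    put32(out + 12, 0);                    /* sigfigs: unused, always 0 */
    put32(out + 16, snaplen);
    put32(out + 20, linktype);
    return PCAP_GLOBAL_HDR;
}

static size_t write_record(uint8_t *out, uint32_t ts_sec, uint32_t ts_usec,
                           const uint8_t *pkt, uint32_t len)
{
    put32(out, ts_sec); put32(out + 4, ts_usec);
    put32(out + 8, len); put32(out + 12, len); /* incl_len, orig_len */
    memcpy(out + PCAP_RECORD_HDR, pkt, len);
    return PCAP_RECORD_HDR + len;
}

/* Header plus the one sample record: 24 + 16 + 40 = 80 bytes. */
static size_t build_sample_file(uint8_t *buf, size_t bufsz)
{
    if (bufsz < PCAP_GLOBAL_HDR + PCAP_RECORD_HDR + sizeof sample_ip_pkt) return 0;
    size_t n = write_global_header(buf, 65535, LINKTYPE_RAW);
    return n + write_record(buf + n, sample_ts_sec, 0, sample_ip_pkt, sizeof sample_ip_pkt);
}

struct pcap_info { int swapped; unsigned ver_major, ver_minor; uint32_t snaplen, linktype; size_t records; };

/* 0: well formed; -1: global header missing or unrecognised (an empty file
 * fails here); -2: a record header or its data runs past end of file. */
static int read_pcap(const uint8_t *buf, size_t len, struct pcap_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < PCAP_GLOBAL_HDR) return -1;
    uint32_t magic = get32(buf, 0);
    if (magic == PCAP_MAGIC) info->swapped = 0;
    else if (magic == 0xd4c3b2a1u) info->swapped = 1;
    else return -1;
    info->ver_major = get16(buf + 4, info->swapped);
    info->ver_minor = get16(buf + 6, info->swapped);
    info->snaplen = get32(buf + 16, info->swapped);
    info->linktype = get32(buf + 20, info->swapped);
    size_t off = PCAP_GLOBAL_HDR;
    while (off + PCAP_RECORD_HDR <= len) {
        uint32_t incl = get32(buf + off + 8, info->swapped);
        if (incl > info->snaplen || incl > len - off - PCAP_RECORD_HDR) return -2;
        info->records++;
        off += PCAP_RECORD_HDR + incl;
    }
    return off == len ? 0 : -2;
}

/* fwmon's default format string from print.c (section 1), applied to a record
 * timestamp in UTC so the result does not depend on the local zone. */
static void format_fwmon_time(uint32_t ts_sec, char *out, size_t outsz)
{
    time_t t = (time_t)ts_sec;
    struct tm *tm = gmtime(&t);
    if (!tm || !strftime(out, outsz, "%d-%m-%Y %H:%M:%S", tm)) out[0] = '\0';
}

int main(void)
{
    uint8_t file[128];
    struct pcap_info info;
    char when[32];
    size_t n = build_sample_file(file, sizeof file);
    int rc = read_pcap(file, n, &info);
    printf("pcap v%u.%u linktype=%u snaplen=%u records=%zu rc=%d\n",
           info.ver_major, info.ver_minor, info.linktype, info.snaplen, info.records, rc);
    for (size_t off = PCAP_GLOBAL_HDR; rc == 0 && off < n; ) {
        uint32_t incl = get32(file + off + 8, info.swapped);
        format_fwmon_time(get32(file + off, info.swapped), when, sizeof when);
        printf("%s len=%u\n", when, incl);  /* the date fwmon's text log would show */
        off += PCAP_RECORD_HDR + incl;
    }
    printf("zero-length file: rc=%d\n", read_pcap(file, 0, &info));
    return 0;
}
```

Writing the 80 bytes this program builds to a file and running 'tcpdump -r' on it (with '-vv' as shown above) gives the same kind of summary line for the sample packet; the zero-length case is what a rotated dump file would look like before fwmon has reopened it, and any reader will refuse it just as read_pcap does.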