README.2nd
Here are a few additional notes on customizing your fwmon installation,
housekeeping tips and interpreting the output from fwmon. If we forgot some
important points, or you have suggestions to improve the package, please
contact us.
1. Date Format in Text Log.
Conventions for displaying day, month and year in numerical values differ
between countries. Currently, the default is 'dd-mm-yyyy' (day, month then
year with "-" separators). This was selected to avoid confusing North
American users who are used to seeing 'mm/dd/yy'. The latter can be very
confusing with dates such as '02/01/01' which actually is '2 January 2001'
but might be understood as '1 February 2001'. To avoid this confusion, the
dash was selected as the separation character in the file 'print.c'. By
default, the relevant section of the file contains:
/* Format the time */
strftime((char *)&tb, 512, flag(FLAG_SHOWDATE) ? "%d-%m-%Y %H:%M:%S" :
The critical section to change is the string sequence containing percent
signs and lowercase characters. If you change the default by editing
print.c, you must then re-execute 'make all' followed by 'make install' to
recompile and install the program. Finally, you must activate it as
described in the README file.
2. Controlling Log File Size.
You might want to plan ahead in your use of any system such as fwmon which
can grow very large files. One method of managing this is the logrotate
program which is installed by default on TurboLinux 6 (and other) distros.
This program in their default configuration compress specified files, rename
them and open new files of the original name. If you followed the sample
installation in the README, you optionally created /var/log/fwlog and/or
/var/log/dump for the log files created and updated by fwmon. One way of
managing these files is to add them to the list of files backed-up by the
logrotate utility.
To do this, using /var/log/fwlog as an example, is to edit the control file
at /etc/logrotate.d/syslog. You will note that other common log files are
defined there such as /var/log/messages. To add the fwmon log, add a new
entry at the end as:
/var/log/fwlog {
postrotate
/usr/bin/killall -HUP fwmon
endscript
}
If you activate fwmon with the option to create a 'tcpdump'-style log file,
a slightly different addition will be required since a special 24-byte
header is required at the beginning of the new file which logrotate creates
after compressing an existing file. By default, both TurboLinux (and
others) create a null-length file. To overcome this (check
/etc/logrotate.conf for the defaults), add the following if using the names
suggested in the README file:
/var/log/Dump {
postrotate
nocreate
/usr/bin/killall -HUP fwmon
endscript
}
3. Interpreting Log Entries.
Log entries in fwmon can provide information over and above that provided by
ipchains in a typical Linux firewall. An example may provide a glimpse of
such information using a recently trapped packet on a system. For purposes
of this example, the author's real IP address has been replaced with a dummy
sequence of 'aa.bb.cc.dd' for both decimal and hexidecimal portrayals. We
start with the standard log entry from ipchains:
Jan 7 08:22:10 nexus kernel: Packet log: input Dump eth0 PROTO=6
192.168.1.10:21 aa.bb.cc.dd:21 L=40 S=0x00 I=39426 F=0x0000 T=33 SYN (#50)
>From this, we know that a system tried to establish a TCP connection to port
21 which is defined in /etc/services as 'ftp'. We know that this is a
request to establish from the 'SYN' at the end of the entry meaning that
this flag was set.
The corresponding entry from the text log optionally produced by fwmon (with
the -a flag) is:
07-01-2001 08:22:10 [eth0/0] TCP 192.168.1.10:21 -> aa.bb.cc.dd:21 [SF] len=40
0000 : E..(....!..A."DE 45 00 00 28 9A 02 00 00 21 06 C9 41 C0 A8 01 0A
0010 : .-I.....Q..<6... aa bb cc dd 00 15 00 15 51 F6 D9 3C 36 07 C7 F5
0020 : P...K........... 50 03 04 04 4B F7 00 00
The fwmon entry appears very different, and can add information which may be
of additional value. The first line begins with the date and time,
essentially duplicating the ipchains entry. The '[eth0/0]' tells us that this
packet arrived on the eth0 interface with a firewall mark of 0. If you don't
know what a firewall mark is, then that field can be ignored. The protocol
(TCP) used is next followed by the source IP and port number after the colon.
The right arrow indicates the direction of the intended flow, in this case
to my dummied-up IP address and port number 21 (ftp as determined from
/etc/services). The letters in the square brackets following this are the
flag bits which were set in the packet. Each letter signifies a flag as:
A = Acknowledge
P = Push
R = Reset
S = Syn
F = Fin
In the case of this packet, while ipchains only reports that the SYN flag
was set as an indication that a request is being made to open a connection,
fwmon tells us that both Syn and Fin flags are set which is a clear
indication that this is a crafted packet, and not a 'normal' request. Many
papers and other sources of information on these types of attacks are
available from varied sources on the internet.
The following portions of the fwlog entry simply display the raw contents of
the packet. The leftmost column is the offset address of the first byte in
the row in hexidecimal. If ascii display is requested with the '-a' option,
the ascii equivalent of the byte (or octet) is displayed if it is a
printable (20-7FH) value, otherwise a period is displayed. Following the
optional ascii display is the value of each byte in hexidecimal.
There are many options and variations in packets, and this is not a complete
tutorial, but as an example, we can manually decipher our sample packet and
show where some of the information is contained, related to the ipchains and
fwmon data reported. For those who were brought up in the Intel and
derivative world...please adjust...all multi-byte values here are
'big-endian' meaning that the most-significant element is at the lowest
address. In other words, there is no byte or word inversion (to convince
yourself, do the conversions from hex to binary yourself :)
0000 : 45 00 00 28 9A 02 00 00 21 06 C9 41 C0 A8 01 0A
|| || || || || || || || ++-++-++-++-- Source IP in Hex
|| || || || || || || ++-------------------- Protocol Type
|| || || || || || ++----------------------- Time-To-Live
|| || || || ++-++-------------------------- Frag Offset+flags
|| || || || ('F' Value)
|| || ++-++-------------------------------- IP ID ('I' Value)
++-++-------------------------------------- Len (Bytes=Octets)
0010 : aa bb cc dd 00 15 00 15 51 F6 D9 3C 36 07 C7 F5
|| || || || || || ++-++-------------------------- Destination Port #
|| || || || ++-++-------------------------------- Source Port #
++-++-++-++-------------------------------------- Dest IP (dummy)
0020 : 50 03 04 04 4B F7 00 00
>From the IPCHAINS HOWTO, the following extracts provide clarification:
S=0x00 - Type of Service field (divide by 4 to get the
Type of Service as used by ipchains).
---Type-of-Service bits???
F=0x0000 - The 16-bit fragment offset plus flags. A value
starting with `0x4' or `0x5' means that the Don't Fragment bit is
set. `0x2' or `0x3' means the `More Fragments' bit is set; expect
more fragments after this. The rest of the number is the offset of
this fragment, divided by 8.
PROTO - The protocol number used in this package. See /etc/protocols
for the list recognized by your computer. The most common ones
seen in firewall logs are:
1 - ICMP
6 - TCP
17 - UDP
Note: for PROTO=1 (ICMP), the port number is in fact the TYPE of
ICMP Packet as:
0 - echo-reply ping
3 - destination-unreachable Any TCP/UDP traffic.
5 - redirect routing if not running
routing daemon
8 - echo-request ping
11 - time-exceeded traceroute
TCPDUMP.
If you capture data in tcpdump format with fwmon, they may be examined by
a variety of programs, most readily with 'tcpdump'. For a complete list of
options and capabilities, consult the tcpdump man pages, but as a start,
invoking the program as (more verbose, using the example log file):
tcpdump -vv -r /var/log/dump
will display summary data on all entries contained in the dump file. It
will attempt to resolve the IPs and display their names if you are online
(i.e. you have access to a DNS server).
