User's guide

Management > Network Status > Firewall Trace
An entry is appended to the firewall trace output each time the log keyword is used in the firewall.
Most commonly, the log keyword is used in the last rule, in the form block log break end, to
log a summary of all packets that did not match one of the preceding allow rules.
The log keyword is much more versatile than this, both in how it is used and in what can be logged. For more
information see “log:” in the Firewall Scripts section.
Example output is shown below; it was produced by the commonly used firewall rule
block log break end
----- 5-10-2009 23:12:08 ------
FW LOG Dir: IN Line: 37 Hits: 4730 IFACE: ETH 3
Source IP: 222.45.112.59 Dest IP: 217.34.133.21 ID: 256 TTL: 106 PROTO: TCP (6)
Src Port: 12200 Dst Port: 8118
block log break end
----------
----- 5-10-2009 23:13:15 ------
FW LOG Dir: IN Line: 37 Hits: 4731 IFACE: ETH 3
Source IP: 218.61.22.42 Dest IP: 217.34.133.21 ID: 35372 TTL: 136 PROTO: TCP (6)
Src Port: FTP CTL (21) Dst Port: 16794
block log break end
----------
Two example logged packets are shown. The output for the first logged packet can be explained
as follows:
----- 5-10-2009 23:12:08 ------
This is the time stamp of the blocked packet.
FW LOG Dir: IN Line: 37 Hits: 4730 IFACE: ETH 3
‘Dir:’ is the direction of the packet that was logged, either IN or OUT of the router.
‘Line:’ is the line number within the firewall rules that caused this packet to be logged.
‘Hits:’ is the number of packets that have matched this rule.
‘IFACE:’ is the interface on which the packet was logged.
Source IP: 222.45.112.59 Dest IP: 217.34.133.21 ID: 256 TTL: 106 PROTO: TCP (6)
‘Source IP:’ is the source IP address of the packet that was logged.
‘Dest IP:’ is the destination IP address of the packet that was logged.
‘ID:’ is the ID of the packet, taken from the packet header.
‘TTL:’ is the Time To Live value.
‘PROTO:’ is the layer 3 protocol of the logged packet.
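The fields described above can be extracted from a saved trace for review or forwarding to a log collector. The following parser is an added example, not part of the original guide or the router's software; the line layouts are inferred from the two sample entries only, and the names parse_trace and port_number are hypothetical.

```python
import re
# Sample input: the two entries printed in the guide's example output.
SAMPLE = """\
----- 5-10-2009 23:12:08 ------
FW LOG Dir: IN Line: 37 Hits: 4730 IFACE: ETH 3
Source IP: 222.45.112.59 Dest IP: 217.34.133.21 ID: 256 TTL: 106 PROTO: TCP (6)
Src Port: 12200 Dst Port: 8118
block log break end
----------
----- 5-10-2009 23:13:15 ------
FW LOG Dir: IN Line: 37 Hits: 4731 IFACE: ETH 3
Source IP: 218.61.22.42 Dest IP: 217.34.133.21 ID: 35372 TTL: 136 PROTO: TCP (6)
Src Port: FTP CTL (21) Dst Port: 16794
block log break end
----------
"""
# Line layouts inferred from the sample entries only (assumption).
STAMP = re.compile(r"^-{5} (\d{1,2}-\d{1,2}-\d{4} \d{2}:\d{2}:\d{2}) -+$")
HDR = re.compile(r"^FW LOG Dir: (IN|OUT) Line: (\d+) Hits: (\d+) IFACE: (.+)$")
IP = re.compile(r"^Source IP: (\S+) Dest IP: (\S+) ID: (\d+) TTL: (\d+) "
                r"PROTO: (\S+) \((\d+)\)$")
PORTS = re.compile(r"^Src Port: (.+?) Dst Port: (.+)$")

def port_number(text):
    """Ports print as '12200' or as a service name, e.g. 'FTP CTL (21)'."""
    m = re.search(r"\((\d+)\)$", text)
    return int(m[1]) if m else int(text)

def parse_trace(text):
    """Return one dict per logged packet."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := STAMP.match(line):
            cur = {"time": m[1]}  # kept as text: D-M vs M-D order not stated
        elif cur is None or not line:
            continue
        elif m := HDR.match(line):
            cur.update(dir=m[1], line=int(m[2]), hits=int(m[3]), iface=m[4])
        elif m := IP.match(line):
            cur.update(src=m[1], dst=m[2], ip_id=int(m[3]), ttl=int(m[4]),
                       proto=m[5], proto_num=int(m[6]))
        elif m := PORTS.match(line):
            cur.update(sport=port_number(m[1]), dport=port_number(m[2]))
        elif set(line) == {"-"}:        # closing dashes end the entry
            entries.append(cur)
            cur = None
        else:                           # remaining line is the matching rule
            cur["rule"] = line
    return entries
```

An entry without a Src Port / Dst Port line simply has no sport or dport key in its dict.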