User's guide

The FWLOG.TXT File
When the log option is specified within a firewall script rule, an entry is created in the
FWLOG.TXT pseudo-file each time an IP packet matches the rule. Each log entry will in turn
contain the following information:
Parameter          Description
Timestamp          The time when the log entry is created.
Short Description  Usually “FW LOG” but could be “FW DEBUG” for packets that hit rules with the “debug” action set.
Dir                Either “IN” or “OUT”. Indicates the direction the packet is travelling.
Line               The line number of the rule that caused the packet to be logged.
Hits               The number of matches for the rule that caused this packet to be logged.
Iface              The interface the packet was to be transmitted/received on.
Source IP          The source IP address in the IP packet.
Dest. IP           The destination IP address in the IP packet.
ID                 The value of the ID field in the IP packet.
TTL                The value of the TTL field in the IP packet.
PROTO              The value of the protocol field in the IP packet. This will be expanded to text as well for the well-known protocols.
Src Port           The value of the source port field in the TCP/UDP header.
Dst Port           The value of the destination port field in the TCP/UDP header.
Rule Text          The rule that caused the packet to be logged is also entered into the log file.
In addition, pre-defined port numbers will be expanded to text.
Log File Examples
Example: log entry without the body option:
----- 15-8-2002 16:25:50 ------
FW LOG Dir: IN Line: 11 Hits: 1 IFACE: ETH 0
Source IP: 100.100.100.25 Dest IP: 100.100.100.50 ID: 39311 TTL: 128
PROTO: TCP (6)
Src Port: 4232 Dst Port: WEB (80)
pass in log break end on eth 0 proto tcp from 100.100.100.25 to addr-eth 0 flags S/SA inspect-state
----------
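A parser for the entry layout shown above, as an added example that is not part of the original guide or the product: it turns each entry into a dict and counts logged packets per rule line and source IP. It assumes day-month-year timestamps, keeps unlabelled lines (including any extra output from the body option) as rule text, and its function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

HEADER = re.compile(r"^-+ (\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{2}:\d{2}) -+$")
FIELD = re.compile(r"\b(Dir|Line|Hits|IFACE|Source IP|Dest IP|ID|TTL|PROTO|Src Port|Dst Port):\s*")
NUMERIC = {"Line", "Hits", "ID", "TTL", "PROTO", "Src Port", "Dst Port"}

def expand(value):
    """'4232' -> 4232; expanded form 'WEB (80)' -> 80; anything else -> None."""
    m = re.fullmatch(r"(?:.+?\((\d+)\)|(\d+))", value)
    return int(m.group(1) or m.group(2)) if m else None

def parse_fwlog(text):
    """Return one dict per complete entry; an unterminated entry is dropped."""
    entries, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:  # assumption: the timestamp is day-month-year
            cur = {"time": datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S"), "rule": []}
        elif cur is None or not line:
            continue
        elif set(line) == {"-"}:  # "----------" closes the entry
            cur["rule"] = " ".join(cur["rule"])
            entries.append(cur)
            cur = None
        elif FIELD.search(line):
            parts = FIELD.split(line)  # [prefix, label, value, label, value, ...]
            if parts[0].strip():
                cur["kind"] = parts[0].strip()  # "FW LOG" or "FW DEBUG"
            for label, value in zip(parts[1::2], parts[2::2]):
                cur[label] = expand(value.strip()) if label in NUMERIC else value.strip()
        else:
            cur["rule"].append(line)  # rule text may span several lines
    return entries

def packets_by_rule_and_source(entries):
    """Count logged packets per (rule line, source IP) for quick triage."""
    return Counter((e["Line"], e["Source IP"]) for e in entries)

# The page's first example with its rule text on one line (sample input).
SAMPLE = """\
----- 15-8-2002 16:25:50 ------
FW LOG Dir: IN Line: 11 Hits: 1 IFACE: ETH 0
Source IP: 100.100.100.25 Dest IP: 100.100.100.50 ID: 39311 TTL: 128
PROTO: TCP (6)
Src Port: 4232 Dst Port: WEB (80)
pass in log break end on eth 0 proto tcp from 100.100.100.25 to addr-eth 0 flags S/SA inspect-state
----------
"""
```

Calling `packets_by_rule_and_source(parse_fwlog(text))` on a retrieved copy of the log shows which sources are hitting which logged rules most often.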
Example: log entry with the body option:
----- 15-8-2002 16:27:56 ------
FW LOG Dir: IN Line: 7 Hits: 1 IFACE: ETH 0
Source IP: 100.100.100.25 Dest IP: 100.100.100.50 ID: 40140 TTL: 128
PROTO: ICMP (1)