Understanding UFW log
What does this UFW log mean? has already asked this question; however, he asked it with a specific intention and the log itself did not actually get covered in the answer. Therefore I did not benefit from it and am asking the question again.
I want to know what each piece of the UFW log means.
Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]
[UFW BLOCK] IN=eth0 OUT=
MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
SRC=77.72.85.26 DST=157.230.26.180
LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
SPT=42772 DPT=3194 WINDOW=1024
RES=0x00 SYN URGP=0
For my (and hopefully others') benefit, I would very much like each individual part to be described briefly.
firewall log ufw logging
edited Feb 7 at 16:36
Doug Smythies
asked Feb 6 at 16:35
Jonas Grønbek
1 Answer
UFW is just a front end for iptables, and so those log entries are actually from iptables.
Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]
Date and time, your computer name, and kernel time since boot.
Line 2: [UFW BLOCK] IN=eth0 OUT=
Whenever iptables makes a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not being re-transmitted, which might be the case if this was a router application.
Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type; in this case it means "Ethernet frame carried an IPv4 datagram".
Line 4: SRC=77.72.85.26 DST=157.230.26.180
Those are the IP addresses for where the packet came from, SRC, and where it is supposed to be going, DST, which should be your IP address.
Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
Length of the payload portion of the raw packet; Type of service; Precedence; Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).
Line 6: SPT=42772 DPT=3194 WINDOW=1024
Source port; Destination port; TCP window size.
Line 7: RES=0x00 SYN URGP=0
TCP flags; the important one here is "SYN", meaning it is attempting to make a NEW connection. This log entry means the attempt has been blocked.
edited Feb 7 at 16:33
answered Feb 6 at 17:08
Doug Smythies
I could not imagine a better answer, may you have a wonderful day sir! :)
– Jonas Grønbek
Feb 6 at 17:10
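A small parser for this log format, added here as an example and not part of the question or of Doug Smythies's answer: it splits one UFW/iptables line into the fields the answer walks through, decodes the MAC field into destination MAC, source MAC and EtherType, and collects the TCP flags. The sample is the line from the question joined onto a single line as it is written to the log; the regex assumes the syslog-style "kernel:" format and accepts any [UFW ...] prefix, not just BLOCK.

```python
import re

# Constructed sample: the entry from the question, joined onto one line as it is
# written to /var/log/ufw.log (or shown by `journalctl -k`).
SAMPLE = ("Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115] [UFW BLOCK] IN=eth0 OUT= "
          "MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=77.72.85.26 DST=157.230.26.180 "
          "LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP SPT=42772 DPT=3194 "
          "WINDOW=1024 RES=0x00 SYN URGP=0")

# syslog timestamp, host, kernel uptime, the UFW --log-prefix (BLOCK, ALLOW, AUDIT, ...),
# then the KEY=value fields written by the iptables LOG target.
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                    r"\[\s*(?P<uptime>[\d.]+)\] \[UFW (?P<action>[A-Z ]+)\] (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_ufw_line(line):
    """Return a dict of the fields in one UFW log line, or None if it is not one."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"],
           "uptime": float(m["uptime"]), "action": m["action"]}
    flags = []
    for tok in m["rest"].split():
        if "=" in tok:                      # KEY=value (OUT= yields an empty string)
            key, val = tok.split("=", 1)
            rec[key] = val
        elif tok in TCP_FLAGS:              # bare flag names such as SYN, ACK
            flags.append(tok)
    rec["flags"] = flags
    # MAC= carries the whole Ethernet header: dst MAC, src MAC, EtherType (0x0800 = IPv4,
    # 0x86dd = IPv6). It is absent on interfaces without link-layer addresses (tun, ppp).
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "0x" + "".join(octets[12:])
    return rec

def is_blocked_inbound_syn(rec):
    """True for the case in the question: an inbound TCP connection attempt (SYN without
    ACK) that UFW dropped. LEN=40 here is the IP total length (20-byte IP header plus
    20-byte TCP header), i.e. a bare SYN carrying no payload."""
    return bool(rec["action"] == "BLOCK" and rec.get("IN") and rec.get("PROTO") == "TCP"
                and "SYN" in rec["flags"] and "ACK" not in rec["flags"])

if __name__ == "__main__":
    r = parse_ufw_line(SAMPLE)
    print(f'{r["action"]} {r["PROTO"]} {r["SRC"]}:{r["SPT"]} -> {r["DST"]}:{r["DPT"]} '
          f'flags={r["flags"]} src_mac={r["src_mac"]} ethertype={r["ethertype"]}')
```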