Understanding UFW log












2















What does this UFW log mean? Has already asked this question, however he asked it with a specific intention and the log in actuality did not get covered in the answer. Therefore I did not benefit and ask the question again.



I want to know what each piece of the UFW log means



Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115] 
[UFW BLOCK] IN=eth0 OUT=
MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
SRC=77.72.85.26 DST=157.230.26.180
LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
SPT=42772 DPT=3194 WINDOW=1024
RES=0x00 SYN URGP=0


For my (and hopefully others) feasibility, I would very much like each individual part being described shortly.










share|improve this question





























    2















    What does this UFW log mean? Has already asked this question, however he asked it with a specific intention and the log in actuality did not get covered in the answer. Therefore I did not benefit and ask the question again.



    I want to know what each piece of the UFW log means



    Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115] 
    [UFW BLOCK] IN=eth0 OUT=
    MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
    SRC=77.72.85.26 DST=157.230.26.180
    LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
    SPT=42772 DPT=3194 WINDOW=1024
    RES=0x00 SYN URGP=0


    For my (and hopefully others) feasibility, I would very much like each individual part being described shortly.










    share|improve this question



























      2












      2








      2








      What does this UFW log mean? Has already asked this question, however he asked it with a specific intention and the log in actuality did not get covered in the answer. Therefore I did not benefit and ask the question again.



      I want to know what each piece of the UFW log means



      Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115] 
      [UFW BLOCK] IN=eth0 OUT=
      MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
      SRC=77.72.85.26 DST=157.230.26.180
      LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
      SPT=42772 DPT=3194 WINDOW=1024
      RES=0x00 SYN URGP=0


      For my (and hopefully others) feasibility, I would very much like each individual part being described shortly.










      share|improve this question
















      What does this UFW log mean? Has already asked this question, however he asked it with a specific intention and the log in actuality did not get covered in the answer. Therefore I did not benefit and ask the question again.



      I want to know what each piece of the UFW log means



      Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115] 
      [UFW BLOCK] IN=eth0 OUT=
      MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
      SRC=77.72.85.26 DST=157.230.26.180
      LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
      SPT=42772 DPT=3194 WINDOW=1024
      RES=0x00 SYN URGP=0


      For my (and hopefully others) feasibility, I would very much like each individual part being described shortly.







      firewall log ufw logging






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 7 at 16:36









      Doug Smythies

      7,28131530




      7,28131530










      asked Feb 6 at 16:35









      Jonas GrønbekJonas Grønbek

      1136




      1136






















          1 Answer
          1






          active

          oldest

          votes


















          3














          UFW is just a front end for iptables, and so those log entries are actually from iptables.



          Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]



          date and time, your computer name, and kernel time since boot.



          Line 2: [UFW BLOCK] IN=eth0 OUT=



          whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not been re-transmitted, which might be the case if this was a router application.



          Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00



          These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".



          Line 4: SRC=77.72.85.26 DST=157.230.26.180



          Those are the IP addresses for where the packet came from, SRC, and where is it supposed to going, DST and should be your IP address.



          Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP



          Length of the payload portion of the raw packet; Type of service, Presedence, Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).



          Line 6: SPT=42772 DPT=3194 WINDOW=1024



          Source port; Detestation port; TCP window size



          Line 7: RES=0x00 SYN URGP=0



          TCP flags, the important one here is "SYN" meaning it it attempting to make a NEW connection. This log entry means the attempt has been blocked.






          share|improve this answer


























          • I could not imagine a better answer, may you have a wonderful day sir! :)

            – Jonas Grønbek
            Feb 6 at 17:10













          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1116145%2funderstanding-ufw-log%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          3














          UFW is just a front end for iptables, and so those log entries are actually from iptables.



          Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]



          date and time, your computer name, and kernel time since boot.



          Line 2: [UFW BLOCK] IN=eth0 OUT=



          whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not been re-transmitted, which might be the case if this was a router application.



          Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00



          These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".



          Line 4: SRC=77.72.85.26 DST=157.230.26.180



          Those are the IP addresses for where the packet came from, SRC, and where is it supposed to going, DST and should be your IP address.



          Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP



          Length of the payload portion of the raw packet; Type of service, Presedence, Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).



          Line 6: SPT=42772 DPT=3194 WINDOW=1024



          Source port; Detestation port; TCP window size



          Line 7: RES=0x00 SYN URGP=0



          TCP flags, the important one here is "SYN" meaning it it attempting to make a NEW connection. This log entry means the attempt has been blocked.






          share|improve this answer


























          • I could not imagine a better answer, may you have a wonderful day sir! :)

            – Jonas Grønbek
            Feb 6 at 17:10


















          3














          UFW is just a front end for iptables, and so those log entries are actually from iptables.



          Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]



          date and time, your computer name, and kernel time since boot.



          Line 2: [UFW BLOCK] IN=eth0 OUT=



          whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not been re-transmitted, which might be the case if this was a router application.



          Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00



          These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".



          Line 4: SRC=77.72.85.26 DST=157.230.26.180



          Those are the IP addresses for where the packet came from, SRC, and where is it supposed to going, DST and should be your IP address.



          Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP



          Length of the payload portion of the raw packet; Type of service, Presedence, Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).



          Line 6: SPT=42772 DPT=3194 WINDOW=1024



          Source port; Detestation port; TCP window size



          Line 7: RES=0x00 SYN URGP=0



          TCP flags, the important one here is "SYN" meaning it it attempting to make a NEW connection. This log entry means the attempt has been blocked.






          share|improve this answer


























          • I could not imagine a better answer, may you have a wonderful day sir! :)

            – Jonas Grønbek
            Feb 6 at 17:10
















          3












          3








          3







          UFW is just a front end for iptables, and so those log entries are actually from iptables.



          Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]



          date and time, your computer name, and kernel time since boot.



          Line 2: [UFW BLOCK] IN=eth0 OUT=



          whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not been re-transmitted, which might be the case if this was a router application.



          Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00



          These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".



          Line 4: SRC=77.72.85.26 DST=157.230.26.180



          Those are the IP addresses for where the packet came from, SRC, and where is it supposed to going, DST and should be your IP address.



          Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP



          Length of the payload portion of the raw packet; Type of service, Presedence, Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).



          Line 6: SPT=42772 DPT=3194 WINDOW=1024



          Source port; Detestation port; TCP window size



          Line 7: RES=0x00 SYN URGP=0



          TCP flags, the important one here is "SYN" meaning it it attempting to make a NEW connection. This log entry means the attempt has been blocked.






          share|improve this answer















          UFW is just a front end for iptables, and so those log entries are actually from iptables.



          Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]



          date and time, your computer name, and kernel time since boot.



          Line 2: [UFW BLOCK] IN=eth0 OUT=



          whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not been re-transmitted, which might be the case if this was a router application.



          Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00



          These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".



          Line 4: SRC=77.72.85.26 DST=157.230.26.180



          Those are the IP addresses for where the packet came from, SRC, and where is it supposed to going, DST and should be your IP address.



          Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP



          Length of the payload portion of the raw packet; Type of service, Presedence, Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).



          Line 6: SPT=42772 DPT=3194 WINDOW=1024



          Source port; Detestation port; TCP window size



          Line 7: RES=0x00 SYN URGP=0



          TCP flags, the important one here is "SYN" meaning it it attempting to make a NEW connection. This log entry means the attempt has been blocked.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Feb 7 at 16:33

























          answered Feb 6 at 17:08









          Doug SmythiesDoug Smythies

          7,28131530




          7,28131530













          • I could not imagine a better answer, may you have a wonderful day sir! :)

            – Jonas Grønbek
            Feb 6 at 17:10





















          • I could not imagine a better answer, may you have a wonderful day sir! :)

            – Jonas Grønbek
            Feb 6 at 17:10



















          I could not imagine a better answer, may you have a wonderful day sir! :)

          – Jonas Grønbek
          Feb 6 at 17:10







          I could not imagine a better answer, may you have a wonderful day sir! :)

          – Jonas Grønbek
          Feb 6 at 17:10




















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1116145%2funderstanding-ufw-log%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀