Appendix C – System Log
179
A typical Default Deny: will thus look similar to the following:
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1
OUT=MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00
SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00
TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840
RES=0x00 SYN URGP=0
That is, a packet arriving from the WAN (IN=eth1) and bound for the CyberGuard SG
appliance itself (OUT=<nothing>) from IP address 140.103.74.181
(SRC=140.103.74.181), attempting to go to port 139 (DPT=139, Windows file sharing)
was dropped.
If the packet is traversing the CyberGuard SG appliance to a server on the private
network, the outgoing interface will be eth0, e.g.:
Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181
DST=10.0.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF
PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Packets going from the private network to the public come in eth0, and out eth1, e.g.:
Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2
DST=140.103.74.181 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF
PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Creating Custom Log Rules
Additional log rules can be configured to provide more detail if desired. For example, by
analyzing the rules in the Rules menu, it is possible to provide additional log messages
with configurable prefixes (i.e. other than Default Deny:) for some allowed or denied
protocols.
Depending on how the LOG rules are constructed it may be possible to differentiate
between inbound (from WAN to LAN) and outbound (from LAN to WAN) traffic. Similarly,
traffic attempting to access services on the CyberGuard SG appliance itself can be
differentiated from traffic trying to pass through it.
The examples below can be entered on the Command Line Interface (telnet), or into the
Rules Web Management Console web administration pages. Rules entered on the CLI
are not permanent however, so while it may be useful for some quick testing, it is
something to be wary of.