I have a Zyxel Prestige ADSL router which does my NAT and is also a firewall.
I'm fairly happy that I have the firewall set up correctly, however I'd like to be able to interpret what I'm seeing in the router logs.
For example over the past few minutes I see lines like the following and some of them I don't really understand what's talking to what.
Aug 10 12:30:31 zyxel RAS: src="192.168.13.3:137" dst="192.168.13.255:137" msg="Firewall default policy: UDP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK, this is a Win2k computer on my LAN talking to the ISDN router, I can understand this. (The ISDN router is there for historical reasons, it's not used at the moment)
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is from a networked HP 7310 printer but I don't understand the dst address, where does 224.0.0.251 come from? It has no relation to my 192.168.13.xx subnet.
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.1.60" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This (again from the printer) always appears immediately after the other printer one. Another 224.0.x.x destination.
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Now this I don't follow, it's from the 'outside' to the Zyxel router (I have the static IP 84.51.144.229 from my ISP). Is this a probe of some sort? The port numbers seem rather odd. Should the router be telling me what it's doing with this, e.g. is it blocked/refused?
Aug 10 12:34:26 zyxel RAS: src="82.76.43.200:1627" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another similar one.
Aug 10 12:34:54 zyxel RAS: src="192.168.13.1:32978" dst="200.23.51.205:123" msg="Firewall default policy: UDP (L to W)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is my Linux box talking to cronos.cenam.mx, by the sound of the name it's probably asking what the time is using NTP. Yes, that's it, 123 is the NTP protocol, so I'm happy with this one.
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another one to port 1433, which turns out to be "#Microsoft-SQL-Server" what on earth does this suggest?
Chris Green chris@areti.co.uk wrote:
I have a Zyxel Prestige ADSL router which does my NAT and is also a firewall.
I'm fairly happy that I have the firewall set up correctly, however I'd like to be able to interpret what I'm seeing in the router logs.
For example over the past few minutes I see lines like the following and some of them I don't really understand what's talking to what.
Aug 10 12:30:31 zyxel RAS: src="192.168.13.3:137" dst="192.168.13.255:137" msg="Firewall default policy: UDP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK, this is a Win2k computer on my LAN talking to the ISDN router, I can understand this. (The ISDN router is there for historical reasons, it's not used at the moment)
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is from a networked HP 7310 printer but I don't understand the dst address, where does 224.0.0.251 come from? It has no relation to my 192.168.13.xx subnet.
lalala, the 224.0.0.0/24 [1] range is for "well known multicast addresses", your printer is probably just announcing itself to the network.
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.1.60" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This (again from the printer) always appears immediately after the other printer one. Another 224.0.x.x destination.
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK - now this one is a Globally Scoped multicast address [1]... the printer really is trying to make itself known...
Now this I don't follow, it's from the 'outside' to the Zyxel router (I have the static IP 84.51.144.229 from my ISP). Is this a probe of some sort? The port numbers seem rather odd. Should the router be telling me what it's doing with this, e.g. is it blocked/refused?
Aug 10 12:34:26 zyxel RAS: src="82.76.43.200:1627" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another similar one.
Aug 10 12:34:54 zyxel RAS: src="192.168.13.1:32978" dst="200.23.51.205:123" msg="Firewall default policy: UDP (L to W)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is my Linux box talking to cronos.cenam.mx, by the sound of the name it's probably asking what the time is using NTP. Yes, that's it, 123 is the NTP protocol, so I'm happy with this one.
Yup - sounds fine.
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another one to port 1433, which turns out to be "#Microsoft-SQL-Server" what on earth does this suggest?
Suggests that there's a bug in SQL server and people are trying to exploit it. Looking at the messages, I'd expect ACCESS FORWARD to mean that it looks it up to forward it, unless you've got it set up with a DMZ machine that it forwards everything to... the message isn't overly clear on whether or not it's blocking the packet or accepting them, I'd assume, looking at it, that it was accepting them, but they might get no further than that, depending on if they were redirected or anything. Probably worth looking at the handbook to see if it outlines how to interpret the logs.
[1] http://www.tcpipguide.com/free/t_IPMulticastAddressing.htm
Thanks, - -- Brett Parker web: http://www.sommitrealweird.co.uk/ email: iDunno@sommitrealweird.co.uk
On Wed, Aug 10, 2005 at 01:09:15PM +0100, Brett Parker wrote:
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK - now this one is a Globally Scoped multicast address [1]... the printer really is trying to make itself known...
OK, so this is alright, just the printer telling the world about itself.
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another one to port 1433, which turns out to be "#Microsoft-SQL-Server" what on earth does this suggest?
Suggests that there's a bug in SQL server and people are trying to exploit it. Looking at the messages, I'd expect ACCESS FORWARD to mean that it looks it up to forward it, unless you've got it set up with a DMZ machine that it forwards everything to... the message isn't overly clear on whether or not it's blocking the packet or accepting them, I'd assume, looking at it, that it was accepting them, but they might get no further than that, depending on if they were redirected or anything. Probably worth looking at the handbook to see if it outlines how to interpret the logs.
Thanks, I'll have a dig around in the router documentation to see if I can get it to tell me more (or to understand better what it is telling me). It would be good if I can filter out the innocuous traffic and leave only unknown/suspicious items.
On 8/10/05, Chris Green chris@areti.co.uk wrote:
I have a Zyxel Prestige ADSL router which does my NAT and is also a firewall.
I'm fairly happy that I have the firewall set up correctly, however I'd like to be able to interpret what I'm seeing in the router logs.
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This is from a networked HP 7310 printer but I don't understand the dst address, where does 224.0.0.251 come from? It has no relation to my 192.168.13.xx subnet.
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.1.60" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
This (again from the printer) always appears immediately after the other printer one. Another 224.0.x.x destination.
224.0.0.* is "IANA Special Use". MCAST, possibly.
You probably want to turn down the amount of reporting for normal traffic, but the messages about IP addresses outside your network trying to connect to other devices outside of the network is a bit worrying.
Hope this helps, Tim.
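A small filter of the kind Chris asks for in his last message (drop the innocuous lines, keep the unknown or suspicious ones), which also flags the "outside to outside" lines Tim points at. This is an added example, not code from anyone in the thread; it uses the LAN subnet, router WAN address and log lines quoted above, and the table of expected outbound services is an assumption you would tune to your own network.

```python
import re
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the expected-outbound table is an assumption.
LAN = ip_network("192.168.13.0/24")
ROUTER_WAN = ip_address("84.51.144.229")
EXPECTED_OUTBOUND = {("UDP", 123), ("UDP", 53), ("TCP", 80), ("TCP", 443)}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
POLICY_RE = re.compile(r"Firewall default policy: (\w+) \((\w) to (\w)")

# Sample lines copied from the thread, one per traffic type seen there.
SAMPLE_LOG = """\
Aug 10 12:30:31 zyxel RAS: src="192.168.13.3:137" dst="192.168.13.255:137" msg="Firewall default policy: UDP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:31:16 zyxel RAS: src="192.168.13.44" dst="224.0.0.251" msg="Firewall default policy: IGMP (L to L/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Aug 10 12:34:54 zyxel RAS: src="192.168.13.1:32978" dst="200.23.51.205:123" msg="Firewall default policy: UDP (L to W)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
"""

def split_endpoint(text):
    """'1.2.3.4:137' -> ('1.2.3.4', 137); '224.0.0.251' -> ('224.0.0.251', None)."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep else (text, None)

def parse_line(line):
    """Turn one RAS log line into a dict, or None if it is not a policy line."""
    fields = dict(FIELD_RE.findall(line))
    m = POLICY_RE.search(fields.get("msg", ""))
    if not m or "src" not in fields or "dst" not in fields:
        return None
    proto, side_from, side_to = m.groups()
    src, sport = split_endpoint(fields["src"])
    dst, dport = split_endpoint(fields["dst"])
    return {"proto": proto, "from": side_from, "to": side_to,
            "src": ip_address(src), "sport": sport, "dst": ip_address(dst), "dport": dport}

def classify(rec):
    """Label a parsed record as benign, suspicious, or unknown."""
    if rec["src"] in LAN and rec["dst"].is_multicast:
        return "benign: multicast announcement from LAN host"
    if rec["src"] in LAN and rec["dst"] in LAN:
        return "benign: LAN-to-LAN traffic"
    if rec["src"] in LAN and (rec["proto"], rec["dport"]) in EXPECTED_OUTBOUND:
        return "benign: expected outbound %s/%s" % (rec["proto"], rec["dport"])
    if rec["from"] == "W" and rec["dst"] == ROUTER_WAN:
        return "suspicious: unsolicited WAN host hitting router port %s/%s" % (rec["proto"], rec["dport"])
    return "unknown: review manually"

def suspicious_only(log_text):
    """Return (line, label) for every parsed line that is not classified benign."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not classify(rec).startswith("benign"):
            out.append((line, classify(rec)))
    return out
```

Run it over a syslog capture from the router and only the port-1433 style lines survive; anything that lands in "unknown" is a candidate for a new rule rather than something to silence.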