Topic: Syslog messages - what do they mean?  (Read 2060 times)
« on: September 08, 2010, 23:28:27 »
basher590 *
Posts: 7

Hey,
I have searched long and hard for this but I cannot seem to find any info relating to the syslog messages and exactly what each piece of information means.
I am getting a lot of blocked packets from one particular IP to a service that is allowed and that it does usually connect to.

Can anyone tell me what each part of the destination in the syslog message means, please? i.e. the info after ->
Obviously we have the destination IP, followed by the port number. What does PR mean? Then tcp is obvious, then the rest of it makes no sense to me whatsoever.

thanks

Chris


Date/Time,Priority,Hostname,Message
Sep 08 05:14:17 AM,Local0.Warning,192.168.124.1,ep  8 17:14:17 ipmon[127]: 17:14:17.684494 vr1 @0:29 b 209.171.43.20,38869 -> 172.16.11.20,22 PR tcp len 20 1420 -A IN OOW NAT
« Reply #1 on: September 09, 2010, 15:36:49 »
basher590 *
Posts: 7

OK, so I am starting to get somewhere. This website has been very useful.

http://docs.sun.com/app/docs/doc/816-5166/ipmon-1m?l=en&a=view

It basically explains all of it, apart from the final few entries, which I'd like to know as well. You can search for ipmon logging or ipfilter logging. I believe m0n0wall is using version 3.x.

Just quickly then, all fields are separated by a space.
So the first field is the interface.  vr1
2nd field is the rule number and group number @200:8
3rd is p or b for pass or block. (There are others as well) p
4th is 3 parts source,port -> destination,port
5th is PR (Protocol) then TCP/UDP/ICMP etc
6th is the packet header length and complete length 20 for the header and 48 for the full length.
7th is the FLAG. -S SYN in this case.

vr1 @200:8 p 209.171.43.20,43759 -> 172.16.11.20,22 PR tcp len 20 48 -S K-S IN NAT

Then the rest I still cannot find. In this message I have K-S IN NAT; in other messages which get blocked I have IN OOW, which I'd like to know as well.
Hopefully someone who knows can help.

Cheers

Chris
« Reply #2 on: September 10, 2010, 05:53:00 »
kuoh *
Posts: 1

  A quick search indicates OOW is "out-of-window" and K-S is "keep state".  Are there other relevant entries preceding or following the OOW that you haven't posted?  If there aren't other entries, then perhaps creating a firewall rule that specifically passes and logs all packets from that IP might help in the diagnosis?

  Are you using 1.32?  My searches turned up some mention of an OOW bug in some older versions, but I thought it was fixed in 1.32?  Does this thread describe anything similar to your problem? http://www.mail-archive.com/ipfilter@coombs.anu.edu.au/msg07225.html

KuoH
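Putting the field breakdown from Reply #1 together with the K-S (keep state) and OOW (out-of-window) meanings from this reply, here is a small parser for ipmon lines that also answers the practical question in the thread: which destinations a given source is being blocked to with OOW. This is an added example, not code from this thread or from m0n0wall/IPFilter. The sample lines are constructed from the two lines posted above plus one made-up UDP line; the action, TCP-flag and tag glossaries are my reading of ipmon(8) and of this reply; and parse_ipmon(), describe() and oow_blocks() are names chosen for this example.

```python
"""Parse IPFilter ipmon(8) log lines (native, or wrapped in m0n0wall's syslog CSV export).

Added example, not code from this thread or from m0n0wall/IPFilter.  The field layout
follows the breakdown in Reply #1 and ipmon(8); the K-S / OOW meanings are the ones
given in Reply #2.  SAMPLE_LINES are constructed from the thread's two posted lines
plus one made-up UDP line.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Layout: iface @group:rule action src,sport -> dst,dport PR proto len hlen plen [-flags] tag...
# re.search() is used so that any syslog / "ipmon[pid]: hh:mm:ss" prefix before the record is skipped.
IPMON_RE = re.compile(
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"        # group number first, then the rule's position in that group
    r"(?P<action>[A-Za-z]+)\s+"
    r"(?P<src>[^\s,]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^\s,]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"     # header length, then total packet length
    r"(?P<rest>(?:\s+\S+)*)\s*$"               # optional "-<TCP flags>" token, then trailing tags
)

# Glossaries (assumption: my reading of ipmon(8) plus the meanings given in Reply #2).
ACTIONS = {"p": "pass", "b": "block", "n": "no match (log only)", "L": "log rule", "S": "short packet"}
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}
TAGS = {
    "IN": "inbound",
    "OUT": "outbound",
    "NAT": "address/port translated",
    "K-S": "keep state (state table entry created)",
    "K-F": "keep frags",
    "OOW": "out-of-window (TCP seq/ack outside the state table entry's window)",
}


@dataclass(frozen=True)
class IpmonRecord:
    iface: str
    group: int
    rule: int
    action: str          # raw one-letter action, e.g. "p" or "b"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    header_len: int
    packet_len: int
    tcp_flags: str       # flag letters without the leading "-", e.g. "S" or "A"; "" for non-TCP
    tags: Tuple[str, ...]  # trailing tokens such as K-S, IN, OOW, NAT (unknown tokens kept as-is)


def parse_ipmon(line: str) -> Optional[IpmonRecord]:
    """Return the parsed record, or None if the line carries no ipmon record."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    flags = ""
    if tokens and tokens[0].startswith("-"):      # TCP lines carry "-<flags>" right after the lengths
        flags = tokens.pop(0)[1:]
    return IpmonRecord(
        iface=m.group("iface"), group=int(m.group("group")), rule=int(m.group("rule")),
        action=m.group("action"), src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")), proto=m.group("proto"),
        header_len=int(m.group("hlen")), packet_len=int(m.group("plen")),
        tcp_flags=flags, tags=tuple(tokens),
    )


def describe(rec: IpmonRecord) -> Dict[str, str]:
    """Expand a record into the human-readable field meanings discussed in the thread."""
    return {
        "interface": rec.iface,
        "rule": f"group {rec.group}, rule {rec.rule}",
        "action": ACTIONS.get(rec.action, f"unknown action {rec.action!r}"),
        "flow": f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} ({rec.proto})",
        "lengths": f"header {rec.header_len} bytes, packet {rec.packet_len} bytes",
        "tcp_flags": ", ".join(TCP_FLAGS.get(c, c) for c in rec.tcp_flags) or "n/a",
        "tags": "; ".join(f"{t} = {TAGS.get(t, 'unknown tag')}" for t in rec.tags),
    }


def oow_blocks(lines: Iterable[str], src: str) -> Dict[Tuple[str, int], int]:
    """Count blocked out-of-window packets from `src`, keyed by (destination, port)."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec.action == "b" and rec.src == src and "OOW" in rec.tags:
            hits[(rec.dst, rec.dport)] += 1
    return dict(hits)


# Constructed sample input: the two lines posted in the thread (first one as m0n0wall's
# syslog CSV export wraps it) plus a made-up UDP line to exercise the no-flags path.
SAMPLE_LINES = [
    "Sep 08 05:14:17 AM,Local0.Warning,192.168.124.1,Sep  8 17:14:17 ipmon[127]: 17:14:17.684494 "
    "vr1 @0:29 b 209.171.43.20,38869 -> 172.16.11.20,22 PR tcp len 20 1420 -A IN OOW NAT",
    "vr1 @200:8 p 209.171.43.20,43759 -> 172.16.11.20,22 PR tcp len 20 48 -S K-S IN NAT",
    "vr1 @0:3 b 10.0.0.5,5353 -> 224.0.0.251,5353 PR udp len 20 60 IN",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ipmon(line)
        print(describe(rec) if rec else f"unparsed: {line}")
    print("blocked OOW from 209.171.43.20:", oow_blocks(SAMPLE_LINES, "209.171.43.20"))
```

Run as a script it prints the expanded meaning of each sample line and then the per-destination count of blocked OOW packets from 209.171.43.20, which is the summary worth having before adding the pass-and-log rule suggested above. Anything the glossaries do not know is reported as "unknown tag" rather than dropped, so unfamiliar trailing tokens (ICMP type/code for example) remain visible.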
« Reply #3 on: September 10, 2010, 18:03:55 »
basher590 *
Posts: 7

Hey,

Thanks for your reply. Yeah, that does seem pretty similar. When using SFTP a few clients are getting kicked off, but only a few; most other people are fine all the time.
I did manage to find out about the OOW but not the K-S. Thanks for that.

There aren't any other logs of significance from that IP before or after the dropped connections. I have everything being logged on my firewall. I could create a new log rule, though, specifically for this IP.

I am running 1.3 on a generic PC. I didn't realise a new version was available. I was of the understanding no more development was to be done on m0n0wall. I will get the new version loaded over the weekend and report back.

Thanks for your help.

Chris