What does this UFW log mean? I have already asked a similar question, but I want to know explicitly what each line of the UFW log means

Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115]
[UFW BLOCK] IN=eth0 OUT=
MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
SRC=77.72.85.26 DST=157.230.26.180
LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
SPT=42772 DPT=3194 WINDOW=1024
RES=0x00 SYN URGP=0

For my (and hopefully others') benefit, I would very much like each individual part to be described briefly.


Solution 1:

UFW is just a front end for iptables, and so those log entries are actually from iptables.

Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]

date and time, your computer name, and kernel time since boot.

Line 2: [UFW BLOCK] IN=eth0 OUT=

Whenever iptables does a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not being re-transmitted, which might be the case if this was a router application.

Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00

These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".

Line 4: SRC=77.72.85.26 DST=157.230.26.180

Those are the IP addresses for where the packet came from, SRC, and where it is supposed to be going, DST, which should be your IP address.

Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP

Length of the payload portion of the raw packet; Type of service; Precedence; Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).

Line 6: SPT=42772 DPT=3194 WINDOW=1024

Source port; Destination port; TCP window size

Line 7: RES=0x00 SYN URGP=0

TCP flags, the important one here is "SYN" meaning it is attempting to make a NEW connection. This log entry means the attempt has been blocked.
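The field breakdown above can be turned into a small parser for triaging these entries in bulk. This is an added example, not code from UFW or from the answer; the sample line is the question's own entry rejoined onto one line, and the ethertype table covers only a few common values.

```python
import re

# Constructed sample: the log entry from the question, rejoined onto one line.
SAMPLE = ("Feb  6 16:27:08 jonasgroenbek kernel: [71910.873115] [UFW BLOCK] IN=eth0 OUT= "
          "MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=77.72.85.26 DST=157.230.26.180 "
          "LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP SPT=42772 DPT=3194 "
          "WINDOW=1024 RES=0x00 SYN URGP=0")

# Bare TCP flag tokens that iptables emits without an '=' sign.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Assumed mapping for the trailing two bytes of the MAC= field (frame type).
ETHERTYPES = {"08:00": "IPv4", "86:dd": "IPv6", "08:06": "ARP"}

# syslog timestamp, hostname, "kernel:", [uptime], [log-prefix], then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*(?P<uptime>[\d.]+)\] \[(?P<prefix>[^\]]+)\] (?P<rest>.*)$")


def parse_ufw_line(line):
    """Return a dict of the entry's fields, or None if the line is not a UFW/iptables log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"],
           "uptime": float(m["uptime"]), "prefix": m["prefix"]}
    flags = set()
    for tok in m["rest"].split():
        if "=" in tok:                      # e.g. IN=eth0, or OUT= with an empty value
            key, val = tok.split("=", 1)
            rec[key.lower()] = val
        elif tok in TCP_FLAGS:              # bare flag tokens such as SYN
            flags.add(tok)
    rec["flags"] = flags
    parts = rec.get("mac", "").split(":")
    if len(parts) == 14:                    # 6-byte dst MAC, 6-byte src MAC, 2-byte frame type
        rec["dst_mac"] = ":".join(parts[:6])
        rec["src_mac"] = ":".join(parts[6:12])
        ethertype = ":".join(parts[12:])
        rec["ethertype"] = ETHERTYPES.get(ethertype, ethertype)
    return rec


def describe(rec):
    """One-line triage summary; SYN without ACK is a new inbound connection attempt."""
    new_conn = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    return (f"{rec['prefix']}: {rec.get('proto')} {rec.get('src')}:{rec.get('spt')} -> "
            f"{rec.get('dst')}:{rec.get('dpt')} on {rec.get('in')} "
            f"({'new connection attempt' if new_conn else 'other'})")


if __name__ == "__main__":
    print(describe(parse_ufw_line(SAMPLE)))
```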