Decoding Syslog: Understanding Uncomplicated Firewall (UFW) Logs and Network Security

I usually use UFW in my temporary servers. That means I do use Ubuntu mostly for this purpose. Among with other precautions, I depend on UFW to have a general firewall which works and simple. Here I am going to share an interesting log and decode it to understand some of the behaviours that UFW does when blocking a request.

How to install UFW and configure it initially in Ubuntu?

Install it

# apt update && apt install ufw

After installing before enabling ufw, need to set some default rules. I always want to

Deny all incoming connections

# sudo ufw default deny incoming

Allow outgoing connections by running:

# sudo ufw default allow outgoing

Before enabling UFW, need to ensure that incoming connection in SSH port is allowed. Otherwise, I will be kicked out from server.

# ufw allow ssh

We can now enable UFW.

# ufw enable

What is the relationship of UFW and iptables?

UFW (Uncomplicated Firewall) is a front-end for iptables, which is a powerful firewall administration tool for Linux operating systems. Essentially, UFW provides a simplified interface for managing iptables rules, making it easier for users to configure and maintain firewall settings without directly manipulating iptables commands.

If I check iptables rules now but with log

# iptables -S | grep 'log-'
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "

These are the log rules that UFW automatically added.

Understand A Typical UFW Block Log in Syslog

The log:

Apr 16 17:01:55 FahadsServer kernel: [5364137.987485] [UFW BLOCK] IN=eth0 OUT= MAC=66:db:f0:fb:3f:6e:fe:00:00:00:01:01:08:00 SRC=<SOURCE_IP> DST=<SERVER_IP> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=49469 DF PROTO=TCP SPT=56972 DPT=53252 WINDOW=65535 RES=0x00 SYN URGP=0

Let's break it down:

  • Apr 16 17:01:55: Timestamp indicating when the event occurred. In this case, it happened on April 16th at 17:01 and 55 seconds.
  • FahadsServer: Hostname or system name. It could be the name of the server or device generating the syslog entry.
  • kernel: Indicates that this log entry originates from the kernel.
  • [5364137.987485]: This is a timestamp in the format of seconds since system boot. It provides precise timing information.
  • [UFW BLOCK]: Indicates that the firewall (in this case, UFW) has blocked a connection attempt.
  • IN=eth0 OUT=: Describes the network interface involved in the connection. "IN" refers to incoming traffic, and "OUT" would typically indicate outgoing traffic. "eth0" is the name of the network interface.
  • MAC=66:db:f0:fb:3f:6e:fe:00:00:00:01:01:08:00: MAC address of the source and destination interfaces. MAC addresses uniquely identify network interfaces.
  • SRC=<SOURCE_IP> DST=<SERVER_IP>: Source and destination IP addresses.
  • LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=49469 DF: IP packet information. LEN indicates the length of the packet in bytes. TOS and PREC specify Type of Service and Precedence. TTL is the Time To Live, indicating how many hops the packet can go through before being discarded. ID is the IP identification field, and DF stands for "Don't Fragment," indicating that the packet should not be fragmented.
  • PROTO=TCP SPT=56972 DPT=53252: Indicates the protocol used (TCP), source port (56972), and destination port (53252) of the connection attempt.
  • WINDOW=65535 RES=0x00 SYN URGP=0: TCP-specific information. WINDOW is the TCP window size, RES is reserved bits, SYN indicates that this packet is part of the TCP handshake, and URGP stands for "Urgent Pointer."

This log entry provides detailed information about a blocked TCP connection attempt from IP address <SOURCE_IP> to IP address <SERVER_IP> on ports 53252.