I am watching a Roku box phone home. Initially, I blocked the destination IP address with a firewall rule, then I thought to audit it with an “allow” rule that has event logging enabled. My question is about the log messages generated by a firewall rule.
Is the format documented somewhere?
If not, here is a sample message from the “allow” rule:
Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=18.104.22.168 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF
PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2
The fields that are not self-explanatory to me are:
TOS, PREC, ID, DF, WINDOW, RES, SYN, URGP and MARK
The fields that I find self-explanatory are:
SRC is source IP, DST is destination IP (not really all 9s), LEN is length, SPT is source port, DPT is destination port, TTL is time to live
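Added example, not code from the question: a small Python parser for a key=value firewall log line of the shape shown above (assumed to follow the netfilter LOG-target layout, where DF and the TCP flag names appear as bare tokens without "="), plus the check an auditor watching a device phone home would want, namely whether the record is a fresh outbound TCP connection attempt. The sample line and addresses are constructed to mirror the post.

```python
import ipaddress
import re
from typing import Dict, List, Union

# Constructed sample, modelled on the line in the question, reassembled on one line.
SAMPLE = ("Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=18.104.22.168 "
          "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF "
          "PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2")

# Tokens printed without "=": the IP fragment bits and the TCP flag bits.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Fields the LOG target prints in hex (type of service, precedence, reserved bits, fwmark).
HEX_FIELDS = {"TOS", "PREC", "RES", "MARK"}
# Fields printed as plain decimal integers.
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}

Record = Dict[str, Union[str, int, bool, List[str]]]


def parse_fw_log(line: str) -> Record:
    """Parse one 'timestamp verdict KEY=VAL ... FLAG ...' line into a dict.

    Bare flag tokens become True (absent flags are filled in as False); hex and
    integer fields are converted; anything unrecognised is kept under 'unknown'.
    """
    m = re.match(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$", line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    rec: Record = {"timestamp": m.group(1), "action": m.group(2)}
    for token in m.group(3).split():
        if "=" in token:
            key, val = token.split("=", 1)
            if key in HEX_FIELDS:
                rec[key] = int(val, 16)
            elif key in INT_FIELDS:
                rec[key] = int(val)
            else:
                rec[key] = val
        elif token in FLAG_TOKENS:
            rec[token] = True
        else:
            rec.setdefault("unknown", []).append(token)  # type: ignore[union-attr]
    for flag in FLAG_TOKENS:
        rec.setdefault(flag, False)
    return rec


def is_new_outbound_connection(rec: Record) -> bool:
    """True for a TCP connection attempt (SYN set, ACK clear) from a private
    address to a public one, i.e. a LAN device initiating contact outward."""
    if rec.get("PROTO") != "TCP" or not rec["SYN"] or rec["ACK"]:
        return False
    src = ipaddress.ip_address(str(rec["SRC"]))
    dst = ipaddress.ip_address(str(rec["DST"]))
    return src.is_private and not dst.is_private
```

Feeding each logged line through `parse_fw_log` and filtering with `is_new_outbound_connection` leaves only the connection initiations, which is the list you actually want when deciding whether a destination deserves a block rule.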