Hello,
I am watching a Roku box phone home. Initially, I blocked the destination IP address with a firewall rule, then I thought to audit it with an “allow” rule that has event logging enabled. My question is about the log messages generated by a firewall rule.
Is the format documented somewhere?
If not, here is a sample message from the “allow” rule:
Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=99.99.99.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF
PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2
The fields that are not self-explanatory for me are:
TOS, PREC, ID, DF, WINDOW, RES, SYN, URGP and MARK
The fields that I find self-explanatory are:
SRC is source IP, DST is destination IP (not really all 9s), LEN is length, SPT is source port, DPT is destination port, TTL is time to live
Thank you.
Michael
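The field names in the sample (LEN, TOS, PREC, TTL, ID, DF, PROTO, SPT, DPT, WINDOW, RES, SYN, URGP, MARK) are the ones printed by the Linux netfilter LOG target, i.e. what an iptables/nftables log rule writes to syslog. The following parser is an added example and not code from the post or from the router vendor: it splits such a line into timestamp, action, KEY=value fields and bare flags, annotates the fields asked about, and counts new connection attempts per destination, which is the useful number when auditing a device that phones home. The CONN= prefix is assumed to be the router's own log label (it is not part of the kernel format); the second and third sample lines are constructed to show an ACK packet and a UDP datagram (UDP lines carry a second LEN=, the UDP length).

```python
"""Parse netfilter-style firewall log lines like the one in the post."""
import re
from collections import Counter
from typing import Dict, List, Union

# Constructed sample lines (not captured traffic). Line 1 is the post's own
# message joined onto one line; lines 2-3 are made up for an ACK packet and a
# UDP packet, where the LOG target prints a second LEN= (the UDP length).
SAMPLE_LOG = """\
Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=99.99.99.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2
Apr 15 13:50:36 Allowed CONN=lan SRC=192.168.6.28 DST=99.99.99.99 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=55302 DF PROTO=TCP SPT=54947 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x2
Apr 15 13:51:02 Dropped CONN=lan SRC=192.168.6.28 DST=99.99.99.99 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=UDP SPT=41023 DPT=53 LEN=58 MARK=0x2
"""

# Meaning of the fields the post asks about (netfilter LOG target output).
GLOSSARY = {
    "TOS": "IP Type-of-Service bits of the ToS byte",
    "PREC": "IP precedence (high 3 bits of the ToS byte)",
    "ID": "IP header Identification field (used to reassemble fragments)",
    "DF": "IP Don't-Fragment flag is set",
    "WINDOW": "TCP receive window advertised by the sender",
    "RES": "TCP reserved header bits (normally 0x00)",
    "SYN": "TCP SYN flag set (SYN without ACK = new connection attempt)",
    "ACK": "TCP ACK flag set",
    "URGP": "TCP urgent pointer (normally 0)",
    "MARK": "netfilter packet mark (fwmark) attached by the firewall/router",
}

HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<action>\S+)\s+(?P<rest>.*)$"
)

Value = Union[int, str]


def _convert(raw: str) -> Value:
    """Turn decimal and 0x-hex values into ints; leave IPs and names as strings."""
    if re.fullmatch(r"\d+", raw):
        return int(raw)
    if re.fullmatch(r"0x[0-9A-Fa-f]+", raw):
        return int(raw, 16)
    return raw


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into timestamp, action, KEY=value fields and bare flags.

    A repeated key (the second LEN= on UDP lines) is stored as KEY_L4 so the
    IP-level value is not overwritten.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    fields: Dict[str, Value] = {}
    flags: List[str] = []
    for token in m.group("rest").split():
        if "=" in token:
            key, raw = token.split("=", 1)
            if key in fields:
                key += "_L4"
            fields[key] = _convert(raw)
        else:
            flags.append(token)  # DF, SYN, ACK, ... carry no value
    return {
        "timestamp": f"{m.group('month')} {m.group('day')} {m.group('time')}",
        "action": m.group("action"),
        "fields": fields,
        "flags": flags,
    }


def explain(entry: Dict[str, object]) -> List[str]:
    """Human-readable description of the fields and flags listed in GLOSSARY."""
    out = [f"{k}={v}: {GLOSSARY[k]}" for k, v in entry["fields"].items() if k in GLOSSARY]
    out += [f"{f}: {GLOSSARY[f]}" for f in entry["flags"] if f in GLOSSARY]
    return out


def new_connections(log_text: str) -> Counter:
    """Count new outbound connection attempts per (SRC, DST, PROTO, DPT).

    For TCP only SYN-without-ACK packets count, so each phone-home connection
    is counted once; UDP has no handshake, so every datagram counts.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        f, flags = e["fields"], e["flags"]
        is_new = (f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags) \
            or f.get("PROTO") == "UDP"
        if is_new:
            counts[(f["SRC"], f["DST"], f["PROTO"], f["DPT"])] += 1
    return counts


if __name__ == "__main__":
    for raw_line in SAMPLE_LOG.splitlines():
        entry = parse_line(raw_line)
        print(entry["timestamp"], entry["action"], entry["fields"]["PROTO"], entry["flags"])
        for text in explain(entry):
            print("   ", text)
    print(new_connections(SAMPLE_LOG))
```

Feeding the router's actual log file instead of SAMPLE_LOG gives a per-destination count of connection attempts, which is a better measure of how often the device phones home than the raw number of log lines (every packet of an allowed connection is logged, not just the first).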