Understanding log messages for firewall rules


#1

Hello,
I am watching a Roku box phone home. Initially, I blocked the destination IP address with a firewall rule, then I thought to audit it with an “allow” rule that has event logging enabled. My question is about the log messages generated by a firewall rule.
Is the format documented somewhere?

If not, here is a sample message from the “allow” rule

Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=99.99.99.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2

The fields that are not self-explanatory for me are
TOS, PREC, ID, DF, WINDOW, RES, SYN, URGP and MARK

The fields that I find self-explanatory are
SRC is source IP, DST is destination IP (not really all 9s), LEN is length, SPT is source port, DPT is destination port, TTL is time to live.

Thank you.
Michael
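
Added example (editor's note, not part of the post above): the quoted line has the layout of the Linux netfilter LOG target, the format iptables/nftables "LOG" rules write to syslog, with one vendor-specific token (CONN=lan) in place of the usual IN=/OUT= interfaces. Assuming the router's firewall is such a netfilter derivative, the fields asked about decode as in FIELD_HELP below. The script parses a line into timestamp, prefix, KEY=VALUE fields and bare flags, explains the nine fields from the question, and runs the sanity checks a practitioner would apply (reserved bits, urgent pointer without URG, contradictory flags). SAMPLE_LINE is a constructed copy of the posted line; the second sample in the usage is invented to show the anomaly path.

```python
"""Decode netfilter (iptables/nftables LOG target) firewall log lines.

Added example, not code from the original post or the router vendor.
Field meanings follow the Linux netfilter LOG target output; the router's
own extra fields (e.g. CONN=lan) are kept verbatim and not interpreted.
"""

# Constructed sample modelled on the line quoted in the post (DST anonymised there).
SAMPLE_LINE = (
    "Apr 15 13:50:35 Allowed CONN=lan SRC=192.168.6.28 DST=99.99.99.99 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55301 DF "
    "PROTO=TCP SPT=54947 DPT=443 WINDOW=5808 RES=0x00 SYN URGP=0 MARK=0x2"
)

IP_FLAGS = {"CE", "DF", "MF"}                                  # bare IP-header flag tokens
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}  # bare TCP flag tokens

# What each of the fields asked about in the post means in netfilter LOG output.
FIELD_HELP = {
    "TOS": "low bits of the IP Type-of-Service byte (0x00 = default service)",
    "PREC": "IP precedence, the high 3 bits of the same Type-of-Service byte",
    "ID": "IP identification field, used to match fragments of one datagram",
    "DF": "IP Don't Fragment flag is set (normal for TCP with path-MTU discovery)",
    "WINDOW": "TCP receive window the sender advertises, in bytes",
    "RES": "TCP reserved bits; anything other than 0x00 is unusual",
    "SYN": "TCP SYN flag set: the sender is opening a connection",
    "URGP": "TCP urgent pointer (only meaningful when the URG flag is also set)",
    "MARK": "netfilter packet mark (fwmark) set by the device's own rules, local meaning",
}


def _to_int(value):
    """Convert decimal or 0x-hex values to int; leave addresses and names as strings."""
    try:
        return int(value, 0)  # base 0 accepts both "55301" and "0x2"
    except ValueError:
        return value


def parse_log_line(line):
    """Split one LOG line into timestamp, log prefix, KEY=VALUE fields and bare flags."""
    tokens = line.split()
    record = {"timestamp": " ".join(tokens[:3]), "prefix": [], "flags": [], "fields": {}}
    for tok in tokens[3:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            record["fields"][key] = _to_int(value)
        elif tok in IP_FLAGS or tok in TCP_FLAGS:
            record["flags"].append(tok)
        elif not record["fields"]:
            record["prefix"].append(tok)   # words before the first field: the rule's log prefix
        else:
            record["flags"].append(tok)    # unknown bare token after the fields: treat as a flag
    record["prefix"] = " ".join(record["prefix"])
    return record


def explain(record):
    """Return {token: explanation} for every logged token that FIELD_HELP covers."""
    present = list(record["fields"]) + record["flags"]
    return {tok: FIELD_HELP[tok] for tok in present if tok in FIELD_HELP}


def classify(record):
    """Describe the logged packet from its TCP flag combination."""
    fields, flags = record["fields"], set(record["flags"])
    if fields.get("PROTO") != "TCP":
        return "%s packet" % fields.get("PROTO", "unknown")
    if flags & TCP_FLAGS == {"SYN"}:
        return "new connection attempt (SYN only) to port %d" % fields["DPT"]
    if {"SYN", "ACK"} <= flags:
        return "connection accepted by remote side (SYN+ACK)"
    if "RST" in flags:
        return "connection reset"
    return "packet inside an established connection"


def anomalies(record):
    """Sanity checks on one line; an empty list means nothing odd was seen."""
    fields, flags = record["fields"], set(record["flags"])
    found = []
    if fields.get("RES", 0) != 0:
        found.append("TCP reserved bits set (RES=0x%02x)" % fields["RES"])
    if fields.get("URGP", 0) != 0 and "URG" not in flags:
        found.append("urgent pointer set without URG flag")
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        found.append("contradictory TCP flags: %s" % " ".join(sorted(flags & TCP_FLAGS)))
    return found


if __name__ == "__main__":
    rec = parse_log_line(SAMPLE_LINE)
    print(rec["timestamp"], rec["prefix"], "->", classify(rec))
    for tok, text in explain(rec).items():
        print("  %-7s %s" % (tok, text))
    for problem in anomalies(rec):
        print("  anomaly:", problem)
```

On the posted line this reports a SYN-only packet to port 443, i.e. the logged event is the Roku opening a new TLS connection, with all checks clean; RES=0x00 and URGP=0 are the expected values for ordinary traffic, and MARK=0x2 is a mark the router's own rules put on the packet, so its meaning is specific to that firmware.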


#2

Hi Michael,

Thanks for bringing this up. I do agree certain info shouldn’t show up in the firewall log, to avoid misinterpretation. We will revise the content of firewall logging to make it in a simple and readable format.