Hi there,

Today I have received a question from one of my customers: (Server IP address: 60.234.64.14)

"I've noticed some weird entries in the shorewall log:

Oct 26 18:38:37 web01 Shorewall:inet2fw:ACCEPT: IN=eth0 OUT= MAC=00:11:43:d5:68:11:00:09:7c:36:45:00:08:00 SRC=202.14.216.128 DST=60.234.64.141 LEN=48 TOS=00 PREC=0x00 TTL=55 ID=29976 DF PROTO=TCP SPT=42043 DPT=80 SEQ=1954454495 ACK=0 WINDOW=49640 SYN URGP=0
Jan 1 12:00:00 web01 Shorewall:fw2inet:DROP: IN= OUT=eth0 MAC= SRC=60.234.64.141 DST=210.55.12.1 LEN=73 TOS=00 PREC=0x00 TTL=64 ID=51396 CE DF PROTO=UDP SPT=33254 DPT=53 LEN=53
Jan 1 12:00:00 web01 Shorewall:fw2inet:DROP: IN= OUT=eth0 MAC= SRC=60.234.64.141 DST=210.55.12.2 LEN=73 TOS=00 PREC=0x00 TTL=64 ID=51396 CE DF PROTO=UDP SPT=33254 DPT=53 LEN=53
Jan 1 12:00:00 web01 Shorewall:fw2inet:DROP: IN= OUT=eth0 MAC= SRC=60.234.64.141 DST=210.55.12.1 LEN=73 TOS=00 PREC=0x00 TTL=64 ID=51396 CE DF PROTO=UDP SPT=33254 DPT=53 LEN=53
Jan 1 12:00:00 web01 Shorewall:fw2inet:DROP: IN= OUT=eth0 MAC= SRC=60.234.64.141 DST=210.55.12.2 LEN=73 TOS=00 PREC=0x00 TTL=64 ID=51396 CE DF PROTO=UDP SPT=33254 DPT=53 LEN=53
Oct 26 18:38:37 web01 Shorewall:inet2fw:ACCEPT: IN=eth0 OUT= MAC=00:11:43:d5:68:11:00:09:7c:36:45:00:08:00 SRC=202.14.216.128 DST=60.234.64.141 LEN=48 TOS=00 PREC=0x00 TTL=55 ID=29982 DF PROTO=TCP SPT=42046 DPT=80 SEQ=1955124319 ACK=0 WINDOW=49640 SYN URGP=0

There are entries dated "Jan 1" and denote traffic originating from the server itself.

Do you know why the date is wrong?"

I guess it could be related to a zero timestamp somewhere (unix epoch), but I am not sure.

Could someone of you guys please shed some light on this?

Many thanks in advance,
Holger

-------------------------------------------------------
SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - and be entered to win a 42" plasma tv or your very own Sony(tm) PSP. Click here to play: http://sourceforge.net/geronimo.php
On Thursday 03 November 2005 21:17, Holger (Woosh) wrote:

> There are entries dated "Jan 1" and denote traffic originating from the
> server itself
>
> Do you know why the date is wrong?"
>
> I guess, it could be related to a zero timestamp somewhere (unix epoch),
> but I am not sure.

I'm guessing the same but that's all I can add. Are you logging through syslogd or ulogd?

Sorry,
-Tom
-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

I am using ulogd.

Where do the timestamps come from, anyway? (packets, shorewall, logger?)

Many thanks,
Holger

> On Thursday 03 November 2005 21:17, Holger (Woosh) wrote:
>
>> There are entries dated "Jan 1" and denote traffic originating from the
>> server itself
>>
>> Do you know why the date is wrong?"
>>
>> I guess, it could be related to a zero timestamp somewhere (unix epoch),
>> but I am not sure.
>
> I'm guessing the same but that's all I can add. Are you logging through
> syslogd or ulogd?
>
> Sorry,
> -Tom
On Friday 04 November 2005 13:14, Holger (Woosh) wrote:

> Hi Tom,
>
> I am using ulogd.
>
> Where do the timestamps come from, anyway? (packets, shorewall, logger?)

Once 'shorewall start' is finished, there is no Shorewall code running in your system at all (you can learn this obscure fact by reading the Shorewall home page -- second paragraph in the section entitled "What is Shorewall?"). So you can eliminate Shorewall as a source of missing or corrupted timestamps in Netfilter-generated log messages that are formatted by ulogd.

A quick look at the code suggests that the message passed from the kernel to ulogd via a NETLINK socket contains a timestamp which ulogd translates into a time of day.

-Tom
On Friday 04 November 2005 13:42, Tom Eastep wrote:

> A quick look at the code suggests that the message passed from the kernel
> to ulogd via a NETLINK socket contains a timestamp which ulogd translates
> into a time of day.

Here's a post that bears on this problem -- Harald wrote the ULOG Netfilter code and ulogd -- note that he says that he can understand it happening on OUTPUT traffic but doesn't explain.

http://lists.gnumonks.org/pipermail/ulogd/2005-June/000770.html

-Tom
On Friday 04 November 2005 13:49, Tom Eastep wrote:

> On Friday 04 November 2005 13:42, Tom Eastep wrote:
>> A quick look at the code suggests that the message passed from the kernel
>> to ulogd via a NETLINK socket contains a timestamp which ulogd translates
>> into a time of day.
>
> Here's a post that bears on this problem -- Harald wrote the ULOG Netfilter
> code and ulogd -- note that he says that he can understand it happening on
> OUTPUT traffic but doesn't explain.
>
> http://lists.gnumonks.org/pipermail/ulogd/2005-June/000770.html

Ah -- I've found code in 2.6.14 ipt_ULOG.c that sets timestamp if it happens to be zero. That code is missing in 2.4.31.

What kernel version are you running?

-Tom
> Once 'shorewall start' is finished, there is no Shorewall code running in your
> system at all (you can learn this obscure fact by reading the Shorewall home
> page -- second paragraph in the section entitled "What is Shorewall?").

I am aware of this fact (honestly, I have read the docs... at least in parts), but simply asked before thinking about it. Please have mercy on me, a poor overworked IT soul....
> Here's a post that bears on this problem -- Harald wrote the ULOG Netfilter
> code and ulogd -- note that he says that he can understand it happening on
> OUTPUT traffic but doesn't explain.
>
> http://lists.gnumonks.org/pipermail/ulogd/2005-June/000770.html

Great, this gives us a hint where to look further.

Many thanks for your help, Tom!

Holger
> Ah -- I've found code in 2.6.14 ipt_ULOG.c that sets timestamp if it happens
> to be zero. That code is missing in 2.4.31.
>
> What kernel version are you running?

2.6.12.5 #4 SMP

Hmmm, I should do a diff between ipt_ULOG.c in 2.6.14 and 2.6.12.5 and see what I find...

Cheers, again!
Holger

(So many interesting things - and only 24 hours per day)
On Friday 04 November 2005 14:26, Holger (Woosh) wrote:

>> Ah -- I've found code in 2.6.14 ipt_ULOG.c that sets timestamp if it
>> happens to be zero. That code is missing in 2.4.31.
>>
>> What kernel version are you running?
>
> 2.6.12.5 #4 SMP
>
> Hmmm, I should do a diff between ipt_ULOG.c in 2.6.14 and 2.6.12.5
> and see what I find...

The code I'm referring to is in 2.6.11 so I assume it is in 2.6.12.5.

-Tom
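The diagnosis reached in this thread (ulogd converts a kernel-supplied timestamp into a time of day, and newer ipt_ULOG.c fills the timestamp in when it is zero) can be checked against the log lines themselves. The script below is an added example written for this page; it is not code from the thread, from Shorewall or from ulogd. It parses Shorewall/ulogd LOGEMU-style lines (keeping empty values such as OUT= and MAC= so OUTPUT-chain records are recognisable by an empty IN=), works out how a zero Unix timestamp renders in a given UTC offset (at UTC+12 that is exactly "Jan 1 12:00:00"; the offset is an assumption, the thread never states the host's timezone), flags such records, checks that every flagged record is locally generated, and can substitute a collector-side fallback time, which is the kernel-side fix Tom mentions applied in the log consumer instead. The sample lines are constructed from those quoted at the top of the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the lines quoted in the thread: one inbound
# SYN accepted by inet2fw and one outbound DNS query dropped by fw2inet whose
# timestamp is the rendered Unix epoch. Values are illustrative only.
SAMPLE_LOG = """\
Oct 26 18:38:37 web01 Shorewall:inet2fw:ACCEPT: IN=eth0 OUT= MAC=00:11:43:d5:68:11:00:09:7c:36:45:00:08:00 SRC=202.14.216.128 DST=60.234.64.141 LEN=48 TOS=00 PREC=0x00 TTL=55 ID=29976 DF PROTO=TCP SPT=42043 DPT=80 SEQ=1954454495 ACK=0 WINDOW=49640 SYN URGP=0
Jan 1 12:00:00 web01 Shorewall:fw2inet:DROP: IN= OUT=eth0 MAC= SRC=60.234.64.141 DST=210.55.12.1 LEN=73 TOS=00 PREC=0x00 TTL=64 ID=51396 CE DF PROTO=UDP SPT=33254 DPT=53 LEN=53
"""

# Syslog-style prefix as written by ulogd's LOGEMU output:
#   "Mon d HH:MM:SS host Shorewall:<chain>:<target>: <fields>"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+): "
    r"(?P<rest>.*)$"
)


def parse_fields(rest):
    """Turn 'IN=eth0 OUT= MAC= SRC=... DF SYN' into a dict.

    Empty values (OUT=, MAC=) are kept as '' so an OUTPUT-chain record
    (empty IN=) is distinguishable; bare flags (DF, CE, SYN) map to True.
    UDP records carry LEN twice (IP total length, then UDP length); the
    second occurrence is stored under LEN2.
    """
    fields = {}
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in fields:
                key += "2"
            fields[key] = val
        else:
            fields[tok] = True
    return fields


def parse_line(line):
    """Return a record dict for one log line, or None if it is not a Shorewall line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["stamp"] = " ".join(rec["stamp"].split())  # collapse 'Jan  1' to 'Jan 1'
    rec["fields"] = parse_fields(rec.pop("rest"))
    return rec


def epoch_zero_stamp(utc_offset_hours):
    """How a zero kernel timestamp renders once converted to local time.

    The offset is an assumption supplied by the caller; at UTC+12 this
    yields 'Jan 1 12:00:00', the string seen in the quoted log.
    """
    dt = datetime.fromtimestamp(0, timezone(timedelta(hours=utc_offset_hours)))
    return f"{dt:%b} {dt.day} {dt:%H:%M:%S}"


def triage(log_text, utc_offset_hours, fallback_stamp=None):
    """Parse every line and flag records whose timestamp is the epoch.

    For flagged records the caller may pass fallback_stamp (for example the
    time the collector received the line). That is the same idea as the
    kernel-side fix discussed in the thread (fill in the time when the
    packet timestamp is zero), done in the log consumer so that kernels
    without that code are covered as well.
    """
    bogus = epoch_zero_stamp(utc_offset_hours)
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["epoch_zero"] = rec["stamp"] == bogus
        rec["outbound"] = rec["fields"].get("IN") == ""
        if rec["epoch_zero"] and fallback_stamp is not None:
            rec["stamp"] = fallback_stamp
        records.append(rec)
    return records


def epoch_zero_only_outbound(records):
    """True when every epoch-zero record is locally generated (OUTPUT chain),
    the pattern Harald's post is quoted as finding understandable."""
    flagged = [r for r in records if r["epoch_zero"]]
    return bool(flagged) and all(r["outbound"] for r in flagged)


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG, utc_offset_hours=12)
    for r in recs:
        state = "epoch-zero" if r["epoch_zero"] else "ok"
        print(r["stamp"], r["chain"], r["target"], r["fields"]["PROTO"], state)
    print("all epoch-zero records are outbound:", epoch_zero_only_outbound(recs))
```

Run it against a real ulogd log by replacing SAMPLE_LOG with the file contents and passing the host's actual UTC offset; if flagged records show up only for the fw2inet (OUTPUT) direction, the log agrees with the explanation given above, and the fallback timestamp keeps those lines usable for correlation until the kernel is upgraded.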