Understanding UFW log
UFW is just a front end for iptables, and so those log entries are actually from iptables.
Line 1: Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115]
Date and time, your computer name, and kernel time since boot.

Line 2: [UFW BLOCK] IN=eth0 OUT=
Whenever iptables writes a log entry there is an optional --log-prefix, in this case [UFW BLOCK]. The seriously annoying thing about UFW is that it uses the same prefix for every type of log entry, making it difficult to correlate back to the iptables rule set. The IN is the network interface name that the packet arrived on. The OUT is blank because the packet is not being re-transmitted, which might be the case if this was a router application.

Line 3: MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00
These are the Machine Address Codes for the local area destination (a6:8d:e2:51:62:4c (eth0)) and source (f0:4b:3a:4f:80:30) network interface cards. In your case the source is probably the MAC of your ISP gateway NIC. 6 bytes each. The extra 2 bytes (08:00) at the end are the frame type, in this case it means "ethernet frame carried an IPv4 datagram".

Line 4: SRC=77.72.85.26 DST=157.230.26.180
Those are the IP addresses for where the packet came from, SRC, and where it is supposed to go, DST, which should be your IP address.

Line 5: LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP
Length of the payload portion of the raw packet; Type of service; Precedence; Time to live (how many hops left before the packet will die from too many hops); Identification; Protocol (in this case TCP).

Line 6: SPT=42772 DPT=3194 WINDOW=1024
Source port; Destination port; TCP window size.

Line 7: RES=0x00 SYN URGP=0
TCP flags. The important one here is "SYN", meaning it is attempting to make a NEW connection. This log entry means the attempt has been blocked.
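To turn the field-by-field reading above into something you can run over /var/log/ufw.log, here is an added example (not from the answer or from UFW itself) that splits a UFW line into its KEY=VALUE fields and bare TCP flags, breaks the MAC field into destination MAC, source MAC and EtherType the way the answer describes, and counts blocked SYN attempts per source and destination port. The sample lines are constructed: the first mirrors the question's line, the others use a TEST-NET source address.

```python
import re
from collections import Counter

# Constructed sample in the format the answer walks through. The first line mirrors the
# one from the question; the other two are made up (TEST-NET source) to exercise the summary.
SAMPLE_LOG = """\
Feb  6 16:27:08 host kernel: [71910.873115] [UFW BLOCK] IN=eth0 OUT= MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=77.72.85.26 DST=157.230.26.180 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP SPT=42772 DPT=3194 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  6 16:27:09 host kernel: [71911.101010] [UFW BLOCK] IN=eth0 OUT= MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=203.0.113.7 DST=157.230.26.180 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=55000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  6 16:27:10 host kernel: [71912.202020] [UFW BLOCK] IN=eth0 OUT= MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=203.0.113.7 DST=157.230.26.180 LEN=60 TOS=0x00 PREC=0x00 TTL=243 ID=1111 PROTO=UDP SPT=40000 DPT=161 LEN=40
"""

# Everything after the "[UFW <ACTION>]" prefix is a run of KEY=VALUE tokens (VALUE may be
# empty, as in OUT=) interleaved with bare TCP flag words such as SYN or ACK.
PREFIX_RE = re.compile(r"\[UFW (?P<action>[A-Z ]+?)\] (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_ufw_line(line):
    """Return a dict of the UFW log fields, or None if the line is not a UFW entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"ACTION": m.group("action"), "FLAGS": []}
    for token in m.group("rest").split():
        if token in TCP_FLAGS:
            entry["FLAGS"].append(token)
        elif "=" in token:
            key, value = token.split("=", 1)
            # UDP lines carry a second LEN= (the UDP length); keep the IP-level one seen first.
            entry.setdefault(key, value)
    # Split the 14-byte MAC field as the answer describes: dst MAC, src MAC, EtherType.
    mac = entry.get("MAC", "")
    if len(mac) == 41:
        entry["DST_MAC"], entry["SRC_MAC"], entry["ETHERTYPE"] = mac[:17], mac[18:35], mac[36:]
    return entry

def summarize_blocked_syn(log_text):
    """Count blocked inbound connection attempts (TCP SYN) per (SRC, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_ufw_line(line)
        if e and e["ACTION"] == "BLOCK" and e.get("PROTO") == "TCP" and "SYN" in e["FLAGS"]:
            counts[(e["SRC"], e["DPT"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dpt), n in summarize_blocked_syn(SAMPLE_LOG).most_common():
        print(f"{src} -> port {dpt}: {n} blocked SYN")
```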
Jonas Grønbek
Updated on September 18, 2022

Comments
- Jonas Grønbek, over 1 year ago:
  What does this UFW log mean? A similar question has already been asked, but I want to know explicitly what each line of the UFW log means.

  Feb 6 16:27:08 jonasgroenbek kernel: [71910.873115] [UFW BLOCK] IN=eth0 OUT= MAC=a6:8d:e2:51:62:4c:f0:4b:3a:4f:80:30:08:00 SRC=77.72.85.26 DST=157.230.26.180 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=62215 PROTO=TCP SPT=42772 DPT=3194 WINDOW=1024 RES=0x00 SYN URGP=0

  For my (and hopefully others') feasibility, I would very much like each individual part to be described briefly.
- xperator, over 2 years ago:
  Thanks a lot for this line-by-line explanation. I was having some trouble figuring out why netdata was sending me notifications that the server was dropping packets. Now I kinda understand where they're coming from, which seems to be a bot randomly checking for open ports and such. I'm glad the ufw firewall has blocked them, but I'm not exactly sure what further actions I need to take.

- theberzi, about 2 years ago:
  @xperator If you have no reason to allow the bot's behaviour, there's nothing more you need to do. UFW is already blocking the attempts, which is why you're getting those log entries, and it means you're safe.