What do UFW's audit log entries mean?


Solution 1

Set your logging to low to remove the AUDIT messages.

The purpose of AUDIT (from what I'm seeing) is related to the non-default/recommended logging; however, that's a guess, and I can't seem to find anything concrete on that.

Solution 2

That depends on the line. Usually, it is Field=value.

There are IN and OUT, the incoming or outgoing interface (or both, for packets that are just relayed).

A few of them are:

  • TOS, for Type of Service,
  • DST is the destination IP,
  • SRC is the source IP,
  • TTL is time to live, a small counter decremented each time a packet is passed through another router (so if there is a loop, the packet destroys itself once it reaches 0),
  • DF is the "don't fragment" bit, asking for the packet not to be fragmented when sent,
  • PROTO is the protocol (mostly TCP and UDP),
  • SPT is the source port,
  • DPT is the destination port,

etc.

You should take a look at the TCP/UDP/IP documentation, where everything is explained in a more detailed way than I could ever do.

Let's take the first one: that means that 176.58.105.134 sent a UDP packet on port 123 to 194.238.48.2. That's for NTP. So I guess someone tried to use your computer as an NTP server, likely by mistake.

For the other line, that's curious: that's traffic on the loopback interface (lo), i.e. it's not going anywhere; it goes to and comes from your computer.

I would check if something is listening on tcp port 30002 with lsof or netstat.
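As an added example (not part of the answer above), here is a small Python parser for the Field=value layout just described, run over two lines constructed after the ones quoted in the question; the KNOWN_PORTS labels and the wording of the readout are my assumptions, not anything UFW itself produces.

```python
import re

# Constructed sample lines, modelled on the [UFW AUDIT] entries quoted in the question.
SAMPLE_LINES = [
    "[UFW AUDIT] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 "
    "PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56",
    "[UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0",
]

PREFIX_RE = re.compile(r"\[UFW ([A-Z ]+?)\]")      # [UFW AUDIT], [UFW BLOCK], [UFW AUDIT INVALID]
KNOWN_PORTS = {"123": "NTP", "5353": "mDNS"}         # assumed labels, only for the readout

def parse_ufw_line(line):
    """Split one UFW kernel log line into its prefix, Field=value pairs and bare flags."""
    m = PREFIX_RE.search(line)
    if m is None:
        raise ValueError("not a UFW log line: %r" % line)
    rec = {"action": m.group(1), "flags": []}
    for tok in line[m.end():].split():
        if "=" not in tok:
            rec["flags"].append(tok)       # DF, SYN, ACK ... are bare tokens without a value
            continue
        key, value = tok.split("=", 1)
        if key in rec:                     # UDP lines carry LEN twice: IP total, then UDP length
            key += "_2"
        rec[key] = value
    return rec

def describe(rec):
    """Render a parsed record the way the answer above reads a line by hand."""
    outbound = bool(rec.get("OUT"))        # OUT set: packet leaving this host; IN set: arriving
    iface = rec.get("OUT") or rec.get("IN") or "?"
    proto = rec.get("PROTO", "?")
    text = "%s: %s %s %s:%s -> %s:%s via %s" % (
        rec["action"], "outbound" if outbound else "inbound", proto,
        rec.get("SRC"), rec.get("SPT"), rec.get("DST"), rec.get("DPT"), iface)
    notes = []
    if iface == "lo":
        notes.append("loopback, never leaves the host")
    if rec.get("DPT") in KNOWN_PORTS:
        notes.append("destination port is %s" % KNOWN_PORTS[rec["DPT"]])
    if proto == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        notes.append("new TCP connection attempt (SYN only)")
    return text + (" [" + "; ".join(notes) + "]" if notes else "")

if __name__ == "__main__":
    print("\n".join(describe(parse_ufw_line(ln)) for ln in SAMPLE_LINES))
```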

Solution 3

On top of what has been said, it is also possible to infer what is going to be logged by inspecting the iptables rules. Specifically, the matching rules that are being logged can be filtered like this: sudo iptables -L | grep -i "log":

ufw-before-logging-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
Chain ufw-after-logging-forward (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-after-logging-output (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
Chain ufw-before-logging-forward (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-logging-allow (0 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
Chain ufw-user-logging-forward (0 references)
Chain ufw-user-logging-input (0 references)
Chain ufw-user-logging-output (1 references)

Those are for the most part default rules. Inspecting the output above reveals that the ufw-before-* chains generate the [UFW AUDIT ..] logs.

I'm not a big expert on iptables, and the UFW manual is not very helpful on this, but as far as I can tell the rules matching this chain sit in /etc/ufw/before.rules.

For example, the lines below allow loopback connections, which might have triggered the last two example lines in your log (the ones starting with [UFW AUDIT] IN=lo):

# rules.before
# ....
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# ....

As for my part, I get a lot of logged LLMNR packets on port 5353:

Mar 17 21:02:21 pc kernel: [133419.183616] [UFW AUDIT] IN=wlp2s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.251 LEN=146 TOS=0x00 PREC=0x00 TTL=255 ID=22456 DF PROTO=UDP SPT=5353 DPT=5353 LEN=126 

I think these are caused by the following in rules.before:

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

One way to deactivate those is to run the following:

sudo ufw deny 5353
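An added example, not from the answer above: a Python function that turns the iptables -L output just shown into a map of chain to LOG rules, so you can see which chain emits a given prefix, under which conntrack state, and at what rate limit (the limit matters: at avg 3/min you only ever see a sample of matching packets). The excerpt is copied from the output above; the function names are mine.

```python
import re

# Excerpt constructed from the `sudo iptables -L | grep -i "log"` output shown above.
IPTABLES_OUTPUT = """\
ufw-before-logging-input  all  --  anywhere             anywhere
Chain ufw-before-logging-input (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-logging-deny (2 references)
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")

def parse_log_rules(text):
    """Map each chain to its LOG rules: log prefix, conntrack state match and rate limit."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                                   # a chain header starts a new group
            current = m.group(1)
            chains.setdefault(current, [])
        elif line.startswith("LOG ") and current is not None:
            prefix = re.search(r'prefix "(.*?)"', line)
            state = re.search(r"ctstate (\S+)", line)
            limit = re.search(r"limit: avg (\S+) burst (\d+)", line)
            chains[current].append({
                "prefix": prefix.group(1).strip() if prefix else "",
                "ctstate": state.group(1) if state else None,   # None: any state matches
                "limit": (limit.group(1), int(limit.group(2))) if limit else None,
            })
        # jump lines such as "ufw-before-logging-input  all -- ..." are not LOG rules: skipped
    return chains

def chains_for_prefix(chains, prefix):
    """Which chains can emit a given log prefix, e.g. '[UFW AUDIT]'."""
    return sorted(c for c, rules in chains.items()
                  if any(r["prefix"] == prefix for r in rules))

if __name__ == "__main__":
    for name, rules in parse_log_rules(IPTABLES_OUTPUT).items():
        for r in rules:
            print("%-28s %-22s ctstate=%-8s limit=%s" % (name, r["prefix"], r["ctstate"], r["limit"]))
```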

Author: Tom

Updated on September 18, 2022

Comments

  • Tom (over 1 year)

    I'm sometimes getting a lot of these AUDIT log entries in

    ...
    
    [UFW AUDIT] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
    [UFW ALLOW] IN= OUT=eth0 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=32137 DF PROTO=UDP SPT=36231 DPT=123 LEN=56
    [UFW AUDIT] IN= OUT=lo SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
    [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54579 DF PROTO=TCP SPT=59488 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
    [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.192.254 DST=192.168.192.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4319 DF PROTO=TCP SPT=59489 DPT=30002 WINDOW=32792 RES=0x00 SYN URGP=0
    
    ...
    

    What is the meaning of this? When do they occur and why? Should and can I disable these specific entries? I do not wish to disable UFW logging, but I'm not sure whether these lines are useful at all.

    Note that this does not actually occur in /var/log/ufw.log. It only occurs in /var/log/syslog. Why is this the case?

    More info

    • my logging is set to medium: Logging: on (medium)
  • Tom (almost 12 years)
    Thank you. Port 30002 is a MongoDB arbiter running. I don't know anything about NTP though; should I be worried?
  • Misc (almost 12 years)
    No. NTP is just to set the time; you have likely already used it without knowing (when you check "use network to sync time" in GNOME, it uses NTP). It just syncs time across a network. Maybe the IP was part of the global pool of the NTP network (pool.ntp.org/fr), hence the request from someone on the internet?
  • MUY Belgium (over 6 years)
    The level of log is in the option menu.
  • jrg (over 6 years)
    @MUYBelgium options menu of what tool?