Check your logs on a regular basis. Firewalls are not 100%
secure - don't trust them too blindly.
A utility, fiaif-scan, is provided along with the
package. It converts the packets logged in the syslog into human
# cat /var/log/messages | fiaif-scan
Jun 7 16:01:07: DROP queue=FORWARD(EXT->INT) protocol=TCP \
Jun 7 16:02:22: DROP queue=FORWARD(EXT->INT) protocol=TCP \
Jun 7 16:02:32: SYN queue=INPUT(EXT) protocol=TCP \
Jun 7 16:03:37: DROP queue=FORWARD(EXT->INT) protocol=TCP \
Jun 7 16:04:52: DROP queue=FORWARD(EXT->INT) protocol=TCP \
Lines printed in the system log (or in the ulog, if ulogd is enabled)
always mean that a packet was dropped. Every line is prefixed to identify
why the packet was dropped. The prefixes are:
- DROP
This means that the packet was dropped by a standard rule.
This can be either by the INPUT, FORWARD or OUTPUT rules, or by the
MAC_DROP or IP_DROP parameters.
This means that the system encountered a packet with an illegal
source or destination.
If this is an error, check the IP, MASK, NET and BCAST parameters.
- REJECT
This is equivalent to DROP, used when the target in an INPUT, FORWARD
or OUTPUT rule is REJECT.
Means that iptables sees the packet as an invalid packet, i.e. it is
associated with no known connection.
This indicates an error in a zone configuration, where no
rules applied to the packet. You should make sure that the INPUT,
FORWARD and OUTPUT rules contain a catch-all rule for the
This means that no zone applied to the packet. Usually this is
because the NET parameter for a zone does not cover all possible
IP numbers.

declared in the WATCH parameter is logged this way.
These packets are not dropped, contrary to the statement
- LIMIT_ACCEPT, LIMIT_DROP, LIMIT_REJECT
Any packet matching a LIMIT rule is logged with this prefix.
Only packets dropped by the rule are logged.
- SYN
Packets that are not part of an already established TCP connection and
do not carry the SYN TCP flag are regarded as illegal.
Fiaif contains some validation checks on all packets.
If these validation checks find packets which do not conform
to the RFCs, they are dropped and logged. Examples are XMAS packets
and NULL packets. It usually means that someone is attacking the
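Reading the prefixes one line at a time does not scale once a firewall has been running for a while; what a reviewer wants from a regular log check is a count per prefix and per queue, and the sources that keep showing up. The following script is an added example written for this manual; it is not fiaif-scan and not part of the FIAIF package. It assumes log lines of the shape shown above ("Mon day hh:mm:ss: PREFIX key=value ..."), takes only the prefix, queue= and protocol= fields from the manual, and adds constructed src=, dst= and dpt= fields to its sample input so that the summary has something to group on.

```python
"""Summarise FIAIF-style firewall log lines by prefix, queue and source.

Added example, not part of FIAIF or fiaif-scan.  Assumed line shape:
    "<Mon> <day> <hh:mm:ss>: <PREFIX> key=value key=value ..."
PREFIX, queue= and protocol= come from the manual; src=/dst=/dpt= are
constructed fields used only in the sample input below.
"""
import re
import sys
from collections import Counter

# Constructed sample input in the manual's line format.  The last line is
# deliberately not a firewall line, to show that unrelated syslog entries
# are counted as skipped rather than mis-parsed.
SAMPLE_LOG = """\
Jun 7 16:01:07: DROP queue=FORWARD(EXT->INT) protocol=TCP src=198.51.100.7 dst=192.0.2.10 dpt=445
Jun 7 16:02:22: DROP queue=FORWARD(EXT->INT) protocol=TCP src=198.51.100.7 dst=192.0.2.11 dpt=445
Jun 7 16:02:32: SYN queue=INPUT(EXT) protocol=TCP src=203.0.113.5 dst=192.0.2.1 dpt=22
Jun 7 16:03:37: DROP queue=FORWARD(EXT->INT) protocol=TCP src=198.51.100.7 dst=192.0.2.12 dpt=445
Jun 7 16:04:52: LIMIT_ACCEPT queue=INPUT(EXT) protocol=ICMP src=203.0.113.9 dst=192.0.2.1
Jun 7 16:05:10: not a firewall line at all
"""

# Timestamp, then an upper-case prefix (DROP, SYN, LIMIT_ACCEPT, ...),
# then whatever key=value fields follow.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d):\s+"
    r"(?P<prefix>[A-Z_]+)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return {'timestamp', 'prefix', <key>: <value>, ...} or None if the
    line is not a firewall log line of the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": f"{m['month']} {m['day']} {m['time']}",
           "prefix": m["prefix"]}
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def summarise(text, top=3):
    """Aggregate parsed lines: hits per prefix, per prefix+queue, the
    noisiest sources, and how many lines were not firewall lines."""
    by_prefix = Counter()
    by_queue = Counter()
    sources = Counter()
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_prefix[rec["prefix"]] += 1
        by_queue[f"{rec['prefix']} {rec.get('queue', '?')}"] += 1
        if "src" in rec:            # src= is a constructed field here
            sources[rec["src"]] += 1
    return {
        "by_prefix": dict(by_prefix),
        "by_queue": dict(by_queue),
        "top_sources": sources.most_common(top),
        "skipped": skipped,
    }


def report(summary):
    """Render the summary as plain text for a terminal."""
    out = ["Hits per prefix:"]
    out += [f"  {p:<14}{n:>6}" for p, n in sorted(summary["by_prefix"].items())]
    out.append("Hits per prefix and queue:")
    out += [f"  {q:<32}{n:>6}" for q, n in sorted(summary["by_queue"].items())]
    out.append("Noisiest sources:")
    out += [f"  {s:<20}{n:>6}" for s, n in summary["top_sources"]]
    out.append(f"Non-firewall lines skipped: {summary['skipped']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage:  fiaif-summary.py < /var/log/messages   (or run with no input
    # to see the constructed sample).
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarise(text)))
```

The parser only trusts the part of the line format the manual shows; everything after the prefix is treated as opaque key=value pairs, so a line whose fields differ from the sample still counts towards the right prefix and queue. A run of DROP lines from one source against one queue, as in the sample, is the pattern worth following up on first.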
Check for upgrades on a regular basis. Everything has bugs - even
this script. When bugs are discovered, they are often fixed before they
are posted. Being up to date on the kernel, iptables and this script (as
well as many other programs) may prevent crackers from using