
Firewall Rule IDs and Descriptions

Somewhere, I found this grid that matches Firewall Rule IDs (from the Firewall and ATP logs) to a description, but I cannot remember where.

After reviewing my log data, I realize that I am missing descriptions for at least these IDs: 1,12,17,18,60023,63001

(63001 is associated with ATP, not Firewall Rules.)

Does anyone have the rest of the list?

Here is what I have so far, in CSV format

fwrule,IptablesChain,Description,Target
60001,filter:INPUT,Input Default Drop,LOGDROP
60002,filter:FORWARD,Forward Default Drop,LOGDROP
60003,filter:OUTPUT,Output Default Drop,LOGDROP
60004,filter:AUTO_INPUT,Forbidden SSH connects,LOGDROP
60005,filter:AUTO_INPUT,Forbidden WebAdmin Contacts,LOGDROP
60006,filter:AUTO_INPUT,Allowed WebAdmin connects,LOGACCEPT
60007,filter:INVALID_PKT,Drop invalid packets,LOGDROP
60008,filter:SPOOF_DROP,Drop spoofed packets,LOGDROP
60009,filter:STRICT_TCP_STATE,Drop packets with suspicious tcp state,LOGDROP
60010,mangle:PREROUTING,Log FTP data connections,LOG
60011,mangle:PREROUTING,Log DNS requests,LOG
60012,raw:PREROUTING,Drop SYN_FLOOD attempts,LOG and DROP
60013,raw:PREROUTING,Drop UDP_FLOOD attempts,LOG and DROP
60014,raw:PREROUTING,Drop ICMP_FLOOD attempts,LOG and DROP
60015,mangle:PREROUTING,ICMP invalid pkt,LOG and DROP
60016,mangle:PREROUTING,ICMP Redirect,LOG
60017,filter:PSD_ACTION,Portscan detected,LOGDROP/LOGACCEPT
60018,mangle:FORWARD,SIP call,LOG
60019,mangle:SANITYCHECK,License Usage Exceeded (Active IPs),LOG and DROP
60020,mangle:FORWARD,H323 call,LOG
60021,"nat:USR_PRE, USR_POST or USR_OUTPUT",Connection using NAT,LOG

Also, I am seeing these relationships between ITMIDs and FWRULEIDs. The data makes more sense when the two codes are seen together. For example, an IP blocked by Country Blocking hits firewall rule 60019. There is not really a licensing problem.

Itmid,ItmName,itmfwrule,description
2001,Packet dropped,12,
2001,Packet dropped,60001,Input Default Drop
2001,Packet dropped,60005,Forbidden WebAdmin Contacts
2001,Packet dropped,60023,
2001,Packet dropped,60003,Output Default Drop
2002,Packet accepted,17,
2002,Packet accepted,18,
2003,Packet rejected,17,
2009,ICMP redirect,60016,ICMP Redirect
2017,AFC Alert,1,
2021,Packet dropped (GEOIP),60019,License Usage Exceeded (Active IPs)
2022,Packet dropped (ATP),63001,
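An added example, not code from this thread or from Sophos, that turns the two grids above into lookup tables and runs them over constructed UTM-style packetfilter log lines. It applies the Country Blocking pairing (ITMID 2021 with fwrule 60019) and, following the inference later in the thread, treats IDs below 60000 as positions in the Firewall Rules UI rather than stable identifiers. The sample lines and the ulogd key="value" layout are assumptions.

```python
import re
# Lookup tables assembled from the two CSV grids posted above (a subset of the rows).
FWRULE_DESC = {
    60001: ("filter:INPUT", "Input Default Drop"),
    60003: ("filter:OUTPUT", "Output Default Drop"),
    60005: ("filter:AUTO_INPUT", "Forbidden WebAdmin Contacts"),
    60016: ("mangle:PREROUTING", "ICMP Redirect"),
    60019: ("mangle:SANITYCHECK", "License Usage Exceeded (Active IPs)"),
}
ITMID_NAME = {2001: "Packet dropped", 2002: "Packet accepted", 2003: "Packet rejected",
              2009: "ICMP redirect", 2017: "AFC Alert", 2021: "Packet dropped (GEOIP)",
              2022: "Packet dropped (ATP)"}
# (itmid, fwrule) pairs whose real meaning differs from the rule description alone.
PAIR_OVERRIDE = {(2021, 60019): "blocked by Country Blocking, not a licensing problem"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split a UTM packetfilter log line into its key="value" fields; id/fwrule become ints."""
    fields = dict(KV_RE.findall(line))
    for key in ("id", "fwrule"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields

def explain(line):
    """Return (itmid, fwrule, human-readable explanation) for one log line."""
    f = parse_line(line)
    itmid, rule = f.get("id"), f.get("fwrule")
    event = ITMID_NAME.get(itmid, f"unknown ITMID {itmid}")
    if (itmid, rule) in PAIR_OVERRIDE:
        why = PAIR_OVERRIDE[(itmid, rule)]
    elif isinstance(rule, int) and rule < 60000:
        # IDs below 60000 are the rule's position in the Firewall Rules UI and
        # shift whenever a rule is inserted or deleted, so record them as positions.
        why = f"user rule at UI position {rule} (position-based, may shift)"
    elif rule in FWRULE_DESC:
        why = f"{FWRULE_DESC[rule][1]} [{FWRULE_DESC[rule][0]}]"
    else:
        why = f"no description known for fwrule {rule}"
    return itmid, rule, f"{event}: {why}"

# Constructed sample lines in the UTM ulogd key="value" style (not real captures).
SAMPLE = [
    'ulogd[1234]: id="2021" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" srcip="203.0.113.7" dstip="198.51.100.2" proto="6" dstport="443"',
    'ulogd[1234]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" srcip="203.0.113.9" dstip="198.51.100.2" proto="6" dstport="22"',
    'ulogd[1234]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="17" srcip="192.0.2.5" dstip="198.51.100.2" proto="6" dstport="80"',
]
if __name__ == "__main__":
    for ln in SAMPLE:
        print(explain(ln)[2])
```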

  • These are the links I use, Doug:

    Packetfilter logfiles on the Sophos UTM

    A Guide to Logfiles and Output

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob.

    I have inferred that the low-numbered rules are referring to the sequence numbers for the rules that appear in the Firewall Rules user interface.   This actually makes sense, but the downside is that the sequence changes when rules are added or removed, so the pointer is only valid if your rules are stable.   For the paranoid, this means that you are architecturally limited to 60000 manual and automatic rules.   I think that will be enough for most of us.  :)

  • It's for this reason that I like to leave disabled "test" rules spread around the rule set.  At least 4 at the top and then one after every two rules.  That lets me add new rules if necessary, but it also lets me do experiments without changing the numbering in the Firewall log file.

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA