How to interpret mbox firewall logs

mbox uses the Linux kernel firewall (iptables) to log access, so its log format follows the standard iptables LOG target format.

Take the example below (CMG logs sent to LOG):


[106049.329054] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 SRC= DST= LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=3868 DF PROTO=TCP SPT=63308 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=


106049.329054: the time of the event (in Unix format); the GUI and reports display it as a human-readable time.

(Translated time is: 12/5/2016, 12:01:39 AM)

IN=br0: inbound logical interface/network, where the user traffic comes in

OUT=eth0: outbound interface/network, where the user traffic leaves

PHYSIN=eth2: physical inbound interface, where the user traffic comes in (eth2 is a member of bridge group br0)

MAC=00:90:0b:34:b4:7f: destination MAC address (first six octets of the MAC field)

MAC=00:90:0b:3e:05:0c: source MAC address (next six octets of the MAC field)

Type=08:00: EtherType of the frame (0x0800 means the frame carried an IPv4 datagram)

SRC= source IPv4 address

DST= destination IPv4 address

LEN=52: size of the packet (bytes)

TOS=0x00: the Type of Service of the IP packet

PREC=0x00: the Precedence of the IP packet

ID=64564: the identification field of the IP packet

PROTO=TCP: protocol used

SPT=63308: source port

DPT=22: destination port (PROTO=TCP with DPT=22 means the SSH application)

So if we interpret the log above in layman's terms, it reads as below (ignoring other minor details):

"At 12/5/2016, 12:01:39 AM, user (with MAC=00:90:0b:3e:05:0c) coming from local network/eth2 tried to connect to remote server using SSH application."
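As an added example (not part of the mbox documentation), the following Python parser splits a line in this format into its fields, separates the destination MAC, source MAC and EtherType packed into the single MAC= value, collects the bare flag tokens (DF, SYN) that carry no "=", tolerates empty values such as the redacted SRC=/DST= and URGP=, and renders the plain-language summary given above. The sample line, the RFC 5737 placeholder addresses and the port-to-application table are constructed assumptions.

```python
import re

# Constructed sample in the format shown above. SRC/DST are redacted on the page,
# so RFC 5737 documentation addresses stand in for them here.
SAMPLE = ("[106049.329054] mboxfw-permit:IN=br0 OUT=eth0 PHYSIN=eth2 "
          "MAC=00:90:0b:34:b4:7f:00:90:0b:3e:05:0c:08:00 "
          "SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=60 "
          "ID=3868 DF PROTO=TCP SPT=63308 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=")

# Small assumed port-to-application lookup; extend as needed for your environment.
APP_BY_PORT = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def parse_iptables_log(line):
    """Split one iptables LOG line into timestamp, log prefix, KEY=VALUE fields and flags."""
    m = re.match(r"^\[\s*([\d.]+)\]\s*(.*?)(IN=.*)$", line)
    if not m:
        raise ValueError("not an iptables LOG line")
    rec = {"timestamp": m.group(1), "prefix": m.group(2).rstrip(": "), "flags": []}
    for tok in m.group(3).split():
        if "=" in tok:                      # KEY=VALUE; value may be empty (e.g. URGP=)
            key, val = tok.split("=", 1)
            rec[key] = val
        else:                               # bare tokens are flags: DF, SYN, ACK, ...
            rec["flags"].append(tok)
    # MAC= packs destination MAC, source MAC and EtherType back to back (6+6+2 octets)
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:
        rec["DST_MAC"] = ":".join(octets[:6])
        rec["SRC_MAC"] = ":".join(octets[6:12])
        rec["ETHERTYPE"] = "0x" + "".join(octets[12:])
    return rec

def summarize(rec):
    """Render the plain-language reading of a parsed record, as the page does by hand."""
    dport = int(rec["DPT"]) if rec.get("DPT") else None
    app = APP_BY_PORT.get(dport, f"{rec.get('PROTO', '?')}/{dport}")
    src_if = rec.get("PHYSIN") or rec.get("IN", "?")
    return (f"[{rec['timestamp']}] {rec['prefix']}: user (MAC={rec.get('SRC_MAC', '?')}) "
            f"coming from {rec.get('IN', '?')}/{src_if} tried to connect to "
            f"{rec.get('DST') or '<redacted>'} using {app} (flags: {' '.join(rec['flags'])})")

if __name__ == "__main__":
    print(summarize(parse_iptables_log(SAMPLE)))
```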