fw monitor -e 'accept (([12:4,b]=9.9.9.9) or ([16:4,b]=9.9.9.9));'
Then an inside host attempts to connect to that IP on port 80. We will see the following output:
[vs_0][fw_9] eth0:i[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth0:I[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth1:o[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth1:O[52]: 11.11.11.11 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 27030-> 80 .S.... seq=3d4cd035 ack=00000000
eth0 means the packet is being processed on the Lan1 interface.
eth0:i indicates this packet is captured pre-inbound rules.
eth0:I indicates this packet is captured post-inbound rules.
eth1 indicates the interface the packet will be routed out of.
eth1:o indicates the packet was captured pre-outbound rules.
eth1:O indicates the packet was captured post-outbound rules.
TCP: 27030-> 80 indicates this packet is a TCP packet with a source port of 27030 and a destination port of 80. You can see the source IP has changed due to NAT during the outbound rules.
.S.... indicates this packet has the SYN flag set.
Now let’s look at the return packet, the SYN-ACK packet and how it looks coming back through the firewall:
[vs_0][fw_9] eth1:i[52]: 9.9.9.9 -> 11.11.11.11 (TCP) len=52 id=0
TCP: 80 -> 46127 .S..A. seq=8348a727 ack=3d4cd036
[vs_0][fw_9] eth1:I[52]: 9.9.9.9 -> 10.0.0.1 (TCP) len=52 id=0
TCP: 80 -> 6437 .S..A. seq=8348a727 ack=3d4cd036
[vs_0][fw_9] eth0:o[52]: 9.9.9.9 -> 10.0.0.1 (TCP) len=52 id=0
TCP: 80 -> 6437 .S..A. seq=8348a727 ack=3d4cd036
[vs_0][fw_9] eth0:O[52]: 9.9.9.9 -> 10.0.0.1 (TCP) len=52 id=0
TCP: 80 -> 6437 .S..A. seq=8348a727 ack=3d4cd036
.S..A. indicates this packet has the SYN and ACK flags set.
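As an added example (my own code, not from the post or from Check Point), the following parses fw monitor's two-line records into the four inspection points and reports which address or port fields changed between consecutive points, so the NAT rewrite shows up at the o -> O step. The sample lines are the post's outbound SYN; the line layout the regexes assume is only what is visible on this page.

```python
import re

# Constructed sample: the outbound SYN from the post, as fw monitor prints it
# (a header line per inspection point, followed by a TCP line).
SAMPLE = """\
[vs_0][fw_9] eth0:i[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth0:I[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth1:o[52]: 10.0.0.1 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 6437 -> 80 .S.... seq=3d4cd035 ack=00000000
[vs_0][fw_9] eth1:O[52]: 11.11.11.11 -> 9.9.9.9 (TCP) len=52 id=6901
TCP: 27030-> 80 .S.... seq=3d4cd035 ack=00000000
"""

# Inspection points in the order a packet traverses the chain.
POINTS = {"i": "pre-inbound", "I": "post-inbound",
          "o": "pre-outbound", "O": "post-outbound"}

HDR = re.compile(r"\[vs_\d+\]\[fw_\d+\] (\w+):([iIoO])\[\d+\]: "
                 r"(\S+) -> (\S+) \((\w+)\) len=(\d+) id=(\d+)")
# \s*->\s* tolerates the missing space in "27030-> 80".
L4 = re.compile(r"(TCP|UDP): (\d+)\s*->\s*(\d+)(?: (\S+))?")

def parse(text):
    """Turn fw monitor output into one record per inspection point."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    recs = []
    for hdr, l4 in zip(lines[0::2], lines[1::2]):
        m, n = HDR.match(hdr), L4.match(l4)
        if not (m and n):
            raise ValueError(f"unrecognised fw monitor lines: {hdr!r} / {l4!r}")
        recs.append({"iface": m[1], "point": POINTS[m[2]], "src": m[3],
                     "dst": m[4], "proto": m[5], "id": int(m[7]),
                     "sport": int(n[2]), "dport": int(n[3]), "flags": n[4]})
    return recs

def nat_changes(recs):
    """Report which fields changed between consecutive inspection points
    of the same packet (same IP id); NAT shows up as an o -> O change."""
    out = []
    for prev, cur in zip(recs, recs[1:]):
        if prev["id"] != cur["id"]:
            continue
        diff = {k: (prev[k], cur[k]) for k in ("src", "dst", "sport", "dport")
                if prev[k] != cur[k]}
        if diff:
            out.append((prev["point"], cur["point"], diff))
    return out
```

Running `nat_changes(parse(SAMPLE))` on the post's capture reports a single change, between pre-outbound and post-outbound, where the source IP and source port are rewritten by NAT.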