Can anyone tell me what my log means

Discussion in 'LnS English Forum' started by Rilla927, Nov 9, 2005.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi all!

    I just installed LNS and may need some help configuring rules according to my log. Any help will be appreciated, thanks.
     

    Attached Files: Log2.png (22.8 KB)
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you have UPnP enabled on the router? Any other settings for multicast pass through?

    Regards,

    CrazyM
     
  3. Rilla927

    Hi CrazyM,

    I don't see a UPnP when I look at the settings for Router. Here is what I have enabled for Outbound Control: HTTP, HTTPS, FTP, SMTP, DNS, POP3, IMAP, NNTP, H323, All Other Protocols.

    For Inbound: Remote Management, NetBIOS- These are disabled or not checked.

    Under Security I have Stealth Mode, Block Ping, Strict UDP Session Control.

    I installed Secure It & Harden It to recommended settings right after I installed the OS and if I remember correctly it disables UPnP because it's unsafe.

    Someone mentioned DNS Rules. I thought maybe I just had to make a rule of some sort, maybe not necessarily DNS for the router, because it shows up in the log so it's obviously getting through, but needs some adjustment. But, I'm not familiar with this FW, I'm just guessing.

    If you need more info let me know. Thanks for your help.
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi Rilla927,

    If you don't have a lot of alerts, and if all your applications are working fine, probably there is nothing else to configure; Look 'n' Stop is simply blocking some packets that are not useful.

    If you have a lot of alerts and everything works fine though, eventually you can remove the sound for the alerts, or completely not log the packets for these alerts.

    For the DLL entries, you manually configured it to be logged in the DLL configuration. You can put again yet No log if there are a lot of alerts for this DLL.

    Frederic
     
  5. Rilla927

    I'd say 90% of my log is constantly filled with the alerts from my 2WIRE Modem/Router Type 3 Code 4. What does this alert mean? I hope it's not blocking my Router. Do I need to make some sort of rule so the alerts stop? The parenthesis you see in log, but can't see the word, is Nukes. ICMP: All ICMP types (....Nukes)

    As for the DLL configuration; what should be logged here?;)

    Thanks as always Frederic
     
  6. CrazyM

    type 3 - Destination Unreachable
    code 4 - Fragmentation Needed and Don't Fragment was Set
    "... occurs when a router receives a datagram that requires fragmentation, but the don't fragment (DF) flag is turned on in the IP header." TCP/IP Illustrated, Volume 1

    You could create a rule to permit these from your router.

    To determine why you may be seeing so many:
    What type of connection do you have?
    Are you doing anything in particular when these show up?
    Are you seeing any impact on what you are doing, slow downs?
    Have you anything in place that could be affecting fragmented packets, setting the DF bit, MTU?

    If you Google "Fragmentation Needed and Don't Fragment was Set" or "Path MTU Discovery" you should find lots of information and things to consider for troubleshooting this.

    Regards,

    CrazyM
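
Added example, not part of the original thread and not Look 'n' Stop rule syntax: a Python sketch of what a narrow "permit type 3 code 4 from the router" check has to verify, namely the sender, the ICMP checksum, and that the packet quoted inside the error was really sent by this host with DF set. The function names, the addresses and the MTU of 1492 are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, df):
    """Build a 20-byte IPv4 header (used only to construct the sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_sample(sender, host, mtu, df=True):
    """Constructed ICMP 3/4 from `sender` quoting a TCP packet sent by `host`."""
    inner = ipv4_header(host, "203.0.113.10", 6, 1480, df) + struct.pack("!HHI", 49152, 80, 1)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(sender, host, 1, len(icmp), False) + icmp

def check_frag_needed(packet, router_ip, local_ip):
    """Return (permit, next_hop_mtu, reason) for one inbound IPv4 packet."""
    icmp = packet[(packet[0] & 0x0F) * 4:] if len(packet) >= 20 else b""
    if len(icmp) < 8 + 20 + 8 or packet[9] != 1:
        return False, None, "not ICMP or too short"
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return False, None, "not type 3 code 4"
    if inet_checksum(icmp) != 0:
        return False, None, "bad ICMP checksum"
    if socket.inet_ntoa(packet[12:16]) != router_ip:
        return False, None, "not from router"
    inner = icmp[8:]  # quoted original: its IP header + first 8 payload bytes
    if socket.inet_ntoa(inner[12:16]) != local_ip:
        return False, None, "embedded packet not ours"
    if not struct.unpack("!H", inner[6:8])[0] & 0x4000:
        return False, None, "embedded packet had no DF"
    return True, mtu, "ok"

if __name__ == "__main__":
    pkt = build_sample("192.168.1.254", "192.168.1.64", 1492)
    print(check_frag_needed(pkt, "192.168.1.254", "192.168.1.64"))
```

The returned next-hop MTU is the value the sending host is expected to lower its path MTU to; dropping these messages is what stalls large transfers when DF is set.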
     
  7. Rilla927


    Does that mean I should turn DF flag off? I'm assuming since type 3 is Destination Unreachable means that the router can't talk to LNS and vice versa.
    How would you create such a rule?
    Local Area Connection. I hope that's the answer you were looking for.
    No. I installed LNS with whatever all the defaults are and made no changes whatsoever. I'd say 90% of the log from the time of installation is about the router. The OS and all software, browsers were installed fresh prior to this. I didn't see a problem with the apps either.
    Now that you have mentioned this, it brings to light; prior to the install of LNS, Firefox and Opera were as fast as lightning, and then after the install of LNS, FF and Opera came to a crawl. In fact, I was so frustrated, I had to use another computer. I never thought about it being related.
    I'm sorry CrazyM, but can you explain in layman's terms? What would I be looking for that would affect the fragmented packets, setting DF bit, MTU?
     
  8. CrazyM

    As I commented in the Other firewalls forum, possible culprits could be Secure It and Harden It, as the ICMP error message has to do with fragmented packets. Disabling their settings (go back to system defaults) would be a first step in troubleshooting why these error messages are now showing up.

    Regards,

    CrazyM
     
  9. Rilla927

    I will try that and when I'm done I will get back to you, thanks.
     