What does "SFW2-INext-DROP-DEFLT" in my messages log file mean?
I'm trying to troubleshoot a flaky network connection on my SuSE 9.2 Pro installation. I've noticed that the most frequent message in my /var/log/messages file, sometimes every few seconds, is the following (the SRC is different every time, the DST is always my static ip address -- which I've deleted below):
Since disabling the firewall a few minutes ago, I no longer get the "SFW2-INext-DROP-DEFLT" messages in my log file, but my network connection is still flaky, so I'm still a long ways from figuring out the solution to my connectivity problem.
Ok.. the port used by the strange log entries is the ntp time protocol..
Still can't tell if it's an originating packet or a reply packet..
Coz src & dest ports are the same, I say it's an originating packet..
I am very surprised iptables-save doesn't exist..
Check the rpm to see if it exists in there or not..
It's a great tool for displaying current rules, much better than just iptables..
for the log_martians..
do cat /proc/sys/net/ipv4/conf/eth0/log_martians
It may be only entered against the interface or default..
/proc/sys/net/ipv4/conf/default/log_martians
iptables-save is one of the programmes in the iptables package..
Ahhh... src & dest ports..
both are port 123..
Usually a client will use a high port >1023 to connect from..
So seeing the same port number and udp protocol suggests that it's not a reply.. maybe a scanning attempt or an improperly set router..
(I'll check my ntp server to see if it synchronises with low ports..)
---added comment Yes, my ntp server uses 123 for a src port..
So it may be a poorly setup ntp server looking for sources to synchronise on..
Can block that on your router if you don't have an ntp server for the public...
----
After reading your previous post about "flakey connections"..
which setup do you have now?
I gather you have an internet ip number, via a hub, which also means via a router somewhere..
You mentioned treating your network as "safe" so I'm not too sure that's true if you have a public ip number..
It makes it difficult to do firewall mods without proper tools if you're public..
Need to be sure you've closed down all unnecessary listening daemons before clearing rules out.
Last edited by peter_robb; 12-17-2004 at 01:13 PM.
Originally posted by peter_robb
iptables-save is one of the programmes in the iptables package..
Ahhh... src & dest ports..
both are port 123..
Usually a client will use a high port >1023 to connect from..
So seeing the same port number and udp protocol suggests that it's not a reply.. maybe a scanning attempt or an improperly set router..
(I'll check my ntp server to see if it synchronises with low ports..)
---added comment Yes, my ntp server uses 123 for a src port..
So it may be a poorly setup ntp server looking for sources to synchronise on..
Can block that on your router if you don't have an ntp server for the public...
----
Sorry, not sure what it means to have an "ntp server for the public." Is that something I should know?
Quote:
After reading your previous post about "flakey connections"..
which setup do you have now?
I gather you have an internet ip number, via a hub, which also means via a router somewhere..
You mentioned treating your network as "safe" so I'm not too sure that's true if you have a public ip number..
It makes it difficult to do firewall mods without proper tools if you're public..
Need to be sure you've closed down all unnecessary listening daemons before clearing rules out.
Yes, I've been assigned a static IP number. There is a router in my building, plus a little hub in my office that allows multiple computers to connect (using different IPs).
I have no idea how to modify the firewall, aside from turning it on & off. It's off at the moment. The network administrators in my building, however, run their own firewall, and I'm currently looking into whether anything they are doing is interfering with my network connectivity. However, a colleague on the same floor also runs SuSE, and he has no connection issues, so it makes me think the issues I'm having aren't related to my network administrators' firewall settings.
Do you have an ntp time server running in your pc or network?
Usually your net admin would block these at the router if you didn't have one..
(In fact any unused services should be blocked at the router..)
do netstat -lnp and look for something listening on port 123 in your pc..
Also please check the MAC address in the logs and see if it matches the MAC address of the router..
do arp -n to list the current MAC addresses your pc recognises.
(The table expires after 15 mins so not everyone will be in there..)
I am a bit curious about the source of the packets.. there are so many.. and whether they are from outside your net (most likely) or inside spoofed packets..
Also please check cat /proc/sys/net/ipv4/tcp_ecn. It should be 0
This can make the net connection flakey if it is on..
I don't feel too confident seeing a public static ip number without a firewall somewhere.. even if the hacks on linux are very few..
There are many firewall scripts and gui tools to make it easy for you..
The LQ Wiki lists a few.. http://wiki.linuxquestions.org/wiki/Firewall
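The three checks peter_robb asks for (how many drops each SRC produces, the same-port UDP 123 pattern that marks an originating NTP packet rather than a reply, and whether the logged MAC is the router's) as an added Python example; it is not code from the thread. The log lines and the router MAC are constructed sample values, and the field layout follows the kernel LOG target output that SuSEfirewall2 prefixes with SFW2-INext-DROP-DEFLT.

```python
import re
from collections import Counter

# Constructed sample lines in the format the thread discusses: the SuSEfirewall2 log
# prefix followed by the kernel LOG target's KEY=VALUE fields (documentation IPs, made-up MACs).
SAMPLE_LOG = """\
Dec 17 12:01:02 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 17 12:01:09 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 17 12:01:15 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:de:ad:be:ef:00:01:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 12:01:20 suse kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""
ROUTER_MAC = "00:11:22:33:44:55"  # assumed value: the gateway's MAC as shown by `arp -n`
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one SFW2 log line, or None if it is not one."""
    at = line.find("SFW2-")
    if at < 0:
        return None
    fields = dict(FIELD_RE.findall(line[at:]))
    # The LOG target prints MAC as dst(6):src(6):ethertype(2); the src half is the last
    # hop on the LAN, so packets from outside should carry the router's MAC there.
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["SRC_MAC"] = ":".join(octets[6:12])
    return fields

def is_ntp_peer_probe(f):
    """The thread's rule: a client's replies come back to a high port, so UDP with
    SPT == DPT == 123 was originated by an NTP server/peer and is not a reply."""
    return f.get("PROTO") == "UDP" and f.get("SPT") == "123" and f.get("DPT") == "123"

def summarize(text, router_mac=ROUTER_MAC):
    """Drops per SRC, NTP-probe sources, and frames that did not arrive via the router."""
    per_src, ntp_probes, not_via_router = Counter(), Counter(), []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        per_src[f.get("SRC", "?")] += 1
        if is_ntp_peer_probe(f):
            ntp_probes[f.get("SRC", "?")] += 1
        if f.get("SRC_MAC") and f["SRC_MAC"] != router_mac:
            not_via_router.append((f.get("SRC", "?"), f["SRC_MAC"]))
    return per_src, ntp_probes, not_via_router

if __name__ == "__main__":
    srcs, probes, local = summarize(SAMPLE_LOG)
    print("drops per SRC:", dict(srcs), "\nNTP same-port probes:", dict(probes),
          "\nnot via router MAC (local or spoofed sender):", local)
```

Run it against the real file with `summarize(open("/var/log/messages").read())` after replacing ROUTER_MAC with the gateway entry from `arp -n`; a non-empty third result means a frame came from a MAC other than the router, which is the inside-versus-outside question raised above.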
Originally posted by peter_robb
Do you have an ntp time server running in your pc or network?
Usually your net admin would block these at the router if you didn't have one..
(In fact any unused services should be blocked at the router..)
do netstat -lnp and look for something listening on port 123 in your pc..
I grepped the output from that command and 123 doesn't show up anywhere.
Quote:
Also please check the MAC address in the logs and see if it matches the MAC address of the router..
do arp -n to list the current MAC addresses your pc recognises.
(The table expires after 15 mins so not everyone will be in there..)
There are two entries in that table. They both share enough information with my assigned static IP address that either certainly could be the router. I'll check with my network admin guys to verify that one of them actually is.
Quote:
Also please check cat /proc/sys/net/ipv4/tcp_ecn. It should be 0
This can make the net connection flakey if it is on..
It's 0.
Quote:
I don't feel too confident seeing a public static ip number without a firewall somewhere.. even if the hacks on linux are very few..
There are many firewall scripts and gui tools to make it easy for you..
The LQ Wiki lists a few.. http://wiki.linuxquestions.org/wiki/Firewall
It's true I've temporarily disabled my linux firewall, but my machine resides within a network protected by an outer firewall. The network admin guys opened up port 22 for me so I could get SSH connections going. I'm currently doing some digging to see if the firewall the network admin guys run for the entire group is somehow interfering with my linux box's ability to maintain a stable connection.
Edited to add:
By the way, thanks for all your help. I'm pretty frustrated, and it helps a lot to have someone waaaaaay more knowledgeable than me guiding my search for resolution!
Last edited by TrulyTessa; 12-20-2004 at 12:45 PM.
Ok, I'll kick myself now...
For some reason I've been thinking you have an internet static number on your eth0 rather than a local net number..
Which makes for a good question..
What kind of firewall/router configuration redirects port 123 to your pc?
You don't have an ntp time server on your pc..
Find that MAC address..
Not sure I'm following. What's the difference between an internet static number and a local net number? I have a static IP address assigned to my linux box that no one else uses, i.e., if I type that IP address in a web browser on a network-connected machine anywhere, it brings up my linux box's default apache page. I would have thought that was an 'internet static number' but I must be confused...
When I do route -n it brings up four entries. I guess that in order to know which is the router/gateway (and to find out more info about the firewall/router), I'll have to wait for a response from my network admin guys to be sure... Will report back when I know more about that stuff.
With route -n, usually the last number is the gateway..
but it can be recognised by the UG entry in the line..
It's possible to have several gateways too..
eg..
Code:
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
Last edited by peter_robb; 12-22-2004 at 09:30 AM.