What do UFW's audit log entries mean?

That depends on the line. Usually it is Field=value.

There are IN and OUT, the incoming interface and the outgoing one (or both, for packets that are just relayed).

A few of them are:

  • TOS, for Type of Service,
  • DST is the destination IP,
  • SRC is the source IP,
  • TTL is time to live, a small counter decremented each time a packet passes through another router (so if there is a loop, the packet destroys itself once it reaches 0),
  • DF is the "don't fragment" bit, asking that the packet not be fragmented when sent,
  • PROTO is the protocol (mostly TCP and UDP),
  • SPT is the source port,
  • DPT is the destination port,

etc.

You should take a look at the TCP/UDP/IP documentation, where everything is explained in more detail than I could ever do.

Let's take the first one; it means that 176.58.105.134 sent a UDP packet on port 123 to 194.238.48.2. That's NTP. So I guess someone tried to use your computer as an NTP server, likely by mistake.

For the other line, that's curious: that's traffic on the loopback interface (lo), i.e. it is not going anywhere; it comes from and goes to your computer.

I would check whether something is listening on TCP port 30002 with lsof or netstat.


Set your logging to low to remove the AUDIT messages.

The purpose of AUDIT (from what I'm seeing) is related to the non-default/recommended logging; however, that's a guess, and I can't seem to find anything concrete on that.


On top of what has been said, it is also possible to infer what is going to be logged by inspecting the iptables rules. Specifically, the matching rules that are being logged can be filtered like this: sudo iptables -L | grep -i "log"

ufw-before-logging-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
Chain ufw-after-logging-forward (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-after-logging-output (1 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
Chain ufw-before-logging-forward (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-logging-allow (0 references)
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
Chain ufw-user-logging-forward (0 references)
Chain ufw-user-logging-input (0 references)
Chain ufw-user-logging-output (1 references)

Those are for the most part default rules. Inspecting the output above reveals that the ufw-before-* chains generate the [UFW AUDIT ...] logs.

I'm not a big expert on iptables and the UFW manual is not very helpful on this, but as far as I can tell the rules matching this chain sit in /etc/ufw/before.rules.

For example, the lines below allow loopback connections, which might have triggered the last two example lines in your log (the ones starting with [UFW AUDIT] IN=lo):

# rules.before
# ....
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# ....

For my part, I get a lot of logged LLMNR packets on port 5353:

Mar 17 21:02:21 pc kernel: [133419.183616] [UFW AUDIT] IN=wlp2s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.251 LEN=146 TOS=0x00 PREC=0x00 TTL=255 ID=22456 DF PROTO=UDP SPT=5353 DPT=5353 LEN=126 

Which I think are caused by the following in before.rules:

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

One way to deactivate those is to fire up the following:

sudo ufw deny 5353
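The first answer explains the Field=value layout of a UFW kernel log line and reads two of the asker's lines by hand (the NTP packet to port 123 and the loopback traffic to TCP 30002); the last answer ties each [UFW ...] prefix to the iptables LOG rule that emits it. The script below, an added example that is not part of any of the answers above, does both mechanically: it parses the Field=value pairs after the prefix (keeping bare flags such as DF and SYN, and both LEN values, since the second one is the transport-layer length), then interprets each record (loopback, multicast destination, well-known port, SYN-only connection attempt) and names the chain from the iptables listing in the last answer. The sample log lines are constructed for this example (only the mDNS line is quoted from the answer), and the SERVICE_NAMES and CHAIN_FOR_ACTION tables are this example's own assumptions, the latter read off the iptables output shown above.

```python
"""Parse and classify UFW kernel log lines. Added example; not from the answers."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches [UFW AUDIT], [UFW BLOCK], [UFW ALLOW], [UFW AUDIT INVALID], [UFW LIMIT BLOCK]
PREFIX_RE = re.compile(r"\[UFW (?P<action>[A-Z]+(?: [A-Z]+)*)\]")

# Assumption: which chain carries the LOG rule for each prefix, read from the
# `iptables -L | grep -i log` listing of the default ufw rules in the answer.
CHAIN_FOR_ACTION = {
    "AUDIT": "ufw-before-logging-* (ctstate NEW, i.e. every new connection)",
    "AUDIT INVALID": "ufw-logging-deny (ctstate INVALID)",
    "BLOCK": "ufw-logging-deny / ufw-after-logging-forward",
    "ALLOW": "ufw-after-logging-input/output / ufw-logging-allow",
    "LIMIT BLOCK": "rate-limit LOG rule (limit: avg 3/min burst 5)",
}

# Assumption: a tiny port-name table covering the two services discussed on this page.
SERVICE_NAMES = {123: "ntp", 5353: "mdns"}

# Constructed sample lines; the third one is the mDNS line quoted in the answer.
SAMPLE_LINES = [
    "Mar 17 20:59:02 pc kernel: [133200.000001] [UFW AUDIT] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=176.58.105.134 DST=194.238.48.2 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Mar 17 21:00:15 pc kernel: [133273.000002] [UFW AUDIT] IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=30002 WINDOW=43690 RES=0x00 SYN URGP=0",
    "Mar 17 21:02:21 pc kernel: [133419.183616] [UFW AUDIT] IN=wlp2s0 OUT= MAC= SRC=192.168.1.2 DST=224.0.0.251 LEN=146 TOS=0x00 PREC=0x00 TTL=255 ID=22456 DF PROTO=UDP SPT=5353 DPT=5353 LEN=126",
    "Mar 17 21:05:00 pc kernel: [133578.000003] [UFW BLOCK] IN=wlp2s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar 17 21:05:01 pc systemd[1]: Started Daily apt download activities.",
]


@dataclass
class UfwRecord:
    action: str                                   # text inside the [UFW ...] prefix
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value pairs
    flags: List[str] = field(default_factory=list)        # bare tokens: DF, SYN, ACK, ...


def parse_ufw_line(line: str) -> Optional[UfwRecord]:
    """Return the parsed record, or None if the line carries no [UFW ...] prefix."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = UfwRecord(action=m.group("action"))
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice: the IP total length first, then the transport-layer
            # (UDP/TCP) length. Keep the second under LEN2 instead of overwriting.
            if key in rec.fields:
                key += "2"
            rec.fields[key] = val          # empty values (OUT=, MAC=) are kept as ""
        else:
            rec.flags.append(tok)
    return rec


def describe(rec: UfwRecord) -> str:
    """One-line reading of a record, in the spirit of the first answer."""
    f = rec.fields
    parts = [f"{rec.action}: {f.get('PROTO', '?')} {f.get('SRC', '?')}:{f.get('SPT', '-')}"
             f" -> {f.get('DST', '?')}:{f.get('DPT', '-')}"]
    if f.get("IN") == "lo" or f.get("OUT") == "lo":
        parts.append("loopback, never left the host")
    try:
        if ipaddress.ip_address(f.get("DST", "")).is_multicast:
            parts.append("multicast destination")
    except ValueError:
        pass
    dpt = f.get("DPT", "")
    if dpt.isdigit() and int(dpt) in SERVICE_NAMES:
        parts.append(f"service {SERVICE_NAMES[int(dpt)]}")
    if "SYN" in rec.flags and "ACK" not in rec.flags:
        parts.append("TCP connection attempt")
    parts.append("logged by " + CHAIN_FOR_ACTION.get(rec.action, "unknown chain"))
    return "; ".join(parts)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count records per [UFW ...] prefix; non-UFW lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ufw_line(line)
        if rec is not None:
            counts[rec.action] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ufw_line(line)
        print(describe(rec) if rec else "not a UFW record")
    print(summarize(SAMPLE_LINES))
```

Feed it real input with something like `journalctl -k | python3 ufw_audit.py` after replacing SAMPLE_LINES with `sys.stdin`; if the AUDIT count dwarfs the BLOCK count, that is the "logging full" noise the second answer suggests turning down.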