WHAT'S A FALSE ALARM

Firewall software blocks and typically logs network activity it sees as 'suspicious'. This interpretation is defined by the firewall's configuration. This works well as long as the firewall has been carefully designed and programmed, and properly configured by whoever is using it.

Sometimes, a firewall reports something that is not an attack.
A 'paranoid' firewall will be set off and alert the user to an 'attack' when it simply sees network traffic that it does not recognize. Almost as often, the firewall software will 'guess' at what's happening and report it to the user as fact. This problem is particularly common with personal firewalls. For example, a firewall reported that the IP address 204.83.142.2 was repeatedly connecting on port 53. This is normal traffic: it's the Access Communications DNS server responding to your own computer.

A second common problem is that of a novice or inexperienced user setting up and trying to use firewall software with no idea or previous experience of how it works, or even what it's protecting them from. An understanding of the underlying principles of TCP/IP and UDP/IP is required to interpret the output of any kind of firewall. The moral of this story is that the initial setup of your firewall should be undertaken by someone who knows what they're doing.

We also recommend that customers who are concerned about security look into XpressSecure, the Access security solution powered by F-Secure. For a low monthly fee, we can provide you with the very latest in Internet security and virus protection.

Should I report all security alerts?
You should report any security incidents you feel are serious, or which you aren't sure of. If in doubt, it's a good idea to report it. We'll sort it out from there. But please do not report security incidents that are clearly false alarms. We have limited resources available to investigate security problems, and it could keep us from a serious threat.

How do I read a log file?
If you ever do need to report a problem, it helps to know what's going on — even a little. Here's a quick tutorial on how to read a firewall report. As an example, consider a single line of a firewall log taken from a Linux firewall running the ipchains packet filter:
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

This log message is in a fairly standard format, and is designed to be terse. It contains a lot of technical information of interest mainly to networking gurus, but parts of it are useful to the rest of us. The log message breaks down like this:
  • input is the rule 'chain' which matched the packet, causing the log message
  • DENY is what the rule said to do to the packet
  • eth0 is the ethernet card (interface)
  • PROTO=17 means that the packet was protocol 17; the most common protocols are 1 (ICMP), 6 (TCP) and 17 (UDP)
  • 192.168.2.1 means that the packet's source IP address was 192.168.2.1
  • :53 means that the source port was port 53, which is the 'domain' or 'DNS' port
  • 192.168.1.1 is the destination IP address
  • :1025 means that the destination port was 1025
  • L=34 means that the packet was a total of 34 bytes long
  • S=0x00 is the Type of Service field (it is usually safe to ignore this)
  • I=18 is the IP ID (it is usually safe to ignore this)
  • F=0x0000 is the 16-bit fragment offset plus flags (it is usually safe to ignore this)
  • T=254 is the Time To Live of the packet (it is usually safe to ignore this)
This log message means that 192.168.2.1 is replying to a DNS request sent from 192.168.1.1. This is normal traffic to see on the Internet, and is harmless.
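The breakdown above can be turned into a small triage script. This is an added example, not code from the original page or from Access Communications: it splits an ipchains 'Packet log:' line into the named fields listed above and labels a UDP packet from port 53 of one of your own DNS servers as the DNS-reply false alarm described earlier. The set of resolver addresses is an assumption you supply; 192.168.2.1 is used here only because it appears in the sample line.

```python
import re

# Protocol numbers named on the page; anything else is reported numerically.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Field order of an ipchains "Packet log:" line, matching the breakdown above.
# search() is used so a syslog prefix or trailing text does not break matching.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl")
HEX_FIELDS = ("tos", "frag")

def parse_ipchains_line(line):
    """Split one ipchains log line into a dict of named fields (numbers as ints)."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line: %r" % line)
    fields = m.groupdict()
    for key in INT_FIELDS:
        fields[key] = int(fields[key])
    for key in HEX_FIELDS:
        fields[key] = int(fields[key], 16)
    fields["proto_name"] = PROTOCOLS.get(fields["proto"], str(fields["proto"]))
    return fields

def classify(fields, resolvers):
    """Label an entry. A UDP packet from port 53 of one of the user's own DNS
    servers ('resolvers' is supplied by the caller, an assumption of this example)
    is the DNS-reply false alarm discussed above; anything else is left for review."""
    if fields["proto"] == 17 and fields["sport"] == 53 and fields["src"] in resolvers:
        return "false-alarm"
    return "review"

def describe(line, resolvers):
    """One-line plain-language reading of a log line, prefixed with its verdict."""
    f = parse_ipchains_line(line)
    return "%s: %s %s:%d -> %s:%d was %s on %s (chain %s, ttl %d)" % (
        classify(f, resolvers), f["proto_name"], f["src"], f["sport"],
        f["dst"], f["dport"], f["action"], f["iface"], f["chain"], f["ttl"])

if __name__ == "__main__":
    # The line from the page; {"192.168.2.1"} stands in for the site's real DNS servers.
    print(describe("Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 "
                   "192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254", {"192.168.2.1"}))
```

Anything labelled 'review' is what the 'Should I report all security alerts?' section is asking about; the 'false-alarm' verdict only holds when the source really is one of the resolvers you configured.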