0000698: Wrong MAC Address in Firewall Logs - MantisBT
MantisBT - Endian Firewall
View Issue Details
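ID: 0000698
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2008-04-22 11:49
Last Update: 2010-11-22 11:51
Reporter: michaelF
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2-beta3
Fixed in Version: 2.4.1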
Summary: 0000698: Wrong MAC Address in Firewall Logs
The "Firewall log viewer" always shows the same MAC address (ff:ff:14:00:03:00) for different IP addresses.

Apr 22 13:27:56 OUTGOINGFW:ACCEPT:6 br2 KEY_UDP 192.168.60.99 2051 ff:ff:14:00:03:00 145.24.129.6 123

Apr 22 13:21:27 OUTGOINGFW:ACCEPT:2 br0 KEY_TCP 192.168.62.59 2480 ff:ff:14:00:03:00 217.115.130.105 25

If I look at "Services", the right MAC address is shown:

192.168.60.99 = 00:04:0e:59:73:c3
192.168.62.59 = 08:00:27:68:67:63
No tags attached.
Attached Files: logs_firewall.cgi (11,897) 2009-05-22 12:09
https://bugs.endian.com/file_download.php?file_id=238&type=bug
Issue History
2008-04-22 11:49 | michaelF | New Issue
2008-04-22 11:49 | michaelF | Status | new => assigned
2008-04-22 11:49 | michaelF | Assigned To | => peter-endian
2009-05-11 09:04 | michaelF | Note Added: 0002307
2009-05-11 10:14 | peter-endian | Note Added: 0002311
2009-05-11 10:14 | peter-endian | Status | assigned => closed
2009-05-11 10:14 | peter-endian | Resolution | open => not fixable
2009-05-14 12:11 | mike-f | Note Added: 0002340
2009-05-14 12:11 | mike-f | Status | closed => feedback
2009-05-14 12:11 | mike-f | Resolution | not fixable => reopened
2009-05-20 08:28 | michaelF | Note Added: 0002364
2009-05-22 11:58 | mike-f | Note Added: 0002375
2009-05-22 12:08 | mike-f | Note Edited: 0002375
2009-05-22 12:09 | mike-f | File Added: logs_firewall.cgi
2009-05-22 12:10 | mike-f | Note Edited: 0002375
2009-05-22 12:11 | mike-f | Status | feedback => resolved
2009-05-22 12:11 | mike-f | Resolution | reopened => fixed
2009-06-18 13:10 | michaelF | Note Added: 0002639
2009-06-18 13:10 | michaelF | Status | resolved => feedback
2009-06-18 13:10 | michaelF | Resolution | fixed => reopened
2010-09-23 15:15 | peter-endian | Status | feedback => confirmed
2010-09-23 15:18 | peter-endian | Note Added: 0004845
2010-09-23 15:18 | peter-endian | Status | confirmed => resolved
2010-09-23 15:18 | peter-endian | Fixed in Version | => 2.4.1
2010-09-23 15:18 | peter-endian | Resolution | reopened => fixed
2010-11-22 11:51 | peter-endian | Status | resolved => closed

Notes
(0002307)
michaelF   
2009-05-11 09:04   
The problem is still in RC3.
(0002311)
peter-endian   
2009-05-11 10:14   
Seems like this is sort of a broadcast MAC address, so it's quite normal that both answer to the same address.

I don't know which protocol this may be, since the broadcast address is ff:ff:ff:ff:ff:ff, valid unicast MAC addresses start with 00 and multicast addresses with 01.
(0002340)
mike-f   
2009-05-14 12:11   
looks like some kind of cosmetic GUI-issue:
seems the GUI takes only the second part (starting at the first ff) of the output
XX:XX:XX:XX:XX:XX:ff:ff:14:00:03:00

here we masked our own MAC and supplied XX:XX:XX:XX:XX:XX

as taken from
/var/log/firewall

May 11 11:11:11 myhostname ulogd[1111]: DHCP:ACCEPT:17 IN=br0 OUT= MAC=XX:XX:XX:XX:XX:XX:ff:ff:14:00:03:00 SRC=192.168.XXX.XXX DST=192.168.XXX.XXX LEN=328 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=KEY_UDP SPT=68 DPT=67 LEN=308
(0002364)
michaelF   
2009-05-20 08:28   
No, this is no broadcast-problem.
The MAC address ff:ff:14:00:03:00 is ALWAYS shown. There is NO other MAC address shown on the user interface.

Here is a snippet of my log file.

May 19 00:01:15 efw ulogd[908]: OUTGOINGFW:ACCEPT:5 IN=br0 OUT=eth2 MAC=08:00:27:68:67:63:ff:ff:14:00:03:00 SRC=192.168.62.58 DST=217.115.130.105 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=13406 DF PROTO=KEY_TCP SPT=1975 DPT=995 SEQ=2629292597 ACK=0 WINDOW=64240 SYN URGP=0
May 19 00:01:40 efw ulogd[908]: INPUTFW:DROP IN=br0 OUT= MAC=00:c0:02:eb:c6:b7:ff:ff:14:00:03:00 SRC=192.168.62.1 DST=192.168.62.255 LEN=229 TOS=00 PREC=0x00 TTL=30 ID=12919 PROTO=KEY_UDP SPT=138 DPT=138 LEN=209
May 19 00:01:53 efw ulogd[908]: INPUT:DROP IN=eth2 OUT= MAC=00:04:0e:59:73:c3:ff:ff:14:00:03:00 SRC=192.168.20.10 DST=224.0.0.1 LEN=36 TOS=00 PREC=0xC0 TTL=1 ID=5207 DF PROTO=2

I have the feeling that the MAC address in the log file is too long?
I think it should be 6 bytes (= 48 bits), but in the log there are 12 bytes and the viewer shows only the last 6 bytes, which are always the same. I verified that the first 6 bytes are the right MAC address of the devices!

So the problem might be in the log-routine?
(0002375)
mike-f   
2009-05-22 11:58   
(edited on: 2009-05-22 12:10)
the log output is handled by the kernel (netfilter-module)

i don't think it would be useful to change this kind of stuff at that level
(rewriting kernel-modules)

it would rather be easier to review the gui-scripts that give the "wrong" output


change the numbers in /home/httpd/cgi-bin/logs_firewall.cgi
line 265
$macaddr = "$mactemp[6]:$mactemp[7]:$mactemp[8]:$mactemp[9]:$mactemp[10]:$mactemp[11]";


to

$macaddr = "$mactemp[0]:$mactemp[1]:$mactemp[2]:$mactemp[3]:$mactemp[4]:$mactemp[5]";


uploaded a working copy of /home/httpd/cgi-bin/logs_firewall.cgi
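
Added example, not part of the original thread and not Endian's code: a stand-alone Perl script that reproduces the field slicing discussed in notes 0002364 and 0002375 and prints both six-octet slices of the MAC= field side by side. It assumes the ulogd line format shown in note 0002364 (two lines copied from there with trailing fields trimmed, plus one constructed line with an empty MAC= field); the helper names mac_octets and mac_at are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Log lines from note 0002364 on this page (trailing fields trimmed).
my @lines = (
    'May 19 00:01:15 efw ulogd[908]: OUTGOINGFW:ACCEPT:5 IN=br0 OUT=eth2 MAC=08:00:27:68:67:63:ff:ff:14:00:03:00 SRC=192.168.62.58 DST=217.115.130.105 LEN=48',
    'May 19 00:01:40 efw ulogd[908]: INPUTFW:DROP IN=br0 OUT= MAC=00:c0:02:eb:c6:b7:ff:ff:14:00:03:00 SRC=192.168.62.1 DST=192.168.62.255 LEN=229',
    # Constructed line (not from the page): empty MAC= field, to exercise the failure path.
    'May 19 00:02:00 efw ulogd[908]: INPUTFW:DROP IN=lo OUT= MAC= SRC=127.0.0.1 DST=127.0.0.1 LEN=60',
);

# Return the octets of the MAC= field as a list, or an empty list when the
# field is missing, empty, or not made of colon-separated hex pairs.
sub mac_octets {
    my ($line) = @_;
    return () unless $line =~ /\bMAC=((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})(?=\s|$)/;
    return split /:/, lc $1;
}

# Join six octets starting at $offset; return undef when the field is too
# short, instead of silently building a MAC string from missing elements.
sub mac_at {
    my ($offset, @oct) = @_;
    return unless @oct >= $offset + 6;
    return join ':', @oct[$offset .. $offset + 5];
}

for my $line (@lines) {
    my ($src) = $line =~ /\bSRC=(\S+)/;
    my @oct   = mac_octets($line);
    my $first = mac_at(0, @oct);   # indices 0..5, as in the changed line
    my $last  = mac_at(6, @oct);   # indices 6..11, as in the original line 265
    printf "%-15s octets=%-2d first6=%-17s last6=%s\n",
        $src // '-', scalar(@oct), $first // 'n/a', $last // 'n/a';
}
```

The length check matters for any viewer that attributes traffic to a device by MAC: a field with fewer octets than the slice expects is reported as unavailable rather than rendered as a partial address.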

(0002639)
michaelF   
2009-06-18 13:10   
This workaround is not included in Version 2.2!
(0004845)
peter-endian   
2010-09-23 15:18   
it displayed the destination mac address instead of source mac address