0000698: Wrong MAC Address in Firewall Logs - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0000698
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2008-04-22 11:49
Last Update: 2010-11-22 11:51
Reporter: michaelF
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.2-beta3
Target Version:
Fixed in Version: 2.4.1
Summary: 0000698: Wrong MAC Address in Firewall Logs
Description: The "Firewall log viewer" always shows the same MAC address (ff:ff:14:00:03:00) for different IP addresses.

Apr 22 13:27:56 OUTGOINGFW:ACCEPT:6 br2 KEY_UDP 192.168.60.99 2051 ff:ff:14:00:03:00 145.24.129.6 123

Apr 22 13:21:27 OUTGOINGFW:ACCEPT:2 br0 KEY_TCP 192.168.62.59 2480 ff:ff:14:00:03:00 217.115.130.105 25

If I look at "Services", the right MAC address is shown:

192.168.60.99 = 00:04:0e:59:73:c3
192.168.62.59 = 08:00:27:68:67:63
Tags: No tags attached.
Attached Files: logs_firewall.cgi (11,897 bytes) 2009-05-22 12:09

Notes
(0002307)
michaelF (reporter)
2009-05-11 09:04

The problem is still in RC3.
(0002311)
peter-endian (administrator)
2009-05-11 10:14

seems like this is sort of a broadcast mac address, so that's quite normal that both answer to the same address.

I don't know which protocol this may be, since the broadcast address is ff:ff:ff:ff:ff:ff, valid unicast mac addresses start with 00 and multicast addresses with 01
(0002340)
mike-f (updater)
2009-05-14 12:11

looks like some kind of cosmetic GUI-issue:
seems the GUI takes only the second part (starting at the first ff) of the output
XX:XX:XX:XX:XX:XX:ff:ff:14:00:03:00

here we masked our own MAC and supplied XX:XX:XX:XX:XX:XX

as taken from
/var/log/firewall

May 11 11:11:11 myhostname ulogd[1111]: DHCP:ACCEPT:17 IN=br0 OUT= MAC=XX:XX:XX:XX:XX:XX:ff:ff:14:00:03:00 SRC=192.168.XXX.XXX DST=192.168.XXX.XXX LEN=328 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=KEY_UDP SPT=68 DPT=67 LEN=308
(0002364)
michaelF (reporter)
2009-05-20 08:28

No, this is no broadcast problem.
The MAC address ff:ff:14:00:03:00 is ALWAYS shown. There is NO other MAC address shown on the user interface.

Here is a snippet of my log file.

May 19 00:01:15 efw ulogd[908]: OUTGOINGFW:ACCEPT:5 IN=br0 OUT=eth2 MAC=08:00:27:68:67:63:ff:ff:14:00:03:00 SRC=192.168.62.58 DST=217.115.130.105 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=13406 DF PROTO=KEY_TCP SPT=1975 DPT=995 SEQ=2629292597 ACK=0 WINDOW=64240 SYN URGP=0
May 19 00:01:40 efw ulogd[908]: INPUTFW:DROP IN=br0 OUT= MAC=00:c0:02:eb:c6:b7:ff:ff:14:00:03:00 SRC=192.168.62.1 DST=192.168.62.255 LEN=229 TOS=00 PREC=0x00 TTL=30 ID=12919 PROTO=KEY_UDP SPT=138 DPT=138 LEN=209
May 19 00:01:53 efw ulogd[908]: INPUT:DROP IN=eth2 OUT= MAC=00:04:0e:59:73:c3:ff:ff:14:00:03:00 SRC=192.168.20.10 DST=224.0.0.1 LEN=36 TOS=00 PREC=0xC0 TTL=1 ID=5207 DF PROTO=2

I have the feeling that the MAC address in the log file is too long?
I think it should be 6 bytes (= 48 bits), but in the log there are 12 bytes and the viewer shows only the last 6 bytes, which are always the same. I verified that the first 6 bytes are the right MAC address of the devices!

So the problem might be in the log-routine?
(0002375)
mike-f (updater)
2009-05-22 11:58
edited on: 2009-05-22 12:10

the log output is handled by the kernel (netfilter-module)

I don't think it would be useful to change this kind of stuff at that level
(rewriting kernel-modules)

it would rather be easier to review the gui-scripts that give the "wrong" output


change the numbers in /home/httpd/cgi-bin/logs_firewall.cgi
line 265
$macaddr = "$mactemp[6]:$mactemp[7]:$mactemp[8]:$mactemp[9]:$mactemp[10]:$mactemp[11]";


to

$macaddr = "$mactemp[0]:$mactemp[1]:$mactemp[2]:$mactemp[3]:$mactemp[4]:$mactemp[5]";


uploaded a working copy of /home/httpd/cgi-bin/logs_firewall.cgi
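
The index change in note 0002375, as an added example (not part of the original thread or of logs_firewall.cgi), written in Python rather than the CGI's Perl: it splits the MAC= field of the log lines quoted in note 0002364 and compares octets 6-11 with octets 0-5. The function names are assumptions made for this illustration.

```python
import re

# Log lines copied from note 0002364 above (ulogd output in /var/log/firewall).
SAMPLE_LOG = """\
May 19 00:01:15 efw ulogd[908]: OUTGOINGFW:ACCEPT:5 IN=br0 OUT=eth2 MAC=08:00:27:68:67:63:ff:ff:14:00:03:00 SRC=192.168.62.58 DST=217.115.130.105 LEN=48 TOS=00 PREC=0x00 TTL=127 ID=13406 DF PROTO=KEY_TCP SPT=1975 DPT=995 SEQ=2629292597 ACK=0 WINDOW=64240 SYN URGP=0
May 19 00:01:40 efw ulogd[908]: INPUTFW:DROP IN=br0 OUT= MAC=00:c0:02:eb:c6:b7:ff:ff:14:00:03:00 SRC=192.168.62.1 DST=192.168.62.255 LEN=229 TOS=00 PREC=0x00 TTL=30 ID=12919 PROTO=KEY_UDP SPT=138 DPT=138 LEN=209
May 19 00:01:53 efw ulogd[908]: INPUT:DROP IN=eth2 OUT= MAC=00:04:0e:59:73:c3:ff:ff:14:00:03:00 SRC=192.168.20.10 DST=224.0.0.1 LEN=36 TOS=00 PREC=0xC0 TTL=1 ID=5207 DF PROTO=2
"""

MAC_RE = re.compile(r"\bMAC=((?:[0-9a-f]{2}:)*[0-9a-f]{2})\b", re.I)
SRC_RE = re.compile(r"\bSRC=(\S+)")


def mac_octets(line):
    """Return the octets of the MAC= field, or [] if the field is absent or empty."""
    m = MAC_RE.search(line)
    return m.group(1).lower().split(":") if m else []


def viewer_mac(octets, start):
    """Join six octets beginning at index `start`; None if the field is too short."""
    chunk = octets[start:start + 6]
    return ":".join(chunk) if len(chunk) == 6 else None


def mac_by_source(log, start):
    """Map each SRC address to the MAC a viewer would show when slicing at `start`."""
    shown = {}
    for line in log.splitlines():
        octets, src = mac_octets(line), SRC_RE.search(line)
        if octets and src:
            shown[src.group(1)] = viewer_mac(octets, start)
    return shown


def looks_constant(shown):
    """The symptom from this report: several sources, one and the same MAC."""
    macs = set(shown.values()) - {None}
    return len(shown) > 1 and len(macs) == 1


if __name__ == "__main__":
    for label, start in (("octets 6-11", 6), ("octets 0-5", 0)):
        shown = mac_by_source(SAMPLE_LOG, start)
        print(label, shown, "constant:", looks_constant(shown))
```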

(0002639)
michaelF (reporter)
2009-06-18 13:10

This workaround is not included in Version 2.2!
(0004845)
peter-endian (administrator)
2010-09-23 15:18

it displayed the destination mac address instead of source mac address

- Issue History
Date Modified Username Field Change
2008-04-22 11:49 michaelF New Issue
2008-04-22 11:49 michaelF Status new => assigned
2008-04-22 11:49 michaelF Assigned To => peter-endian
2009-05-11 09:04 michaelF Note Added: 0002307
2009-05-11 10:14 peter-endian Note Added: 0002311
2009-05-11 10:14 peter-endian Status assigned => closed
2009-05-11 10:14 peter-endian Resolution open => not fixable
2009-05-14 12:11 mike-f Note Added: 0002340
2009-05-14 12:11 mike-f Status closed => feedback
2009-05-14 12:11 mike-f Resolution not fixable => reopened
2009-05-20 08:28 michaelF Note Added: 0002364
2009-05-22 11:58 mike-f Note Added: 0002375
2009-05-22 12:08 mike-f Note Edited: 0002375
2009-05-22 12:09 mike-f File Added: logs_firewall.cgi
2009-05-22 12:10 mike-f Note Edited: 0002375
2009-05-22 12:11 mike-f Status feedback => resolved
2009-05-22 12:11 mike-f Resolution reopened => fixed
2009-06-18 13:10 michaelF Note Added: 0002639
2009-06-18 13:10 michaelF Status resolved => feedback
2009-06-18 13:10 michaelF Resolution fixed => reopened
2010-09-23 15:15 peter-endian Status feedback => confirmed
2010-09-23 15:18 peter-endian Note Added: 0004845
2010-09-23 15:18 peter-endian Status confirmed => resolved
2010-09-23 15:18 peter-endian Fixed in Version => 2.4.1
2010-09-23 15:18 peter-endian Resolution reopened => fixed
2010-11-22 11:51 peter-endian Status resolved => closed