What do firewall log codes mean?
You may encounter the following event names in the ESET Firewall log.
Rule definition file not loaded – EPFW module is not properly loaded.
No usable rule found – Incoming connections in automatic mode don’t match any rule, therefore they are denied by default.
Incorrect Ethernet packet – A packet that is too short was received: it cannot contain a valid Ethernet or IP/IPv6 header.
Incorrect IP packet length – Packet is shorter than indicated in its IPv4/IPv6 header, or the packet is ICMP and is too short to contain an ICMP header.
Incorrect IP packet checksum – Wrong checksum in IPv4 header. Checksum validation must be enabled in advanced options (separate for in and out).
Incorrect TCP packet length – TCP packet is too short to contain a TCP header.
Incorrect TCP packet checksum – Wrong checksum in TCP header. Checksum validation must be enabled in advanced options (separate for in and out).
Incorrect UDP packet length – UDP packet is too short to contain UDP header.
Suspicious IP packet fragment – Suspicious fragmentation according to RFC1858.
Unknown IP packet version – Wrong IP version indicated in IPv4 packet.
Incorrect UDP packet checksum – Wrong checksum in UDP header. Checksum validation must be enabled in advanced options (separate for in and out).
No application listening on the port – Connection attempt to a port where no application listens. This event is logged regardless of whether the connection would have been allowed or denied had an application been listening.
Communication denied by rule – Rule with LOG action was matched, or “Log all blocked” is selected in the Troubleshooting section.
Communication allowed by rule – Rule with LOG action was matched.
Decision on allowing communication delegated to user – Rule with LOG action was matched.
Detected attack against security hole – Malicious data is being transferred in an application protocol (such as DCE/RPC or SMB).
Attempt to attack this computer by worm – Malicious data is being transferred in an application protocol (such as DCE/RPC or SMB).
Attempt to send worm from this computer – Malicious data is being transferred in an application protocol (such as DCE/RPC or SMB).
Detected Port Scanning attack – Someone is trying to connect to many different ports on your computer within a short period of time.
Detected ARP cache poisoning attack – Someone is trying to update your ARP cache with a different MAC address than is already cached.
Detected DNS cache poisoning attack – A DNS reply was received that was not requested (it usually contains different domain addresses).
Detected ICMP Flooding attack – Received many ICMP packets from one particular IP within a short time.
Detected TCP Flooding attack – Received many TCP SYN packets (connection requests) from one particular IP within a short time.
Identical IP addresses detected in network – Two ARP replies for one particular IP address, each carrying a different MAC address (the standardized hardware address assigned to a network interface for communication on the physical network), were received within a short period of time.
TCP packet not belonging to any open connection – TCP packet does not belong to any existing flow.
Detected covert channel exploit in ICMP packet – Unexpected data found in ICMP echo messages. The user might have an application that implements PING, or might be running Linux as a virtual computer. Allowing communication for bridged connections can help avoid false positives from virtual computers.
Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets, or a zero port number in TCP/UDP.
Address temporarily blocked by active defense (IDS) – The IP address was previously blocked by Active defense. The option to block unsafe addresses after detection must be enabled.
Packet blocked by active defense (IDS) – Packet was blocked by the IDS without a specific reason. You should not normally see this event.
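As an added illustration (not part of the ESET documentation), the Python sketch below shows how the packet-sanity events above (Incorrect Ethernet packet, Incorrect IP packet length, Unknown IP packet version, Incorrect IP packet checksum, Incorrect TCP/UDP packet length) can be derived from raw IPv4-over-Ethernet frames. The frame builder and sample frames are constructed here, and the exact checks ESET performs are assumed, not taken from the product.

```python
import struct

ETH_HDR = 14                       # Ethernet header length
ETHERTYPE_IPV4 = 0x0800
MIN_L4_LEN = {1: 8, 6: 20, 17: 8}  # ICMP, TCP, UDP minimum header sizes (assumed thresholds)

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header (checksum field included) folds to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_frame(frame: bytes, verify_checksum: bool = True):
    """Return the log event name that applies to an IPv4-over-Ethernet frame, or None if it passes."""
    if len(frame) < ETH_HDR + 20:               # cannot hold Ethernet + minimal IPv4 header
        return "Incorrect Ethernet packet"
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                              # only IPv4 is handled in this example
    ip = frame[ETH_HDR:]
    if ip[0] >> 4 != 4:                          # EtherType says IPv4 but version nibble disagrees
        return "Unknown IP packet version"
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or len(ip) < ihl or len(ip) < total_len or total_len < ihl:
        return "Incorrect IP packet length"      # shorter than its own header claims
    if verify_checksum and ipv4_checksum(ip[:ihl]) != 0:   # mirrors the "validation enabled" option
        return "Incorrect IP packet checksum"
    proto, payload = ip[9], ip[ihl:total_len]
    if proto in MIN_L4_LEN and len(payload) < MIN_L4_LEN[proto]:
        return {1: "Incorrect IP packet length",  # missing ICMP header is logged under IP length
                6: "Incorrect TCP packet length",
                17: "Incorrect UDP packet length"}[proto]
    return None

def build_ipv4_frame(proto: int, payload: bytes, total_len=None) -> bytes:
    """Constructed sample: Ethernet + IPv4 header with a correct checksum, for demos and tests."""
    total_len = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload
```

Passing a frame with total_len larger than the bytes actually present, or corrupting a header byte after the checksum was computed, reproduces the length and checksum events respectively.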