Limit the packet length
fw monitor can limit the amount of packet data which will be read from the kernel. The option -l is used for this purpose. fw monitor will only read as many bytes from the kernel as you specified for the -l option. Please make sure to capture at least as many bytes so that the IP and transport headers are included.
Using UUIDs and SUUIDs
UUIDs (universal unique identifiers) are a new feature in NG. The firewall assigns a UUID to every connection passing the firewall. This UUID is kept through all firewall operations. Therefore you can follow a connection through the firewall even if the packet content is NAT'ed. The UUID is also kept in the connection table entry for the connection.
Additionally there is the concept of an SUUID (Session UUID). For services which are using several connections (e.g. FTP) every connection has a unique UUID but the SUUID is equal for all the connections (it's the same as the first/control connection's UUID).
UUIDs and SUUIDs are very helpful for tracking a connection through the different chain modules of the firewall. Even if a connection is NAT'ed the UUID or SUUID remains the same. Therefore filtering for the UUID or SUUID helps you to find all packets belonging to a connection or session, even if the packets change.
Please note that the first packet of a connection or session has no UUID or SUUID assigned yet (UUID/SUUID is all zero). After the first packet has been processed by the firewall a UUID or SUUID is assigned and will remain the same for the whole connection/session.
A UUID is built from four 32-bit values using a timestamp, a counter, the firewall IP address and a process ID. From this 128-bit value a smaller 32-bit value is constructed which is printed as well. Please refer to "UUID format" for detailed information.
The UUID/SUUID is printed in front of the IP information. The first value is the stripped UUID (32-bit). The second value is the complete UUID (128-bit).
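Parsing the UUID prefix and following a NAT'ed connection by it, as an added example that is not part of the original document: the fw monitor line layout, the order of the four 32-bit UUID fields (timestamp, counter, firewall IP, process ID) and the sample capture are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed fw monitor output (line layout assumed): stripped 32-bit UUID, then the
# complete 128-bit UUID as four 32-bit words, then the IP information. The first packet
# still carries an all-zero UUID; later packets keep their UUID across the source NAT.
SAMPLE = """\
[ 0x00000000 ] [ 0x00000000 , 0x00000000 , 0x00000000 , 0x00000000 ] eth0:i[60]: 10.1.1.5 -> 192.0.2.10 (TCP) len=60 id=1
[ 0x1a2b3c4d ] [ 0x5f3e1a00 , 0x00000007 , 0xc0a80101 , 0x00001f40 ] eth0:I[60]: 10.1.1.5 -> 192.0.2.10 (TCP) len=60 id=1
[ 0x1a2b3c4d ] [ 0x5f3e1a00 , 0x00000007 , 0xc0a80101 , 0x00001f40 ] eth1:o[60]: 203.0.113.7 -> 192.0.2.10 (TCP) len=60 id=1
[ 0x1a2b3c4d ] [ 0x5f3e1a00 , 0x00000007 , 0xc0a80101 , 0x00001f40 ] eth1:O[60]: 203.0.113.7 -> 192.0.2.10 (TCP) len=60 id=1
[ 0x99887766 ] [ 0x5f3e1a05 , 0x00000008 , 0xc0a80101 , 0x00001f40 ] eth0:I[52]: 10.1.1.9 -> 192.0.2.20 (UDP) len=52 id=2
"""

HEX = r"0x[0-9a-f]{8}"
LINE_RE = re.compile(
    rf"\[\s*(?P<uuid32>{HEX})\s*\]\s*\[\s*(?P<words>(?:{HEX}\s*,?\s*){{4}})\]\s*"
    rf"(?P<iface>\w+):(?P<pos>[iIoO])\[\d+\]:\s*(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)",
    re.IGNORECASE,
)

def decode_uuid(words):
    """Split the 128-bit UUID into four fields; the assumed order is timestamp, counter, firewall IP, PID."""
    ts, counter, fw_ip, pid = (int(w, 16) for w in words)
    return {"timestamp": ts, "counter": counter,
            "fw_ip": str(ipaddress.IPv4Address(fw_ip)), "pid": pid}

def parse_line(line):
    """Return one packet record, or None for a line without the UUID prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["uuid"] = decode_uuid(re.findall(HEX, rec.pop("words"), re.IGNORECASE))
    rec["unassigned"] = int(rec["uuid32"], 16) == 0  # first packet: no UUID yet
    return rec

def group_by_uuid(text):
    """Group packets by stripped UUID, the value you filter on to follow a connection."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            groups[rec["uuid32"]].append(rec)
    return dict(groups)

def endpoints_seen(records):
    """Distinct (src, dst) pairs under one UUID; more than one means the packets were NAT'ed."""
    return {(r["src"], r["dst"]) for r in records}
```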
How to use fw monitor Page 17 of 70
Revision: 1.01