Creating logs

WinRoute can reject inbound packets either through NAT or through Packet Filtering. It is important to note that WinRoute treats these as separate components: NAT may allow some traffic to pass while a packet filter rule denies the same packet. The reverse is true as well; a packet filter rule may allow some traffic while NAT denies the same traffic.

Creating NAT log data

By default, neither the NAT nor the Packet Filter facility logs to the security log. To enable logging of traffic denied through NAT, open Settings -> Advanced -> Security Options in the WinRoute administration program. In this dialog, "NAT Logging Options" lets you log inbound TCP or UDP packets that have no entry in the NAT table. This information can be logged to the security log file and/or the security log window; the log data itself is explained in the next section, 'Viewing logs'. For most users it is recommended to log only TCP packets with the SYN flag set. This records every inbound connection attempt, such as an external port probe. Logging all TCP packets will usually also log packets whose entries have timed out from the NAT table. Logging UDP can likewise create a large amount of extraneous log data; for example, NetBIOS broadcasts can produce several lines per minute.

Creating Packet Filter log data

When creating packet filter rules you have the option to log to the security log file and/or the security log window. Any IP protocol can be logged. When creating logged filter rules, log only relevant information. For example, assume you have opened ports 23 and 80 through NAT using the port mapping feature. It may be beneficial to log the IP address of each connection to these services. In this example you would create two logged packet filter rules that allow inbound access to the NAT'd interface where the destination port is 23 or 80 and the TCP flag is 'establishing'.


In some network configurations you may have a policy that allows the local network Internet access for specific protocols while all other IP traffic is denied by a catch-all rule at the bottom of the list. Depending on what the rules above the catch-all permit, logging the catch-all rule itself may not be useful, since it would record every stray packet. As an alternative, consider placing a TCP deny rule just above the catch-all rule that logs restricted connection attempts from the LAN to the Internet.
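The three logging choices described above (the NAT logging options, logged permit rules for mapped ports, and a logged TCP deny rule placed above an unlogged catch-all) can be checked against sample traffic before they are applied. The following is an added example, not WinRoute's own code or data format: the `Packet` and `Rule` classes, the first-match evaluation, the sample NAT table and all the traffic are constructed here to model the behaviour the page describes, and the assumption that traffic matching no filter rule is permitted is what makes the catch-all deny rule necessary in the model.

```python
"""Model of WinRoute's two independent logging switches (NAT logging options and
logged packet filter rules). Added example with constructed data, not WinRoute code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP" or "UDP"
    src: str
    dst: str
    dport: int
    syn: bool = False     # TCP SYN, i.e. a new connection attempt ('establishing')
    inbound: bool = True  # True: arrives on the Internet-facing interface


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    proto: Optional[str] = None          # None matches any IP protocol
    inbound: Optional[bool] = None       # None matches either direction
    dport: Optional[int] = None
    establishing: Optional[bool] = None  # True: only TCP SYN packets
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return all((
            self.proto is None or self.proto == p.proto,
            self.inbound is None or self.inbound == p.inbound,
            self.dport is None or self.dport == p.dport,
            self.establishing is None or (p.proto == "TCP" and p.syn == self.establishing),
        ))


def nat_log(p: Packet, nat_table: set, tcp_syn: bool = True,
            tcp_all: bool = False, udp: bool = False) -> bool:
    """'NAT Logging Options': log inbound TCP/UDP packets with no NAT table entry.
    nat_table holds (proto, dst_port) tuples for port-mapped services (constructed)."""
    if not p.inbound or (p.proto, p.dport) in nat_table:
        return False
    if p.proto == "TCP":
        return tcp_all or (tcp_syn and p.syn)
    return p.proto == "UDP" and udp


def nat_log_count(traffic: list, nat_table: set, **opts) -> int:
    return sum(nat_log(p, nat_table, **opts) for p in traffic)


def filter_packet(p: Packet, rules: list) -> tuple:
    """First matching rule decides; returns (action, log line or None).
    Model assumption: a packet matching no rule is permitted."""
    for r in rules:
        if r.matches(p):
            line = f"{r.name}: {r.action} {p.proto} {p.src} -> {p.dst}:{p.dport}" if r.log else None
            return r.action, line
    return "permit", None


def filter_logs(rules: list, traffic: list) -> list:
    return [line for p in traffic for _, line in [filter_packet(p, rules)] if line]


# Constructed NAT table: ports 23 and 80 are mapped to an internal host.
NAT_TABLE = {("TCP", 23), ("TCP", 80)}

# Constructed inbound traffic seen on the Internet-facing interface.
INBOUND = [
    Packet("TCP", "198.51.100.7", "203.0.113.5", 23, syn=True),    # mapped: never logged by NAT
    Packet("TCP", "198.51.100.9", "203.0.113.5", 445, syn=True),   # port probe: SYN, no entry
    Packet("TCP", "198.51.100.3", "203.0.113.5", 1025),            # stray packet after NAT timeout
    Packet("UDP", "198.51.100.4", "203.0.113.5", 137),             # NetBIOS noise
]

# Logged permit rules for the two mapped services (the page's port 23/80 example).
INBOUND_RULES = [
    Rule("telnet-in", "permit", proto="TCP", inbound=True, dport=23, establishing=True, log=True),
    Rule("http-in", "permit", proto="TCP", inbound=True, dport=80, establishing=True, log=True),
]

# LAN policy: DNS and HTTP out, a logged TCP deny for connection attempts, then
# an unlogged catch-all deny. The deny rule matches only SYN so it logs one line
# per attempt rather than one per packet (design choice in this model).
LAN_RULES = [
    Rule("dns-out", "permit", proto="UDP", inbound=False, dport=53),
    Rule("http-out", "permit", proto="TCP", inbound=False, dport=80),
    Rule("tcp-deny-log", "deny", proto="TCP", inbound=False, establishing=True, log=True),
    Rule("catch-all", "deny"),
]

OUTBOUND = [
    Packet("UDP", "192.168.1.10", "198.51.100.1", 53, inbound=False),
    Packet("TCP", "192.168.1.10", "198.51.100.2", 80, syn=True, inbound=False),
    Packet("TCP", "192.168.1.11", "198.51.100.8", 23, syn=True, inbound=False),  # restricted attempt
    Packet("TCP", "192.168.1.11", "198.51.100.8", 23, inbound=False),            # non-SYN, not logged
    Packet("UDP", "192.168.1.12", "192.168.1.255", 137, inbound=False),          # broadcast, not logged
]

if __name__ == "__main__":
    print("NAT log lines, TCP SYN only:", nat_log_count(INBOUND, NAT_TABLE))
    print("NAT log lines, all TCP:     ", nat_log_count(INBOUND, NAT_TABLE, tcp_all=True))
    print("NAT log lines, +UDP:        ", nat_log_count(INBOUND, NAT_TABLE, udp=True))
    print("Mapped-service log:", filter_logs(INBOUND_RULES, INBOUND))
    print("LAN policy log:    ", filter_logs(LAN_RULES, OUTBOUND))
```

Running it shows the trade-off the page describes: with the recommended SYN-only setting the four inbound packets produce a single NAT log line (the probe of port 445), enabling all-TCP adds the stray post-timeout packet, enabling UDP adds the NetBIOS line, and the mapped telnet connection is recorded by its own logged filter rule rather than by NAT. On the LAN side only the restricted telnet attempt is logged; the non-SYN packet and the broadcast fall through to the unlogged catch-all.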
