All security-related events are logged to the security log. The security log file is located in the WinRoute Pro/logs directory. The security log can also be accessed from the WinRoute administration program from view -> logs -> security log. Note that the security log window is limited to 500 lines of data. When the limit is reached, old entries are replaced by new entries.
Explanation of NAT Log events
[21/May/2002 18:17:05] NAT: Attempt to establish TCP connection through NAT (in). The following line contains suspicious packet dump:
[21/May/2002 18:17:05] NAT: + proto:TCP, len:62, ip+port:192.168.10.1:3051 -> 10.10.10.1:139, flags: SYN , seq:33710428 ack:0, win:65535, tcplen:0
The preceding log entry includes, from left to right, a time stamp, the module responsible for the log event (NAT), the protocol (TCP), the direction (in), the action taken (dump = drop), the source IP and port (192.168.10.1:3051), the destination IP and port (10.10.10.1:139), and, if the protocol is TCP, the flag (SYN). The remaining data is TCP-specific information such as the sequence number, window size, and TCP length. In the advanced security options of the WinRoute administration you may choose to send a denying response or to silently discard the packet. In either case the log data will look similar to the sample above.
[23/May/2002 11:23:31] NAT advanced: ACL 0:0 LAN: do nat with 10.0.0.104 packet out UDP 10.0.0.103:1075 -> 10.0.0.1:1900
The preceding log event was generated by an advanced NAT rule. The access control list (ACL) is a specific reference maintained internally to WinRoute. (LAN) in this case refers to the name of the interface as indicated within the interface table. The remaining information indicates the translated source address followed by the original source and destination addresses.
Explanation of Packet Filter log events
[22/May/2002 17:32:27] Packet filter: ACL 1:1 INTERNET: deny packet in id=20122827 : TCP 67.114.19.218:64632 -> 24.219.8.236:113
[22/May/2002 17:31:30] Packet filter: ACL 1:0 INTERNET: permit packet in id=20122681 : TCP 67.114.19.218:64624 -> 24.219.8.236:25
The information displayed in these logs includes the time stamp, the Packet Filter rule access control list, the action taken (permit/deny/drop), the packet id, the protocol, and the source and destination IP addresses. If the protocol is UDP or TCP, each IP address is followed by the port number. Note that the ACL reference gives the interface number first, followed by the rule number. These numbers are assigned and maintained internally by WinRoute.
[23/May/2002 11:04:23] Anti spoofing: LAN: mode net, drop packet TCP 64.12.25.64:5190 -> 10.0.0.103:1041
The preceding log event was generated by an anti-spoofing rule. Only rejected traffic will be logged. The only available action is to drop traffic rejected by the anti-spoofing rule.
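The Packet filter line layout described above can be parsed mechanically when reviewing an exported security log. The following is an added example, not part of WinRoute or of the original page; the regular expression is derived only from the sample lines shown here, the function names are hypothetical, and accepting "out" as a direction is an assumption based on the NAT advanced sample.

```python
import re
from collections import Counter
from datetime import datetime

# Layout taken from the two Packet filter sample lines on this page.
# "out" as a direction is an assumption (seen only in the NAT advanced sample).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Packet filter: "
    r"ACL (?P<iface_no>\d+):(?P<rule_no>\d+) (?P<iface>[^:]+): "
    r"(?P<action>permit|deny|drop) packet (?P<direction>in|out) "
    r"id=(?P<packet_id>\d+) : (?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+)\s*$"
)

def split_endpoint(endpoint, proto):
    """Return (ip, port); port is None unless the protocol is TCP or UDP."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        ip, _, port = endpoint.rpartition(":")
        return ip, int(port)
    return endpoint, None

def parse_packet_filter(line):
    """Parse one Packet filter line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y %H:%M:%S")
    # ACL is interface number first, then rule number.
    rec["acl"] = (int(rec.pop("iface_no")), int(rec.pop("rule_no")))
    rec["packet_id"] = int(rec["packet_id"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"), rec["proto"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"), rec["proto"])
    return rec

def blocked_by_rule(lines):
    """Count deny/drop events per (interface number, rule number, destination port)."""
    hits = Counter()
    for line in lines:
        rec = parse_packet_filter(line)
        if rec and rec["action"] in ("deny", "drop"):
            hits[rec["acl"] + (rec["dst_port"],)] += 1
    return hits

# Sample lines copied from this page; the last one is not a Packet filter event.
SAMPLE = [
    "[22/May/2002 17:32:27] Packet filter: ACL 1:1 INTERNET: deny packet in id=20122827 : TCP 67.114.19.218:64632 -> 24.219.8.236:113",
    "[22/May/2002 17:31:30] Packet filter: ACL 1:0 INTERNET: permit packet in id=20122681 : TCP 67.114.19.218:64624 -> 24.219.8.236:25",
    "[23/May/2002 11:04:23] Anti spoofing: LAN: mode net, drop packet TCP 64.12.25.64:5190 -> 10.0.0.103:1041",
]

if __name__ == "__main__":
    for key, count in blocked_by_rule(SAMPLE).items():
        print(key, count)
```

Grouping blocked packets by ACL and destination port shows which rule is doing the blocking and which services are being probed, without relying on the 500-line log window.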
Explanation of Administrative events
WinRoute logs service startup and termination as well as each login to the administration (failed or successful). There are also occasional security-related messages that WinRoute has been preprogrammed to display when certain events occur.