Re: MAC Addresses in Logfile Entries

> Some of our log entries contain MAC addresses, like this:
> Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT=
> MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX
> DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP
> SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0
> While others don't:
> Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1
> SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225
> DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0
>
> I see the "OUT" field in the latter contains "eth1" instead of a MAC
> address.
>
> Can someone elaborate on the difference here? Thanks.

I've been experiencing this behavior for a while already, and from what I can see,
I will see the MAC address in the log ONLY if the packet was destined
for the local machine (or was generated BY the machine), but I will never see
MACs if the packet logged was for another machine than the firewall.

If somebody can confirm...

Eric Poulin
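
An added example, not part of the original thread: a parser for LOG-target entries like the two quoted above. It splits the `MAC=` field, which is a dump of the packet's 14-byte Ethernet header (destination MAC, source MAC, EtherType), and returns no link-layer data for entries that lack it. The function names and the `FLAGS` set are assumptions of this example.

```python
import re

# The two entries quoted in the thread, joined onto single lines
# (addresses masked as posted).
SAMPLE_LOG = """\
Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT= MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0
Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1 SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225 DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value, value may be empty (OUT=)
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def split_mac(value):
    """Split a 14-octet Ethernet header dump; None if absent or malformed."""
    octets = value.lower().split(":")
    if len(octets) != 14 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        return None
    return {
        "dst_mac": ":".join(octets[:6]),       # first 6 octets: destination
        "src_mac": ":".join(octets[6:12]),     # next 6 octets: source
        "ethertype": "0x" + "".join(octets[12:]),  # 0x0800 is IPv4
    }


def parse_entry(line):
    """Parse one kernel LOG line into prefix, fields, flags and link-layer data."""
    _, sep, payload = line.partition(" kernel: ")
    start = re.search(r"\bIN=", payload) if sep else None
    if start is None:
        return None                            # not a netfilter LOG entry
    rest = payload[start.start():]
    fields = dict(FIELD_RE.findall(rest))
    return {
        "prefix": payload[:start.start()].strip(),   # the rule's --log-prefix text
        "fields": fields,
        "flags": [tok for tok in rest.split() if tok in FLAGS],
        "link": split_mac(fields.get("MAC", "")),
    }


def parse_log(text):
    """Parse every recognisable entry in a block of log text."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry["prefix"], entry["fields"]["IN"], entry["fields"]["OUT"] or "-", entry["link"])
```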



