Date: Mon, 14 Oct 2002 23:42:25 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Maildrop <maildrop@qwest.net>
Cc: "Crist J. Clark" <cjc@FreeBSD.ORG>, freebsd-questions@FreeBSD.ORG
Subject: Re: monitor ALL connections to ALL ports
Message-ID: <20021014224225.GB61025@happy-idiot-talk.infracaninophi>
In-Reply-To: <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net>
References: <20021014205437.GA21823@blossom.cjclark.org> <NGBBIILBAKIFGHHCHOHPEEOMFJAA.maildrop@qwest.net>
On Mon, Oct 14, 2002 at 05:09:43PM -0500, Maildrop wrote:

> I want to log all connections, regardless if they failed or
> succeeded, regardless if they have a daemon running on that port or
> not.

The only way I can think of to achieve what you want -- logging every
packet received by your machine -- is to use ipfw(8) and add the 'log'
keyword to all appropriate rules. You'll need to have a lot of space in
/var and bump up the net.inet.ip.fw.verbose_limit sysctl to some huge
limit and run 'ipfw resetlog' at regular intervals (or ipfw(8) will quit
logging packets --- that's a measure introduced to prevent the blackhats
DoS'ing a machine by causing so many log messages to be generated it
fills up the disk).

You understand that if you make any significant use of networking on
your machine, configuring ipfw(8) in that way will result in you being
drowned in such a flood of log messages you probably won't be able to
cope.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
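The setup Matthew describes, written out as an added example (this is not code from the original message or from the FreeBSD project). The first function prints the ipfw(8) rule set with the 'log' keyword on every rule plus the sysctl bump he mentions; it only prints, so the commands can be reviewed before being piped into sh on the host. The second function reads ipfw syslog lines and tallies them per destination port, which is the minimum you need to make the resulting flood readable. The interface name fxp0, the log path, and the sample log lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the original mail. Assumptions: the outside
# interface is fxp0 and ipfw log lines arrive via syslog in the usual
# "ipfw: <rule> <action> <proto> <src> <dst> <dir> via <if>" form.

IFACE="${IFACE:-fxp0}"   # assumed interface name

# Print (do not execute) the ipfw(8) commands. Every rule carries 'log',
# and verbose_limit is raised because the kernel stops logging a rule once
# its counter reaches that limit; 'ipfw resetlog' (from cron) clears it.
ipfw_logging_rules() {
    cat <<EOF
sysctl net.inet.ip.fw.verbose=1
sysctl net.inet.ip.fw.verbose_limit=1000000
ipfw -q flush
ipfw add 100 allow log ip from any to any via lo0
ipfw add 200 allow log ip from any to any in via $IFACE
ipfw add 300 allow log ip from any to any out via $IFACE
ipfw add 65000 allow log ip from any to any
EOF
}

# Read ipfw syslog lines on stdin and print "<dst-port> <count>", busiest
# first. ICMP lines carry no port and are tallied under "-".
count_by_dst_port() {
    awk '/ipfw: / {
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        # fields after "ipfw:": rule action proto src dst direction via ifname
        dst = $(i + 5)
        n = split(dst, parts, ":")
        port = (n > 1) ? parts[n] : "-"
        counts[port]++
    }
    END { for (p in counts) print p, counts[p] }' | sort -k2,2nr -k1,1
}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG='Oct 14 23:40:01 gw kernel: ipfw: 200 Accept TCP 192.0.2.10:51234 198.51.100.5:22 in via fxp0
Oct 14 23:40:02 gw kernel: ipfw: 200 Accept TCP 192.0.2.11:40000 198.51.100.5:22 in via fxp0
Oct 14 23:40:03 gw kernel: ipfw: 200 Accept UDP 192.0.2.12:5353 198.51.100.5:53 in via fxp0
Oct 14 23:40:04 gw kernel: ipfw: 200 Accept ICMP:8.0 192.0.2.13 198.51.100.5 in via fxp0
Oct 14 23:40:05 gw kernel: ipfw: 300 Accept TCP 198.51.100.5:22 192.0.2.10:51234 out via fxp0'

# Run with "demo" to see the rule set and the per-port summary of the sample.
if [ "${1:-}" = "demo" ]; then
    ipfw_logging_rules
    echo "--- destination ports in sample log ---"
    printf '%s\n' "$SAMPLE_LOG" | count_by_dst_port
fi
```

On a live host the summary would be fed from /var/log/security (the usual destination for ipfw messages); the demo only reads the constructed lines above. Each log line here is roughly 90 bytes, so the verbose_limit of one million corresponds to about 90 MB per rule between resets, which gives a concrete sense of the /var space Matthew warns about.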