Date:      Wed, 05 Oct 2005 10:58:48 +0200
From:      Alex de Kruijff <freebsd@akruijff.dds.nl>
To:        Bob Johnson <fbsdlists@gmail.com>
Cc:        bobo1009@mailtest2.eng.ufl.edu, freebsd-questions@freebsd.org
Subject:   Re: IPFW logging and dynamic rules
Message-ID:  <20051005085848.GA807@Alex.lan>
In-Reply-To: <54db439905092908455157e6a3@mail.gmail.com>
References:  <54db439905092908455157e6a3@mail.gmail.com>

On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> like this (plus a lot of other rules):
> 
>    check-state
>    deny tcp from any to any established
>    allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> + other rules that use keep-state
> 
> When I do this, _every_ ssh packet is logged, in both directions.  To
> get it to log ONLY the initial connection, I had to give up on using
> dynamic rules for ssh and instead do something like:
> 
>    allow log tcp from any to ${my-ip} dst-port 22 setup
>    allow tcp from any to ${my-ip} dst-port 22 established
>    allow tcp from ${my-ip} 22 to any established
>    check-state
>    deny tcp from any to any established
> + other rules that use keep-state
> 
> So now I have lost the per-host ssh limit rule I wanted to include,
> and I am filtering packets on flags that can be spoofed
> ("established") rather than the actual dynamic state of the
> connection.  Am I wrong to believe there is an advantage to this?
> 
> Is there some way to get the first version to log only the initial
> packet while still retaining the dynamic limit src-addr rule?

Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about 
setting up a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
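The behaviour the thread is about, as an added illustration that is not part of the original mail or of ipfw itself: a deliberately small Python model of ipfw rule evaluation in which a check-state match executes the parent rule's action (log flag included), which is why a stateful `allow log ... limit` rule logs every packet of the flow. The model then separates the logging onto a stateless `count log ... setup` rule in front of a non-logging stateful allow rule, so only the connection attempt produces a log line while the per-source limit is kept. The addresses, ports and handshake packets are constructed, the count rule is given `setup` here as an assumption about the intended rule set, and the model ignores RST, UDP and the rest of ipfw's semantics.

```python
"""Constructed, simplified model of ipfw rule evaluation (not ipfw code).
It shows why `log` on a stateful rule fires for every packet of a flow and
how a separate stateless `count log ... setup` rule logs only the SYN."""
from dataclasses import dataclass
from typing import Optional

MY_IP = "192.0.2.10"  # constructed address standing in for ${my-ip}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool

    @property
    def is_setup(self) -> bool:        # ipfw 'setup': SYN without ACK
        return self.syn and not self.ack

    @property
    def is_established(self) -> bool:  # ipfw 'established': ACK set (RST ignored here)
        return self.ack


@dataclass
class Rule:
    action: str                      # "allow", "deny", "count" or "check-state"
    log: bool = False
    dst: Optional[str] = None        # None matches any
    dport: Optional[int] = None
    setup: bool = False
    established: bool = False
    limit_src: Optional[int] = None  # 'limit src-addr N'

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (not self.setup or p.is_setup)
                and (not self.established or p.is_established))


def flow_key(p: Packet):
    # Direction-independent so reply packets hit the same dynamic entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}   # flow_key -> (parent rule, originating src)
        self.logged = []    # packets that produced a log line

    def _fire(self, rule: Rule, p: Packet) -> str:
        if rule.log:
            self.logged.append(p)
        return rule.action

    def process(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.action == "check-state":
                entry = self.dynamic.get(flow_key(p))
                if entry is not None:
                    # Dynamic match runs the parent rule's action, log included.
                    return self._fire(entry[0], p)
                continue
            if not rule.matches(p):
                continue
            if rule.limit_src is not None:
                open_from_src = sum(1 for r, src in self.dynamic.values()
                                    if r is rule and src == p.src)
                if open_from_src >= rule.limit_src:
                    return "deny"        # limit reached: packet dropped
                self.dynamic[flow_key(p)] = (rule, p.src)
            verdict = self._fire(rule, p)
            if verdict != "count":       # count does not terminate the search
                return verdict
        return "deny"                    # default deny


def logged_stateful_ruleset():
    # Rule set from the question: the rule that keeps state also logs.
    return [Rule("check-state"),
            Rule("deny", established=True),
            Rule("allow", log=True, dst=MY_IP, dport=22, setup=True, limit_src=3)]


def logged_count_ruleset():
    # Stateless 'count log ... setup' in front; the stateful allow rule does not log.
    return [Rule("count", log=True, dst=MY_IP, dport=22, setup=True),
            Rule("check-state"),
            Rule("deny", established=True),
            Rule("allow", dst=MY_IP, dport=22, setup=True, limit_src=3)]


def handshake(client: str, sport: int):
    # Constructed three-way handshake to port 22 on MY_IP.
    return [Packet(client, sport, MY_IP, 22, syn=True, ack=False),
            Packet(MY_IP, 22, client, sport, syn=True, ack=True),
            Packet(client, sport, MY_IP, 22, syn=False, ack=True)]


def run(rules, packets):
    """Return (per-packet verdicts, number of log lines produced)."""
    fw = Firewall(rules)
    verdicts = [fw.process(p) for p in packets]
    return verdicts, len(fw.logged)


if __name__ == "__main__":
    for name, rules in (("allow log + limit", logged_stateful_ruleset()),
                        ("count log in front", logged_count_ruleset())):
        print(name, run(rules, handshake("198.51.100.7", 40000)))
```

Running it, one handshake through the first rule set yields three log lines, one per packet; through the second it yields a single line for the SYN, and a fourth simultaneous connection from the same client is still refused by the `limit src-addr 3` rule, which is the combination the question asks for.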

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051005085848.GA807>