From owner-freebsd-questions@FreeBSD.ORG Wed Oct 5 08:58:55 2005
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C5E9416A41F for ; Wed, 5 Oct 2005 08:58:55 +0000 (GMT) (envelope-from freebsd@akruijff.dds.nl)
Received: from smtp16.wxs.nl (smtp16.wxs.nl [195.121.6.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA3E443D5C for ; Wed, 5 Oct 2005 08:58:51 +0000 (GMT) (envelope-from freebsd@akruijff.dds.nl)
Received: from smtp.planet.nl (ip51cc8423.speed.planet.nl [81.204.132.35]) by smtp16.wxs.nl (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with ESMTP id <0INV004VWQA2EA@smtp16.wxs.nl> for freebsd-questions@freebsd.org; Wed, 05 Oct 2005 10:58:50 +0200 (CEST)
Received: from Alex.lan (localhost [127.0.0.1]) by smtp.planet.nl (8.13.3/8.13.3) with ESMTP id j958wn2O001020; Wed, 05 Oct 2005 10:58:49 +0200
Received: (from akruijff@localhost) by Alex.lan (8.13.3/8.13.3/Submit) id j958wmXr001019; Wed, 05 Oct 2005 10:58:48 +0200
Content-return: prohibited
Date: Wed, 05 Oct 2005 10:58:48 +0200
From: Alex de Kruijff
In-reply-to: <54db439905092908455157e6a3@mail.gmail.com>
To: Bob Johnson
Message-id: <20051005085848.GA807@Alex.lan>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
User-Agent: Mutt/1.4.2.1i
References: <54db439905092908455157e6a3@mail.gmail.com>
X-Authentication-warning: Alex.lan: akruijff set sender to freebsd@akruijff.dds.nl using -f
Cc: bobo1009@mailtest2.eng.ufl.edu, freebsd-questions@freebsd.org
Subject: Re: IPFW logging and dynamic rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd@akruijff.dds.nl
List-Id: User questions
X-List-Received-Date: Wed, 05 Oct 2005 08:58:55 -0000

On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
> like this (plus a lot of other rules):
>
> check-state
> deny tcp from any to any established
> allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
> + other rules that use keep-state
>
> When I do this, _every_ ssh packet is logged, in both directions. To
> get it to log ONLY the initial connection, I had to give up on using
> dynamic rules for ssh and instead do something like:
>
> allow log tcp from any to ${my-ip} dst-port 22 setup
> allow tcp from any to ${my-ip} dst-port 22 established
> allow tcp from ${my-ip} 22 to any established
> check-state
> deny tcp from any to any established
> + other rules that use keep-state
>
> So now I have lost the per-host ssh limit rule I wanted to include,
> and I am filtering packets on flags that can be spoofed
> ("established") rather than the actual dynamic state of the
> connection. Am I wrong to believe there is an advantage to this?
>
> Is there some way to get the first version to log only the initial
> packet while still retaining the dynamic limit src-addr rule?

Yes, you could use count instead of allow.

check-state
count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

-- 
Alex

Please copy the original recipients, otherwise I may not read your reply.

Howto's based on my personal use, including information about setting up
a firewall and creating traffic graphs with MRTG
http://www.kruijff.org/alex/FreeBSD/
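The behaviour Bob describes follows from one documented ipfw(8) fact: when `check-state` finds a matching dynamic rule, the firewall executes the action of the rule that created that dynamic rule, `log` included. The toy model below is an added example, not ipfw itself and not code from either poster; it runs Bob's two rulesets over a constructed SSH handshake and one constructed spoofed packet so the difference is visible. It models only what the thread needs (`setup`, `established`, `log`, `limit src-addr N`, `check-state`, implicit deny at the end), assumes RFC 5737 documentation addresses for `${my-ip}` and the hosts, never expires state, and does not model `count`.

```python
"""Toy model of the ipfw semantics behind the thread: dynamic-rule matches run
the creating rule's action (so its 'log' fires on every packet), while
'established' is only a TCP flag any sender can set.  Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                     # "allow", "deny" or "check-state"
    src: Optional[str] = None       # None means "any"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    setup: bool = False             # SYN without ACK
    established: bool = False       # ACK set: a flag, not connection state
    log: bool = False
    limit: Optional[int] = None     # "limit src-addr N": installs dynamic state


def flow_key(p: Packet) -> frozenset:
    # Direction-independent 4-tuple so reply packets hit the same state entry.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic: Dict[frozenset, Tuple[int, str]] = {}  # flow -> (parent rule, src)
        self.log: List[Tuple[int, Packet]] = []               # every 'log' hit

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        for want, have in ((r.src, p.src), (r.sport, p.sport), (r.dst, p.dst), (r.dport, p.dport)):
            if want is not None and want != have:
                return False
        if r.setup and not (p.syn and not p.ack):
            return False
        if r.established and not p.ack:
            return False
        return True

    def _do_action(self, idx: int, p: Packet) -> str:
        r = self.rules[idx]
        if r.log:                     # logging is part of the action, so a
            self.log.append((idx, p)) # dynamic match logs too
        return r.action

    def process(self, p: Packet) -> str:
        for idx, r in enumerate(self.rules):
            if r.action == "check-state":
                hit = self.dynamic.get(flow_key(p))
                if hit is not None:
                    return self._do_action(hit[0], p)   # parent rule's action
                continue
            if not self._matches(r, p):
                continue
            if r.limit is not None and flow_key(p) not in self.dynamic:
                open_conns = sum(1 for i, s in self.dynamic.values() if i == idx and s == p.src)
                if open_conns >= r.limit:
                    return "deny"                        # limit reached: drop
                self.dynamic[flow_key(p)] = (idx, p.src)
            return self._do_action(idx, p)
        return "deny"                                    # implicit final deny


MY_IP = "192.0.2.10"        # stands in for ${my-ip}; assumed, RFC 5737 range
CLIENT = "198.51.100.7"     # assumed SSH client

dynamic_ruleset = [
    Rule("check-state"),
    Rule("deny", established=True),
    Rule("allow", dst=MY_IP, dport=22, setup=True, log=True, limit=3),
]
flag_ruleset = [
    Rule("allow", dst=MY_IP, dport=22, setup=True, log=True),
    Rule("allow", dst=MY_IP, dport=22, established=True),
    Rule("allow", src=MY_IP, sport=22, established=True),
    Rule("check-state"),
    Rule("deny", established=True),
]


def ssh_handshake(sport: int) -> List[Packet]:
    """Constructed SYN, SYN+ACK, ACK and first data segment of one session."""
    return [
        Packet(CLIENT, sport, MY_IP, 22, syn=True),
        Packet(MY_IP, 22, CLIENT, sport, syn=True, ack=True),
        Packet(CLIENT, sport, MY_IP, 22, ack=True),
        Packet(CLIENT, sport, MY_IP, 22, ack=True),
    ]


def run(rules: List[Rule], packets: List[Packet]) -> Tuple[List[str], int]:
    """Verdict per packet and how many packets the ruleset logged."""
    fw = Firewall(rules)
    return [fw.process(p) for p in packets], len(fw.log)


def limit_demo(rules: List[Rule], n_conns: int) -> List[str]:
    """Verdict of the SYN of each of n_conns sessions from the same client."""
    fw = Firewall(rules)
    return [fw.process(Packet(CLIENT, 40000 + i, MY_IP, 22, syn=True)) for i in range(n_conns)]


# Constructed attacker packet: ACK set, no SYN ever seen, no dynamic state.
SPOOFED = Packet("203.0.113.9", 55555, MY_IP, 22, ack=True)

if __name__ == "__main__":
    print("keep-state ruleset:", run(dynamic_ruleset, ssh_handshake(40000)))
    print("flag ruleset:      ", run(flag_ruleset, ssh_handshake(40000)))
    print("spoofed ACK:", Firewall(dynamic_ruleset).process(SPOOFED),
          "vs", Firewall(flag_ruleset).process(SPOOFED))
    print("4th session from one host:", limit_demo(dynamic_ruleset, 4))
```

Under the keep-state ruleset all four handshake packets are allowed and all four are logged, because each dynamic match re-runs the `allow log` rule; the flag ruleset logs only the SYN but also admits the spoofed ACK-only packet that the state-based ruleset drops, and only the state-based ruleset enforces the three-sessions-per-host limit.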