Date:      Wed, 05 Oct 2005 06:31:58 -0700
From:      jmulkerin <jmulkerin@comcast.net>
To:        freebsd@akruijff.dds.nl
Cc:        Bob Johnson <fbsdlists@gmail.com>, bobo1009@mailtest2.eng.ufl.edu, freebsd-questions@freebsd.org
Subject:   Re: IPFW logging and dynamic rules
Message-ID:  <4343D5CE.4040908@comcast.net>
In-Reply-To: <20051005085848.GA807@Alex.lan>
References:  <54db439905092908455157e6a3@mail.gmail.com> <20051005085848.GA807@Alex.lan>

How about using snort and guardian. Guardian.pl will add an ipfw rule 
each time it sees an alert from Snort. You'll need to adjust the snort 
rules for what you want to alert on, but it's a pretty safe and 
lightweight asset. (just my novice 2 cents...)


John

Alex de Kruijff wrote:

>On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
>  
>
>>In FreeBSD 5.4R, I tried an IPFW configuration that includes something
>>like this (plus a lot of other rules):
>>
>>   check-state
>>   deny tcp from any to any established
>>   allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>>+ other rules that use keep-state
>>
>>When I do this, _every_ ssh packet is logged, in both directions.  To
>>get it to log ONLY the initial connection, I had to give up on using
>>dynamic rules for ssh and instead do something like:
>>
>>   allow log tcp from any to ${my-ip} dst-port 22 setup
>>   allow tcp from any to ${my-ip} dst-port 22 established
>>   allow tcp from ${my-ip} 22 to any established
>>   check-state
>>   deny tcp from any to any established
>>+ other rules that use keep-state
>>
>>So now I have lost the per-host ssh limit rule I wanted to include,
>>and I am filtering packets on flags that can be spoofed
>>("established") rather than the actual dynamic state of the
>>connection.  Am I wrong to believe there is an advantage to this?
>>
>>Is there some way to get the first version to log only the initial
>>packet while still retaining the dynamic limit src-addr rule?
>>    
>>
>
>Yes, you could use count instead of allow.
>
>check-state
>count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
>allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>
>  
>



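The thread's underlying problem is that an ipfw dynamic rule inherits the action of the rule that created it, including the log keyword, so once check-state matches the flow every packet is logged. The script below is an added example, not part of the original thread: it keeps logging on a stateless count rule that only matches the SYN (setup) and creates the limited state from a separate, unlogged allow rule. The address 192.0.2.10 and the rule numbers are constructed placeholders; IPFW defaults to a dry-run echo and must be set to ipfw to apply the rules on a FreeBSD host.

```shell
#!/bin/sh
# Build an IPFW rule set that logs only the initial SYN of inbound ssh
# connections while still enforcing a per-source dynamic connection limit.
# IPFW defaults to a dry-run "echo ipfw"; set IPFW=ipfw to install the rules.
MY_IP="${MY_IP:-192.0.2.10}"     # constructed placeholder host address
IPFW="${IPFW:-echo ipfw}"

# Emit (or install) the ssh rules for the host address given as $1.
ssh_rules() {
  my_ip="$1"
  # Established packets of known flows are accepted here and inherit the
  # parent rule's action; because the parent below has no "log", nothing
  # after the first packet is logged.
  $IPFW add 100 check-state
  # "count" never terminates processing, so the SYN is logged here and then
  # falls through to the allow rule.
  $IPFW add 200 count log tcp from any to "$my_ip" dst-port 22 setup
  # "limit src-addr 3" implies keep-state: at most three concurrent ssh
  # connections per source address, tracked by real dynamic state rather
  # than by spoofable TCP flags.
  $IPFW add 210 allow tcp from any to "$my_ip" dst-port 22 setup limit src-addr 3
  # Anything else claiming to be established has no dynamic state: drop it.
  $IPFW add 300 deny tcp from any to any established
}

ssh_rules "$MY_IP"
```

Run with IPFW=ipfw (as root) to apply; the default dry run prints the rule list so it can be reviewed or added to the firewall script.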