From: jmulkerin <jmulkerin@comcast.net>
Date: Wed, 05 Oct 2005 06:31:58 -0700
To: freebsd@akruijff.dds.nl
Cc: Bob Johnson, bobo1009@mailtest2.eng.ufl.edu, freebsd-questions@freebsd.org
Subject: Re: IPFW logging and dynamic rules
Message-ID: <4343D5CE.4040908@comcast.net>
In-Reply-To: <20051005085848.GA807@Alex.lan>

How about using Snort and Guardian? Guardian.pl will add an ipfw rule each time it sees an alert from Snort. You'll need to adjust the Snort rules for what you want to alert on, but it's a pretty safe and lightweight asset. (just my novice 2 cents...)

John

Alex de Kruijff wrote:
> On Thu, Sep 29, 2005 at 11:45:42AM -0400, Bob Johnson wrote:
>
>> In FreeBSD 5.4R, I tried an IPFW configuration that includes something
>> like this (plus a lot of other rules):
>>
>>   check-state
>>   deny tcp from any to any established
>>   allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>>   + other rules that use keep-state
>>
>> When I do this, _every_ ssh packet is logged, in both directions. To
>> get it to log ONLY the initial connection, I had to give up on using
>> dynamic rules for ssh and instead do something like:
>>
>>   allow log tcp from any to ${my-ip} dst-port 22 setup
>>   allow tcp from any to ${my-ip} dst-port 22 established
>>   allow tcp from ${my-ip} 22 to any established
>>   check-state
>>   deny tcp from any to any established
>>   + other rules that use keep-state
>>
>> So now I have lost the per-host ssh limit rule I wanted to include,
>> and I am filtering packets on flags that can be spoofed
>> ("established") rather than the actual dynamic state of the
>> connection. Am I wrong to believe there is an advantage to this?
>>
>> Is there some way to get the first version to log only the initial
>> packet while still retaining the dynamic limit src-addr rule?
>>
>
> Yes, you could use count instead of allow.
>
>   check-state
>   count log tcp from any to ${my-ip} dst-port 22 limit src-addr 3
>   allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
>
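Whichever ruleset is loaded, the question the thread leaves open is whether it really logs only the connection setup. The script below is an added example for checking that from the logs; it is not part of this thread and not FreeBSD code. It assumes the ipfw(8) syslog line layout "ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>" as written by the kernel logger, and the sample lines, host name "gw", interface "em0" and all addresses are constructed (RFC 5737 documentation ranges). It groups the logged packets by TCP flow regardless of direction and reports flows that were logged more than once (the symptom Bob describes), plus the number of new ssh connections logged per client address.

```python
import re
from collections import Counter

# Assumed ipfw(8) syslog layout for IPv4 TCP/UDP lines:
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample lines. NOISY_LOG mimics the first ruleset in the
# question: the SYN, the server's reply and the client's ACK are all logged
# by the same allow rule, so one ssh session yields several lines.
NOISY_LOG = [
    "Oct  5 06:31:58 gw kernel: ipfw: 1020 Accept TCP 203.0.113.5:51234 192.0.2.10:22 in via em0",
    "Oct  5 06:31:58 gw kernel: ipfw: 1020 Accept TCP 192.0.2.10:22 203.0.113.5:51234 out via em0",
    "Oct  5 06:31:58 gw kernel: ipfw: 1020 Accept TCP 203.0.113.5:51234 192.0.2.10:22 in via em0",
]
# QUIET_LOG is what the goal looks like: exactly one line per new connection.
QUIET_LOG = [
    "Oct  5 06:40:01 gw kernel: ipfw: 1020 Count TCP 203.0.113.5:51234 192.0.2.10:22 in via em0",
    "Oct  5 06:40:07 gw kernel: ipfw: 1020 Count TCP 203.0.113.9:40000 192.0.2.10:22 in via em0",
    "Oct  5 06:40:09 gw kernel: ipfw: 1020 Count TCP 203.0.113.5:51235 192.0.2.10:22 in via em0",
]


def parse_line(line):
    """Return the fields of an ipfw log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def flow_key(rec):
    """Direction-independent key so the server's replies join the client's SYN."""
    return tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))


def analyse(lines, port=22):
    """Count log lines per TCP flow involving `port`, and setups per client address."""
    per_flow = Counter()
    setups_per_src = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if port not in (rec["sport"], rec["dport"]):
            continue
        key = flow_key(rec)
        per_flow[key] += 1
        # The first inbound line towards the service port is the connection setup.
        if per_flow[key] == 1 and rec["dir"] == "in" and rec["dport"] == port:
            setups_per_src[rec["src"]] += 1
    return per_flow, setups_per_src


def noisy_flows(per_flow):
    """Flows that produced more than one log line: the symptom in the question."""
    return {key: n for key, n in per_flow.items() if n > 1}


if __name__ == "__main__":
    for name, log in (("noisy", NOISY_LOG), ("quiet", QUIET_LOG)):
        per_flow, per_src = analyse(log)
        print(name, "flows logged more than once:", len(noisy_flows(per_flow)))
        print(name, "ssh setups per client:", dict(per_src))
```

Feed it the ipfw lines from /var/log/security (or wherever syslog puts the security facility) after loading a candidate ruleset and opening a test ssh session: an empty result from noisy_flows means only the setup packet was logged, and the per-client setup counts are a quick way to eyeball whether the src-addr limit is doing its job.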