Date: Sun, 30 Jul 2000 17:24:50 -0500
From: stephen@math.missouri.edu
To: "Jonathan M. Bresler" <jmb@hub.freebsd.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <3984AB32.53B8D793@math.missouri.edu>
References: <20000730194202.447F937B6C1@hub.freebsd.org>
I submitted a PR http://www.freebsd.org/cgi/query-pr.cgi?pr=20198 suggesting this possibility. The response I got was that instead ipfw should work as follows:

keep-state - log every entry;
keep-state setup - only log when the rule is established.

This is also very easy to program. Anyway I haven't heard from the people in charge for a while, so I don't know how it is going.

----

Actually, I'm becoming dissatisfied with the concept of dynamic rules using ipfw. I have gone back to static rules. I am only a home computer, and I don't need anything complicated. If I ever need dynamic rules, I will learn ipfilter and see how that does.

My dissatisfaction is over how it times out. Suppose you have a rule like:

add pass tcp from localhost to any 22 keep-state setup

and you do an ssh somewhere. Now wait five minutes and the dynamic rule times out, and it stops working. Well, that is OK I suppose - you shouldn't have left it so long.

Now suppose instead you have

add pass tcp from localhost to any 22 keep-state

Now if it times out, well it's OK, because when you press any key, another dynamic rule is established. Now this dynamic rule only lasts a few seconds. Now suppose you run a program that takes a while to send output, e.g.

sleep 10; ls

So typing in this command causes a dynamic rule to be created. This only lasts a few seconds, so when the above program sends its output, it cannot get through. If you get impatient wondering why you see nothing, you press a key to see if anything happens. The connection seems to do nothing for a second, then suddenly you see the output. This is because in pressing the key, you established another dynamic rule. The effect is somewhat jerky. If I had a naive user on my network, he would wonder what is going on, perhaps assume a bad connection or something.

All this bad behavior could be stopped by having a rule

add pass tcp from any to any established

before all the other rules, but in that case why have dynamic rules at all? And you could also tinker with the default timeouts. But in the end I find that static rules are quite satisfactory for me.

"Jonathan M. Bresler" wrote:
>
> > Stephen Montgomery-Smith wrote:
> > >
> > > I would like to set up a firewall with dynamic rules to allow
> > > ssh from the outside. I would like these incoming ssh's logged.
> > > So I tried something like:
> > >
> > > ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
> > >
> >
> > OK, does everyone else agree with me that if an ipfw rule is logged
> > and keep-state, then one only needs to log when the rule is established -
> > not every time a packet passes through it?
>
> adding an option to log only the packet that triggers the
> creation of the dynamic rule would be an excellent addition to ipfw.
>
> as you wrote in a later email, one option to log all packets
> (inherited by the dynamic rule) and one option to log the triggering
> packet only.
>
> jmb

--
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen
stephen@math.missouri.edu
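As an added illustration (not part of the original message, and not ipfw code), the following Python model replays the "sleep 10; ls" scenario described above against the three rule sets discussed: "keep-state setup", plain "keep-state", and an "established" rule placed in front of a plain "keep-state" rule. It also counts log lines under the two logging options raised in the thread, logging every packet the dynamic rule matches versus logging only the packet that created it. The idle lifetimes (300 s and 5 s), the packet trace, and the host names are constructed assumptions chosen to match the behaviour the post describes, not ipfw's actual defaults.

```python
"""Toy model of ipfw dynamic rules with idle timeouts, replaying the ssh
scenario from the post.  Added illustration, not ipfw code and not the
poster's own script; lifetimes and the packet trace are constructed."""

from dataclasses import dataclass, field
from typing import List, Optional

SETUP_LIFETIME = 300.0  # assumption: rule created via 'keep-state setup' idles out after ~5 min
SHORT_LIFETIME = 5.0    # assumption: rule created via plain 'keep-state' idles out after seconds
LOCAL, REMOTE = "localhost", "remote"   # constructed host names


@dataclass(frozen=True)
class Packet:
    t: float            # seconds since the session began
    src: str
    dst: str
    syn: bool = False   # the SYN that opens the connection
    ack: bool = False   # set on every packet of an established connection
    # simplification: every packet belongs to the one ssh (port 22) flow


@dataclass
class Firewall:
    """Rule set: optionally 'pass tcp from any to any established' first, then
    'pass tcp from localhost to any 22 keep-state [setup]'."""
    setup: bool                      # True -> the keep-state rule carries 'setup'
    established: bool = False        # True -> an 'established' rule precedes it
    log_every: bool = False          # True -> also log packets matched by the dynamic rule
    expiry: Optional[float] = None   # expiry time of the single dynamic rule, if any
    logged: List[float] = field(default_factory=list)   # times of log lines

    def _lifetime(self) -> float:
        return SETUP_LIFETIME if self.setup else SHORT_LIFETIME

    def allow(self, pkt: Packet) -> bool:
        """Return True if pkt passes; mirrors check-state followed by rule order."""
        # check-state: an idle-expired dynamic rule is gone before matching
        if self.expiry is not None and self.expiry <= pkt.t:
            self.expiry = None
        if self.established and pkt.ack:
            return True                     # static 'established' rule, unlogged
        if self.expiry is not None:
            self.expiry = pkt.t + self._lifetime()   # a match refreshes the timer
            if self.log_every:
                self.logged.append(pkt.t)
            return True
        # the static keep-state rule matches outbound ssh only; with 'setup'
        # only a SYN matches it, otherwise any outbound packet does
        if pkt.src == LOCAL and (pkt.syn or not self.setup):
            self.expiry = pkt.t + self._lifetime()
            self.logged.append(pkt.t)       # the packet that created the rule
            return True
        return False


SESSION = [  # constructed trace: 'sleep 10; ls' typed into an interactive ssh
    Packet(0.0, LOCAL, REMOTE, syn=True),   # ssh connects
    Packet(0.1, REMOTE, LOCAL, ack=True),   # server banner
    Packet(1.0, LOCAL, REMOTE, ack=True),   # user types 'sleep 10; ls'
    Packet(1.1, REMOTE, LOCAL, ack=True),   # echo of the keystrokes
    Packet(11.2, REMOTE, LOCAL, ack=True),  # ls output, after the 10 s sleep
    Packet(12.0, LOCAL, REMOTE, ack=True),  # impatient keypress
    Packet(12.1, REMOTE, LOCAL, ack=True),  # the output gets through now
]


def replay(setup: bool, established: bool = False, log_every: bool = False):
    """Return (verdict per packet, number of log lines) for one rule set."""
    fw = Firewall(setup=setup, established=established, log_every=log_every)
    verdicts = [fw.allow(p) for p in SESSION]
    return verdicts, len(fw.logged)


if __name__ == "__main__":
    cases = [("keep-state setup", dict(setup=True)),
             ("keep-state", dict(setup=False)),
             ("established + keep-state", dict(setup=False, established=True))]
    for name, kw in cases:
        verdicts, n = replay(**kw)
        flags = "".join("P" if v else "D" for v in verdicts)
        print(f"{name:26s} {flags}  log lines (creating packet only): {n}")
```

Running it shows the fifth packet (the delayed ls output) dropped only under plain keep-state, which is the jerky behaviour the post describes, and passing once the established rule is in front or the rule carries setup; switching log_every on shows how much noisier per-packet logging is than logging only the triggering packet.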
