From owner-freebsd-questions@FreeBSD.ORG Thu Sep 29 15:45:44 2005
From: Bob Johnson
To: freebsd-questions@freebsd.org
Cc: bobo1009@mailtest2.eng.ufl.edu
Date: Thu, 29 Sep 2005 11:45:42 -0400
Subject: IPFW logging and dynamic rules
Message-ID: <54db439905092908455157e6a3@mail.gmail.com>

In FreeBSD 5.4R, I tried an IPFW configuration that includes something like
this (plus a lot of other rules):

    check-state
    deny tcp from any to any established
    allow log tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3
    + other rules that use keep-state

When I do this, _every_ ssh packet is logged, in both directions. To get it
to log ONLY the initial connection, I had to give up on using dynamic rules
for ssh and instead do something like:

    allow log tcp from any to ${my-ip} dst-port 22 setup
    allow tcp from any to ${my-ip} dst-port 22 established
    allow tcp from ${my-ip} 22 to any established
    check-state
    deny tcp from any to any established
    + other rules that use keep-state

So now I have lost the per-host ssh limit rule I wanted to include, and I am
filtering packets on flags that can be spoofed ("established") rather than
the actual dynamic state of the connection.

Am I wrong to believe there is an advantage to this? Is there some way to
get the first version to log only the initial packet while still retaining
the dynamic limit src-addr rule?

Thanks,

- Bob
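The behaviour Bob describes follows from how check-state works: when a packet matches a dynamic rule, ipfw runs the action of the rule that created that state, and the log option is part of that action, so every packet of the flow is logged. An added example, not from Bob's post or from the FreeBSD base system, of one way to keep the limit rule and still log only the setup packet: put a separate count log rule in front of the stateful rule, in the same order as his first rule set (${my-ip} is the poster's variable).

```ipfw
# Added example, not from the original post. Rule order follows the
# poster's first configuration; ${my-ip} is his variable.

# Packets belonging to a known flow are handled here and never reach
# the rules below. The stateful rule that creates the state carries
# no 'log', so nothing matched via check-state is logged.
check-state

# Anything claiming to be part of an existing flow that has no state
# behind it is dropped; the 'established' flag alone is not trusted.
deny tcp from any to any established

# 'count' never terminates the search, so a new SYN is logged exactly
# once here and then continues to the next rule. This is the only
# rule in the set with 'log', so only connection attempts are logged.
count log tcp from any to ${my-ip} dst-port 22 setup

# Same stateful rule as before, minus 'log': it installs the dynamic
# rule and enforces the per-source limit without logging the flow.
allow tcp from any to ${my-ip} dst-port 22 setup limit src-addr 3

# + other rules that use keep-state
```

A SYN from a source that is already at its limit is still logged by the count rule before the limit rule drops it, so the log records the rejected attempts, not the traffic of accepted sessions; `ipfw -d show` lists the dynamic rules alongside the static ones so you can confirm which packets are being matched by state.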