From owner-freebsd-security@FreeBSD.ORG Fri May 30 15:22:56 2003
Date: Fri, 30 May 2003 15:22:55 -0700
From: Avleen Vig
To: security@freebsd.org
Subject: IPFW logging brokenness?
Message-ID: <20030530222255.GZ294@silverwraith.com>
User-Agent: Mutt/1.5.4i
List-Id: Security issues [members-only posting]

I don't think I'm trying to do anything amazing, but IPFW's logging features are giving me a real headache. I can't find much in the archives either, but I find it hard to believe others haven't found this too.

My rule:

add 100 allow log tcp from any to limit src-addr 2

I want connecting parties to be able to form no more than 2 connections. This works perfectly, just as I'd expect it to. Except for 'log'. This rule matches every packet that comes in to the given IP and ports, and as a result, one line is added to the security log per packet. There are a lot of packets.

I tried adding an "add 50 check-state", but that rule doesn't match (the log just carries on logging packets because they match 100), which is very odd.
All I want is for the first packet of a connection to match, like IPF's "log first" capability. Or, better yet, is there a way to format a rule or set of rules to say "deny if established connections is greater than 2"? Logging every one of these packets would be fine.

Any suggestions?

-- 
Avleen Vig                "Say no to cheese-eating surrender-monkeys"
Systems Admin             "Fast, Good, Cheap. Pick any two."
www.silverwraith.com      "Move BSD. For great justice!"
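One ruleset that gets the "log once per connection" behaviour asked for above, as an added example that is not part of the original post and not the ipfw project's own code. The idea is to keep the `log` keyword off the stateful rule entirely: a separate `count log ... setup` rule matches only the SYN that opens a connection, so it writes exactly one line per connection attempt, while the `allow ... limit src-addr N` rule (with `setup`, so state is only created on SYNs) and the `check-state` rule that passes the follow-on packets carry no `log` at all. The address and port list are placeholders, since the ones in the post were lost; the rule numbers are arbitrary; and the trailing `deny log` only documents what falls through (SYNs over the limit are already dropped at the `limit` rule itself in the ipfw versions I know, but check your ipfw(8)).

```shell
#!/bin/sh
# Added example, not from the original post or from ipfw itself.
# Goal: one log line per connection attempt (the SYN), not one per packet,
# while still capping concurrent connections per source address.
#
# Assumptions (placeholders, not values from the post):
PROTECTED_IP="${PROTECTED_IP:-192.0.2.10}"      # the "given IP"
PROTECTED_PORTS="${PROTECTED_PORTS:-80,443}"    # the "given ports"
MAX_CONNS="${MAX_CONNS:-2}"                     # per-source connection cap

# Emit the ruleset, one ipfw command per line (the format ipfw(8) reads
# when given a file).  Only rules 90 and 110 carry 'log':
#   50  check-state      passes packets of already-established sessions;
#                        no 'log', so they are silent.
#   90  count log ...    matches only SYNs ('setup'), so it logs exactly
#                        one line per new connection, then falls through.
#  100  allow ... limit  creates state on the SYN and caps the number of
#                        sessions per src-addr; no 'log' on purpose.
#  110  deny log ...     anything else to those ports, logged.
ruleset() {
    cat <<EOF
add 50 check-state
add 90 count log tcp from any to ${PROTECTED_IP} ${PROTECTED_PORTS} setup
add 100 allow tcp from any to ${PROTECTED_IP} ${PROTECTED_PORTS} setup limit src-addr ${MAX_CONNS}
add 110 deny log tcp from any to ${PROTECTED_IP} ${PROTECTED_PORTS}
EOF
}

# Sanity check used before loading: how many rules write to the log.
# For the ruleset above the answer is 2 (rules 90 and 110).
logging_rules() {
    ruleset | grep -c ' log '
}

# Load the ruleset into the live firewall (needs root and ipfw).  Writes the
# rules to a temp file because ipfw(8) takes a file of commands as argument.
apply() {
    tmp=$(mktemp) || return 1
    ruleset >"$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only touch the running firewall when asked explicitly: ./ipfw-log.sh apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it with `apply` as the argument to load the rules; without arguments it does nothing to the firewall, so `ruleset` and `logging_rules` can be inspected first. The separate `count log ... setup` rule is the point: whatever a given ipfw version does about logging packets that hit a stateful rule through `check-state`, that rule never sees a `log` keyword here, so the only per-packet noise left is from rule 110, which should be rare.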