Date: Fri, 30 May 2003 19:20:26 -0400 (EDT) From: "Jonathan M. Bresler" <jmb@bresler.org> To: Avleen Vig <lists-freebsd@silverwraith.com> Cc: security@freebsd.org Subject: Re: IPFW logging brokeness? Message-ID: <Pine.BSF.4.21.0305301917400.4305-100000@bp6.bresler.org> In-Reply-To: <20030530222255.GZ294@silverwraith.com>
next in thread | previous in thread | raw e-mail | index | archive | help
you need to add "keep-state" to rule 100. this will populate the state table so that the "check-state" rule will have a populated table to check against. try add 100 allow log tcp from any to <my IP> <ports> keep-state limit src-addr 2 jmb On Fri, 30 May 2003, Avleen Vig wrote: > I don't think I'm trying to do anything amazing, but IPFW's logging > features are giving me a real headache. I can't find much in the > archives either, but I find it hard to believe others havne't found this > too. > > My rule: > add 100 allow log tcp from any to <my IP> <ports> limit src-addr 2 > > I want connecting parties to be able to form no more than 2 connection. > This works perfectly, jsut as I'd expect it to. > Except for 'log'. > > This rule matches every packet that comes in to the given IP and ports, > and as a result, one line is added to the security log per packet. There > are a lot of packets. > I tried, adding an "add 50 check-state", but that rule doesn't match > (the log just carries on logging packets because they match 100), which > is very odd. > > All I want is to have the first packet match of a connection match, like > IPF's "log first" capability. > > Or, better yet, is there a way to format a rule or set of rules, to say > "deny if established connections is greater than 2". > Logging every one of these packets would be fine. > > Any suggestions? > > -- > Avleen Vig "Say no to cheese-eating surrender-monkeys" > Systems Admin "Fast, Good, Cheap. Pick any two." > www.silverwraith.com "Move BSD. For great justice!" > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0305301917400.4305-100000>