From owner-freebsd-security@FreeBSD.ORG Fri May 30 16:20:28 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B39DC37B401 for ; Fri, 30 May 2003 16:20:28 -0700 (PDT)
Received: from bp6.bresler.org (pool-138-88-130-56.esr.east.verizon.net [138.88.130.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id C217E43F93 for ; Fri, 30 May 2003 16:20:27 -0700 (PDT) (envelope-from jmb@bresler.org)
Received: by bp6.bresler.org (Postfix, from userid 1000) id B347180; Fri, 30 May 2003 19:20:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bp6.bresler.org (Postfix) with ESMTP id B0A1D9901; Fri, 30 May 2003 19:20:26 -0400 (EDT)
Date: Fri, 30 May 2003 19:20:26 -0400 (EDT)
From: "Jonathan M. Bresler"
To: Avleen Vig
In-Reply-To: <20030530222255.GZ294@silverwraith.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: security@freebsd.org
Subject: Re: IPFW logging brokeness?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 May 2003 23:20:29 -0000

You need to add "keep-state" to rule 100. This will populate the state table so that the "check-state" rule will have a populated table to check against.

Try

    add 100 allow log tcp from any to keep-state limit src-addr 2

jmb

On Fri, 30 May 2003, Avleen Vig wrote:

> I don't think I'm trying to do anything amazing, but IPFW's logging
> features are giving me a real headache. I can't find much in the
> archives either, but I find it hard to believe others haven't found this
> too.
>
> My rule:
>
>     add 100 allow log tcp from any to limit src-addr 2
>
> I want connecting parties to be able to form no more than 2 connections.
> This works perfectly, just as I'd expect it to.
> Except for 'log'.
>
> This rule matches every packet that comes in to the given IP and ports,
> and as a result, one line is added to the security log per packet. There
> are a lot of packets.
> I tried adding an "add 50 check-state", but that rule doesn't match
> (the log just carries on logging packets because they match 100), which
> is very odd.
>
> All I want is to have the first packet of a connection match, like
> IPF's "log first" capability.
>
> Or, better yet, is there a way to format a rule or set of rules to say
> "deny if established connections is greater than 2".
> Logging every one of these packets would be fine.
>
> Any suggestions?
>
> --
> Avleen Vig             "Say no to cheese-eating surrender-monkeys"
> Systems Admin          "Fast, Good, Cheap. Pick any two."
> www.silverwraith.com   "Move BSD. For great justice!"
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
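One way to get IPF-style "log first" behaviour out of ipfw, as an added example that is not from either poster in this thread. In ipfw the `log` option is tied to the rule's action, and that action is also taken when a packet is passed through a dynamic (state) entry the rule created, which is why `log` on the stateful rule produces a line for every packet of the connection. Keeping `log` off the stateful rule and putting it on a separate rule that matches only the connection's initial SYN (`setup`) gives one log line per connection, while `limit src-addr 2` still caps concurrent connections per source. The destination address 192.0.2.10 and port 80 are assumed placeholders, and the script runs as a dry run that prints the `ipfw` commands unless `IPFW` is pointed at the real binary:

```shell
#!/bin/sh
# Added example, not code from the thread: ipfw rules that log only the
# first packet of each TCP connection while still limiting connections
# per source address. Uses ipfw2 keywords (check-state, setup, limit,
# logamount). Destination and port are assumed placeholders.
DST=${DST:-192.0.2.10}
PORT=${PORT:-80}
# Dry run by default; set IPFW=/sbin/ipfw to load the rules for real.
IPFW=${IPFW:-"echo ipfw"}

# The rule as posted: "log" sits on the stateful rule, so the log line is
# emitted every time this rule's action is applied, including each packet
# that is passed via the dynamic entry it created.
noisy_rules() {
    $IPFW add 100 allow log tcp from any to "$DST" "$PORT" limit src-addr 2
}

# Quieter variant:
#   50: consult the dynamic rule table first, so packets of established
#       connections are passed here and never reach the logging rule.
#   90: "setup" matches only the initial SYN; "count" takes no decision,
#       so the packet continues to rule 100. "logamount 1000" caps the
#       number of log lines this rule may emit (reset with "ipfw resetlog").
#  100: "setup" again, so only new connections are evaluated here;
#       "limit src-addr 2" creates the dynamic entry and drops a third
#       concurrent connection from the same source. No "log" here.
quiet_rules() {
    $IPFW add 50 check-state
    $IPFW add 90 count log logamount 1000 tcp from any to "$DST" "$PORT" setup
    $IPFW add 100 allow tcp from any to "$DST" "$PORT" setup limit src-addr 2
}

# Print (or, with IPFW=/sbin/ipfw, load) the quiet ruleset.
quiet_rules
```

With the quiet ruleset a SYN from an over-limit source is still logged by rule 90 before rule 100 refuses it, so a logged SYN that never shows up in `ipfw -d show` as a dynamic entry is the signal that the limit fired.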