From: Andrew Johns <johnsa@kpi.com.au>
Organization: KPI Logistics
Date: Wed, 26 Jul 2000 11:34:10 +1000
To: Stephen Montgomery-Smith
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules

Stephen Montgomery-Smith wrote:
>
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside. I would like these incoming ssh's logged.
> So I tried something like:
>
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
>
> Now it would make sense to me that this would log the initial setup,
> but that the following times that the then created dynamic rule is
> invoked would not be logged.
>
> However that is not the case. All the tcp packets between the
> established connection are logged.
>
> I know that I could have some rules:
>
> add pass tcp from any to any in via ${oif} established
> add pass all from any to any frag
>
> before this one, but doesn't that defeat part of the point of
> dynamic rules?

In a word, no. All packets must pass through the ruleset before being
either passed or dropped.

'Dynamic' rules build on the base rules by keeping a table of which
connections are presently in use, so that mapping can occur for delivery
of the packet back to the correct socket/process, **once it has been
passed** by the rule set. (This is my interpretation of it from personal
experience - someone please correct me if I'm totally off the rails on
this.)

Therefore, any logging before the packet is passed/dropped will still
occur as per usual, which is how I'd want to have it anyway.

Regards

Andrew Johns BSc.
Principal Consultant
KPI Logistics Pty Ltd
mailto:johnsa@kpi.com.au
http://www.kpi.com.au
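An ipfw rule layout, added here as an example and not taken from either poster, that records only the connection setup: a `count log` rule writes the syslog entry and lets the search continue, while the `keep-state` rule that actually passes the SYN carries no `log` keyword, so the later packets of the session, matched by `check-state`, produce no log lines. The interface name `fxp0`, the `ssh_rules` function and the `APPLY` variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original thread): log only the SSH setup
# packet while still using a stateful (keep-state) rule for the session.
# Assumes ipfw(8) with dynamic-rule support; fxp0 is a placeholder name.
oif="${oif:-fxp0}"          # external interface (placeholder)
me="my.computer.net"        # the host named in the original message

# Emit the rules rather than apply them directly, so the layout can be
# inspected (and checked) on a machine without ipfw.
ssh_rules() {
cat <<EOF
# Consult the dynamic table first: packets of an already accepted
# session are passed here, before they reach any rule with 'log'.
add 100 check-state
# 'count log' records the SYN and continues to the next rule ...
add 200 count log tcp from any to ${me} 22 in via ${oif} setup
# ... which passes it and creates the dynamic entry. This rule has no
# 'log' keyword, so packets later matched by check-state are not logged.
add 210 allow tcp from any to ${me} 22 in via ${oif} setup keep-state
EOF
}

# Only load the rules into the kernel when explicitly asked to.
if [ "${APPLY:-no}" = "yes" ] && command -v ipfw >/dev/null 2>&1; then
    ssh_rules | ipfw -q /dev/stdin
else
    ssh_rules
fi
```

Run with `APPLY=yes` on the firewall host to load the rules; without it the script only prints them.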