Date: Tue, 25 Jul 2000 20:53:11 -0500
From: Stephen Montgomery-Smith <stephen@math.missouri.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <397E4487.A868B713@math.missouri.edu>
References: <397E1E25.FE8731E7@math.missouri.edu>
Stephen Montgomery-Smith wrote:
>
> I would like to set up a firewall with dynamic rules to allow
> ssh from the outside. I would like these incoming ssh's logged.
> So I tried something like:
>
> ipfw add pass log tcp from any to my.computer.net 22 keep-state setup
>

OK, does everyone else agree with me that if an ipfw rule is logged and
keep-state, then one only needs to log when the rule is established -
not every time a packet passes through it?

If so, I'll send-pr the following patch:

(attachment: diff.ip_fw.c.patch)

--- ../src/sys/netinet/ip_fw.c	Sat Jul 15 19:25:45 2000
+++ sys/netinet/ip_fw.c	Tue Jul 25 20:39:38 2000
@@ -1215,8 +1215,13 @@
 	f->timestamp = time_second;
 
 	/* Log to console if desired */
+#if STATEFUL /* stateful ipfw */
+	if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose && q==NULL)
+		ipfw_report(f, ip, rif, oif);
+#else
 	if ((f->fw_flg & IP_FW_F_PRN) && fw_verbose)
 		ipfw_report(f, ip, rif, oif);
+#endif
 
 	/* Take appropriate action */
 	switch (f->fw_flg & IP_FW_F_COMMAND) {
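Review bot: `#if STATEFUL` on the first added line is fragile: if the file defines STATEFUL with no value (`#define STATEFUL`), `#if STATEFUL` is a preprocessor error, and if the macro is simply undefined the guard silently selects the old every-packet branch; `#ifdef STATEFUL` matches the intent and is the safer spelling. The two `ipfw_report(f, ip, rif, oif);` calls are identical and only the condition differs, so a single `if` whose `q==NULL` term is wrapped in the macro would avoid the duplicated branch. `q` is neither declared nor assigned anywhere in this hunk; confirm that at this point it holds the dynamic-rule lookup result and is NULL for packets matched only by the static rule, otherwise plain `log` rules without `keep-state` would stop reporting, and a one-line comment stating that logging is now intentionally limited to the packet that creates the dynamic entry would save the next reader the same question.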
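The logging rule the message proposes (report a keep-state rule only when the dynamic entry is created, i.e. when q is NULL) modelled in Python as an added example; this is not code from the e-mail or from FreeBSD, and the rule, packet and state-table classes plus the sample traffic are constructed here to show how many log lines each variant produces for one ssh connection.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class KeepStateRule:
    """Toy model of 'pass log tcp from any to <dst> <dport> keep-state setup'."""
    dst: str
    dport: int
    log: bool = True
    state: set = field(default_factory=set)  # dynamic entries (the kernel's q list)

    @staticmethod
    def flow_id(p):
        # Direction-independent key, so reply packets hit the same dynamic entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, p, log_only_on_state_creation):
        """Return (passed, logged) for one packet."""
        q = self.flow_id(p) in self.state  # 'q != NULL' in the patch's terms
        if q:
            # Established flow: pass it; the patched kernel stays quiet here.
            return True, self.log and not log_only_on_state_creation
        # No dynamic entry: the static rule must match, and 'setup' means SYN without ACK.
        if not (p.dst == self.dst and p.dport == self.dport and p.syn and not p.ack):
            return False, False
        self.state.add(self.flow_id(p))  # keep-state creates the entry
        return True, self.log  # both variants log the state-creating packet

def count_log_lines(packets, log_only_on_state_creation):
    rule = KeepStateRule(dst="my.computer.net", dport=22)
    return sum(rule.process(p, log_only_on_state_creation)[1] for p in packets)

# Constructed sample traffic: one ssh connection (SYN, SYN/ACK, ACK, two data
# segments), then a stray non-SYN packet with no matching state (dropped, never logged).
CLIENT, SERVER = ("203.0.113.7", 40001), ("my.computer.net", 22)
SAMPLE = [
    Packet(*CLIENT, *SERVER, syn=True),
    Packet(*SERVER, *CLIENT, syn=True, ack=True),
    Packet(*CLIENT, *SERVER, ack=True),
    Packet(*CLIENT, *SERVER, ack=True),
    Packet(*SERVER, *CLIENT, ack=True),
    Packet("198.51.100.9", 5555, "my.computer.net", 22, ack=True),
]
```

With the unpatched condition every packet of the flow is reported (5 lines here); with the patched condition only the SYN that creates the dynamic entry is (1 line), and the stray packet is dropped without a log line in both cases.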