Date: Tue, 25 Jul 2000 19:18:32 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc: Andrew Johns <johnsa@kpi.com.au>, freebsd-security@FreeBSD.ORG
Subject: Re: log with dynamic firewall rules
Message-ID: <20000725191832.H17222@fw.wintelcom.net>
In-Reply-To: <397E48D1.DEC661C5@math.missouri.edu>; from stephen@math.missouri.edu on Tue, Jul 25, 2000 at 09:11:29PM -0500
References: <397E1E25.FE8731E7@math.missouri.edu> <397E4012.A1A93351@kpi.com.au> <397E48D1.DEC661C5@math.missouri.edu>

* Stephen Montgomery-Smith <stephen@math.missouri.edu> [000725 19:14] wrote:
> OK, I'm not really understanding you here:
>
> suppose I have a rule like:
> ipfw add pass log tcp from any to my.computer.net 22 keep-state
> let's say it is rule 600.
>
> Now someone ssh's from the outside to my.computer. So on my log file
> I see:
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
>
> But actually I get a lot more than this - I get a whole bunch of
> ipfw: 600 Accept TCP 66.77.88.99:1000 12.34.56.78:22 in via rl0
> and
> ipfw: 600 Accept TCP 12.34.56.78:22 66.77.88.99:1000 out via rl0
> also in my log file. Indeed, as the ssh connection continues, I
> get more and more of these, filling up my log file, and really
> telling me nothing new (especially since entries in the log file
> are not dated).

You probably want to use the 'setup' keyword to capture the initial
connection.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."