From owner-freebsd-questions@FreeBSD.ORG Sat Apr 17 03:25:35 2004
Date: Sat, 17 Apr 2004 13:26:10 +0300
From: Dancho Penev
To: Ben Beuchler
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Identifying traffic logged by ipfw
Message-ID: <20040417102610.GA1040@earth.dpsca.bg>
In-Reply-To: <20040416175131.GA31191@emt-p.org>
References: <20040416175131.GA31191@emt-p.org>
User-Agent: Mutt/1.4.2.1i

On Fri, Apr 16, 2004 at 12:51:31PM -0500, Ben Beuchler wrote:
>Date: Fri, 16 Apr 2004 12:51:31 -0500
>From: Ben Beuchler
>To: freebsd-questions@freebsd.org
>Subject: Identifying traffic logged by ipfw
>
>I'm working on a new bridging firewall using ipfw on FBSD 5.1. The goal
>is to default to closed with a few exceptions. To test my ruleset, I end
>with this rule:
>
>add 420 allow log ip from any to any
>
>The idea is that by watching the logs I could see what protocols I forgot
>to create rules for. This is what I'm getting in the logs:
>
>Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2
>
>I'm guessing this means it's matching non-ip traffic, but I couldn't find
>any info to confirm this. Is there any sort of trick I could use to log
>the entire packet? Since nothing about the source or destination was
>logged, I don't have enough info to create a tcpdump filter. Perhaps some
>sort of divert rule?

I don't know about FreeBSD 5.1, but on -CURRENT I use the following patch for /sys/netinet/ip_fw2.c :

--- ip_fw2.c.orig	Fri Dec 26 15:21:46 2003
+++ ip_fw2.c	Sun Jan 25 22:45:45 2004
@@ -577,6 +577,16 @@
 
 	if (hlen == 0) {	/* non-ip */
 		snprintf(SNPARGS(proto, 0), "MAC");
+		if (eh != NULL)
+			snprintf(SNPARGS(proto, 3),
+			    " %02x:%02x:%02x:%02x:%02x:%02x %02x:%02x:%02x:%02x:%02x:%02x 0x%04x",
+			    eh->ether_dhost[0], eh->ether_dhost[1],
+			    eh->ether_dhost[2], eh->ether_dhost[3],
+			    eh->ether_dhost[4], eh->ether_dhost[5],
+			    eh->ether_shost[0], eh->ether_shost[1],
+			    eh->ether_shost[2], eh->ether_shost[3],
+			    eh->ether_shost[4], eh->ether_shost[5],
+			    ntohs(eh->ether_type));
 	} else {
 		struct ip *ip = mtod(m, struct ip *);
 		/* these three are all aliases to the same thing */

>
>Thanks!
>
>-Ben
>
>-- 
>Ben Beuchler                     There is no spoon.
>insyte@emt-p.org                 -- The Matrix
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

-- 
Dancho Penev
GnuPG public key: http://www.mnet.bg/~dpenev/gnupg.key
Key fingerprint: E88D 8B7B 3EF6 E9C8 C5D2 7554 2AA8 C347 71A1 4277
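Review bot: `snprintf(SNPARGS(proto, 3), ...)` hard-codes the offset 3 as the length of the "MAC" written by the preceding `snprintf(SNPARGS(proto, 0), "MAC")`, and the appended format expands to 43 characters (two 17-character addresses, `0x%04x` and three spaces), 46 in total plus the terminating NUL; unless `proto` is at least 47 bytes, the EtherType at the end, the one field that tells the reader which non-IP protocol rule 420 matched, is exactly what gets cut off. Suggest taking the offset from the return value of the first `snprintf` and checking `sizeof(proto)` against the expanded length, or placing the EtherType before the addresses so that any truncation drops the least useful part first. The `eh != NULL` guard before dereferencing is the right check for frames that reached the firewall without an Ethernet header.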
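For the problem raised in the question, turning a bare `MAC in via em2` log line into something a ruleset or a tcpdump filter can be built from, here is an added Python example that is not part of this thread and not ipfw's own code. It parses both the stock log line quoted above and the line layout implied by the patch's format string (`MAC <dst> <src> 0x<ethertype>`), labels the EtherType, and derives a capture filter. The patched-format sample lines, their MAC addresses and the EtherType table are constructed for the example, and the exact layout of the patched line is assumed from the format string rather than taken from a running kernel.

```python
import re

# Well-known EtherType values (IANA registry) used to label non-IP frames.
# Constructed subset for the example; extend as needed.
ETHERTYPES = {
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8100: "802.1Q VLAN",
    0x88CC: "LLDP",
    0x8035: "RARP",
    0x809B: "AppleTalk",
    0x8137: "IPX",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Matches both the stock line ("MAC in via em2") and the layout assumed from
# the patch ("MAC <dst> <src> 0x<type> in via em2"); the address group is optional.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) MAC"
    rf"(?: (?P<dst>{MAC}) (?P<src>{MAC}) 0x(?P<type>[0-9a-f]{{4}}))?"
    r" (?P<dir>in|out) via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_mac_log(line):
    """Return a dict describing a 'MAC' ipfw log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "dst": m.group("dst"),
        "src": m.group("src"),
        "ethertype": None,
        "proto": None,
    }
    if m.group("type"):
        ethertype = int(m.group("type"), 16)
        rec["ethertype"] = ethertype
        rec["proto"] = ETHERTYPES.get(ethertype, "unknown")
    return rec


def tcpdump_filter(rec):
    """Build a BPF expression that narrows a capture to the logged frame type."""
    if rec is None:
        return None
    if rec["ethertype"] is None:
        # Stock kernel: all we know is "non-IP", so exclude IPv4 and keep the rest.
        return "not ip"
    parts = [f"ether proto 0x{rec['ethertype']:04x}"]
    if rec["src"]:
        parts.append(f"ether src {rec['src']}")
    return " and ".join(parts)


def summarize(lines):
    """Count logged non-IP frames per protocol so the missing rules stand out."""
    counts = {}
    for line in lines:
        rec = parse_mac_log(line)
        if rec is None:
            continue
        key = rec["proto"] or "unknown (stock log format)"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log: the first line is the one quoted in the question, the
# second and third are what the same rule would log with the patch applied, and
# the last is an ordinary IPv4 line that the parser must ignore.
SAMPLE_LOG = [
    "Apr 16 16:43:40 bfw kernel: ipfw: 420 Accept MAC in via em2",
    "Apr 16 16:43:41 bfw kernel: ipfw: 420 Accept MAC ff:ff:ff:ff:ff:ff 00:11:22:33:44:55 0x0806 in via em2",
    "Apr 16 16:43:42 bfw kernel: ipfw: 420 Accept MAC 33:33:00:00:00:01 00:11:22:33:44:56 0x86dd in via em2",
    "Apr 16 16:43:43 bfw kernel: ipfw: 100 Accept TCP 10.0.0.1:1234 10.0.0.2:22 in via em2",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_mac_log(line)
        if rec:
            print(rec["proto"] or "non-IP", "->", tcpdump_filter(rec))
    print(summarize(SAMPLE_LOG))
```

Feeding `summarize()` the lines of the security log gives one count per EtherType, which is the list of protocols the default-closed ruleset still has no explicit rule for. Note that `ip` in BPF means IPv4 only, so the `not ip` fallback for the stock line format still captures IPv6 and everything else the kernel reports as non-IP.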