From owner-freebsd-questions Fri Jul 7 21:43:37 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mostgraveconcern.com (mostgraveconcern.com [216.82.145.240]) by hub.freebsd.org (Postfix) with ESMTP id EDC4E37B8C5 for ; Fri, 7 Jul 2000 21:43:28 -0700 (PDT) (envelope-from dan@mostgraveconcern.com)
Received: from danco (danco.mostgraveconcern.com [10.0.0.2]) by mostgraveconcern.com (8.9.3/8.9.3) with SMTP id VAA13838; Fri, 7 Jul 2000 21:43:20 -0700 (PDT) (envelope-from dan@mostgraveconcern.com)
Message-ID: <014e01bfe897$0aa73820$0200000a@danco>
Reply-To: "Dan O'Connor"
From: "Dan O'Connor"
To: "Brian D. Moffet" ,
Subject: Re: ipfw
Date: Fri, 7 Jul 2000 21:43:19 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="x-user-defined"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>How do I configure ipfw to log all connections to a NIC on my machine?
>So I want to log the connections from the outside NIC to my machine.
>
>I don't want all packets, just the connections. I have

The best way I know is to create logging 'setup' rules for all TCP services that you want to monitor and tell IPFW to log them. For example, if you want to log all connections to your web server from the outside world and log secure shell connections from both the outside world and from your inside network, you would add rules like this (in /etc/rc.firewall):

    ${fwcmd} add pass tcp from any to any established
    ${fwcmd} add pass log tcp from any to any 80 in via ${oif} setup
    ${fwcmd} add pass log tcp from any to ${onet}:${omask} 22 in via ${oif} setup
    ${fwcmd} add pass log tcp from any to ${inet}:${imask} 22 in via ${iif} setup

The 'setup' filters on the ACK bit not being set (only the first packet of a TCP connection).
The first rule allows already set-up connections (ACK bit set) to proceed with a minimum of overhead.

Note that this method only works for TCP connections, not UDP or ICMP, since these do not use an ACK bit. You either have to log all packets or none...

>options IPFIREWALL #firewall
>options IPFIREWALL_VERBOSE #print information about
> # dropped packets
>options IPFIREWALL_FORWARD #enable transparent proxy support
>options "IPFIREWALL_VERBOSE_LIMIT=10" #limit verbosity
>options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
>options IPDIVERT #divert sockets

I'd comment out the IPFIREWALL_VERBOSE_LIMIT or set it to something much higher, or you're only going to see the first 10 log entries for each rule you have logging turned on.

I'd also recommend not using the IPFIREWALL_DEFAULT_TO_ACCEPT option, and take the time to set up the simple section of /etc/rc.firewall to allow only the services you want...

Hope this helps,
--Dan

--
Dan O'Connor
On Matters of Most Grave Concern
http://www.mostgraveconcern.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
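The following script is an added example and is not part of Dan's reply or of FreeBSD's own rc.firewall. It builds the logged 'setup' rule set the reply describes (established rule first, then one logged setup rule per service and interface) and adds a check of a kernel config file for the two options the reply advises against: IPFIREWALL_VERBOSE_LIMIT and IPFIREWALL_DEFAULT_TO_ACCEPT. The interface names fxp0/fxp1 and the network addresses are constructed placeholders, and FWCMD defaults to "echo ipfw" so the rules are only printed; on the firewall itself you would set FWCMD=/sbin/ipfw and your real interfaces and networks.

```shell
#!/bin/sh
# Added example, not the poster's code: generate logged TCP 'setup' rules
# and audit a kernel config for the options discussed in the thread.
# FWCMD defaults to a dry run (echo); the names below are placeholders.
fwcmd="${FWCMD:-echo ipfw}"
oif="${OIF:-fxp0}"                       # outside interface (assumed name)
iif="${IIF:-fxp1}"                       # inside interface (assumed name)
onet="${ONET:-192.0.2.0}";  omask="${OMASK:-255.255.255.0}"   # constructed
inet="${INET:-10.0.0.0}";   imask="${IMASK:-255.255.255.0}"   # constructed

# log_setup_rule PORT IFACE DST
# One logged rule matching only the first packet of a TCP connection
# (SYN without ACK, i.e. 'setup') to DST:PORT arriving on IFACE.
log_setup_rule() {
    ${fwcmd} add pass log tcp from any to "$3" "$1" in via "$2" setup
}

# emit_rules: the established rule goes first so packets belonging to
# connections already set up never reach the logging rules.
emit_rules() {
    ${fwcmd} add pass tcp from any to any established
    log_setup_rule 80 "$oif" any                   # web from outside
    log_setup_rule 22 "$oif" "${onet}:${omask}"    # ssh from outside
    log_setup_rule 22 "$iif" "${inet}:${imask}"    # ssh from inside
}

# check_kernel_config FILE
# Prints one warning per active (uncommented) option the reply advises
# against and returns the number of warnings; 0 means nothing to revisit.
check_kernel_config() {
    warnings=0
    if grep -Eq '^[[:space:]]*options[[:space:]]+"?IPFIREWALL_VERBOSE_LIMIT=' "$1"; then
        limit=$(sed -n 's/.*IPFIREWALL_VERBOSE_LIMIT=\([0-9]*\).*/\1/p' "$1" | head -n 1)
        echo "warning: IPFIREWALL_VERBOSE_LIMIT=$limit caps each logging rule at $limit log entries"
        warnings=$((warnings + 1))
    fi
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"; then
        echo "warning: IPFIREWALL_DEFAULT_TO_ACCEPT passes everything not explicitly denied"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}

# write_sample_config FILE
# Constructed kernel config fragment mirroring the options quoted in the
# thread, so the check can be exercised offline.
write_sample_config() {
    cat > "$1" <<'EOF'
options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #print information about dropped packets
options IPFIREWALL_FORWARD              #enable transparent proxy support
options "IPFIREWALL_VERBOSE_LIMIT=10"   #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options IPDIVERT                        #divert sockets
EOF
}

# Stand-alone run: print the rule set, then audit the sample config.
emit_rules
cfg=$(mktemp)
write_sample_config "$cfg"
check_kernel_config "$cfg" || echo "$? kernel option(s) to revisit before relying on the logs"
rm -f "$cfg"
```

Run it as-is to review the generated rules; with FWCMD=/sbin/ipfw the same functions apply them. The config check only flags uncommented option lines, so commenting out IPFIREWALL_VERBOSE_LIMIT, as the reply suggests, clears that warning.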