From owner-freebsd-security Thu Dec 14 12:16:13 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 12:16:11 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20])
	by hub.freebsd.org (Postfix) with SMTP id 7A7F837B400
	for ; Thu, 14 Dec 2000 12:16:10 -0800 (PST)
Received: (qmail 28600 invoked by uid 0); 14 Dec 2000 20:16:08 -0000
Received: from p3ee2161f.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.31)
	by mail.gmx.net (mail06) with SMTP; 14 Dec 2000 20:16:08 -0000
Received: (from sittig@localhost)
	by speedy.gsinet (8.8.8/8.8.8) id UAA09885
	for freebsd-security@freebsd.org; Thu, 14 Dec 2000 20:58:54 +0100
Date: Thu, 14 Dec 2000 20:58:54 +0100
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: Extended ipfw Logging
Message-ID: <20001214205854.J253@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References: <20001214003219.K96105@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20001214003219.K96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Thu, Dec 14, 2000 at 12:32:19AM -0800
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Dec 14, 2000 at 00:32 -0800, Crist J. Clark wrote:
>
> INTRODUCTION
>
> I wanted to add some detail to the ipfw logging. Specifically,
> I wanted TCP flags. However, once I started coding, I decided
> why not toss just about every field of interest in. I have
> attached patches.
>
>
> WHAT THE PATCHES DO
>
> There are new fields for all packets. Data from the IP header,
> the IP ID, TTL, and extra fragmentation information is printed
> for all types of datagrams. TCP packets include additional
> information on sequence number, acknowledgement number, and
> flags.

Why not have the "verbosity" written in the matching rule?
One surely doesn't want to bloat *all* logged entries (not even
log all denials, and maybe log some accepted packets too).
Expand the filter description for the log verbosity level and
reference this field when the match is meant to log something.

I'm not saying that ipf(4) is the cure for everything.  But
looking at "man 5 ipf" here's what I really like about it and
you might, too:

  log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .

Although the above "loglevel" is different from your verbosity
idea (it's a syslog facility.level pair) you might want to have
the best of both worlds in ipfw(4) and code syslog levels as
well as your verbosity controlling what packet characteristics
to print out and where to do so?  :)


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
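The "best of both worlds" sketched in the message above, as an added example that is not code from ipf(4), ipfw(4) or the patch under discussion: a small parser for the ipf(5) log clause quoted above (`log [body] [first] [or-block] [level facility.severity]`), extended with a hypothetical per-rule `verbosity N` keyword, plus a log-line renderer that adds the IP header fields (ID, TTL, fragment data) and TCP fields (sequence, acknowledgement, flags) named in the original post only at the higher verbosity levels. The `verbosity` keyword, its three tiers, the output layout and the sample rule and packet are all assumptions made for illustration; the facility and severity numbers and the `PRI = facility*8 + severity` rule are the standard syslog encoding.

```python
# Added example, not code from ipf(4)/ipfw(4) or the patch under discussion.
# Parses the ipf(5) "log" clause quoted in the message and adds a hypothetical
# per-rule "verbosity" keyword that selects which packet fields get logged.

# Standard syslog facility and severity codes; PRI = facility*8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{"local%d" % n: 16 + n for n in range(8)},
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
# Hypothetical tiers: 0 = addresses only, 1 = +IP header, 2 = +TCP header.
MAX_VERBOSITY = 2


def parse_level(spec):
    """Turn an ipf-style 'facility.severity' pair into a numeric syslog PRI."""
    try:
        fac, sev = spec.split(".", 1)
        return FACILITIES[fac] * 8 + SEVERITIES[sev]
    except (ValueError, KeyError):
        raise ValueError("bad syslog level %r" % spec)


def parse_log_clause(tokens):
    """Consume a log clause from the front of a token list:
        log [body] [first] [or-block] [level fac.sev] [verbosity N]
    'verbosity' is the hypothetical extension; the rest is ipf's grammar
    (ipf fixes the option order, this parser accepts any order).
    Returns (options, remaining_tokens)."""
    if not tokens or tokens[0] != "log":
        raise ValueError("clause must start with 'log'")
    opts = {"body": False, "first": False, "or_block": False,
            "pri": None, "verbosity": 0}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("body", "first", "or-block"):
            key = tok.replace("-", "_")
            if opts[key]:
                raise ValueError("duplicate option %r" % tok)
            opts[key] = True
            i += 1
        elif tok in ("level", "verbosity"):
            if i + 1 >= len(tokens):
                raise ValueError("%r needs an argument" % tok)
            arg = tokens[i + 1]
            if tok == "level":
                opts["pri"] = parse_level(arg)
            else:
                v = int(arg)
                if not 0 <= v <= MAX_VERBOSITY:
                    raise ValueError("verbosity out of range: %d" % v)
                opts["verbosity"] = v
            i += 2
        else:
            break  # first token that is not a log option ends the clause
    return opts, tokens[i:]


def format_log_line(opts, pkt):
    """Render one log entry; higher verbosity adds the IP and TCP header
    fields that the patch under discussion prints for every packet."""
    parts = ["%s %s:%d -> %s:%d" % (pkt["proto"], pkt["src"], pkt["sport"],
                                     pkt["dst"], pkt["dport"])]
    if opts["verbosity"] >= 1:
        parts.append("id %d ttl %d frag %d%s" % (
            pkt["ip_id"], pkt["ttl"], pkt["frag_off"],
            " MF" if pkt["more_frags"] else ""))
    if opts["verbosity"] >= 2 and pkt["proto"] == "TCP":
        parts.append("seq %d ack %d flags %s" % (
            pkt["seq"], pkt["ack"], pkt["flags"]))
    pri = "" if opts["pri"] is None else "<%d>" % opts["pri"]
    return pri + " ".join(parts)


# Constructed sample rule and packet for the demo, not captured data.
SAMPLE_RULE = ("block in log first level local0.warn verbosity 2 "
               "quick on de0 proto tcp from any to any port = 22")
SAMPLE_PKT = {"proto": "TCP", "src": "192.0.2.10", "sport": 1025,
              "dst": "192.0.2.1", "dport": 22, "ip_id": 4711, "ttl": 64,
              "frag_off": 0, "more_frags": False,
              "seq": 1000, "ack": 0, "flags": "S"}


def demo(rule=SAMPLE_RULE, pkt=SAMPLE_PKT):
    """Parse the rule's log clause and render the packet under it."""
    tokens = rule.split()
    opts, rest = parse_log_clause(tokens[2:])  # skip action and direction
    return opts, rest, format_log_line(opts, pkt)


if __name__ == "__main__":
    print(demo())
```

With the sample rule the clause parses to `first` set, PRI 132 (local0 = 16, warn = 4) and verbosity 2, the remaining tokens (`quick on de0 ...`) are handed back for the rest of the rule grammar, and the rendered line carries the TCP fields; the same packet under a `verbosity 0` rule logs only the addresses, which is the per-rule control the message asks for.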