From owner-freebsd-security Sun May 5 18:04:15 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id SAA23429 for security-outgoing; Sun, 5 May 1996 18:04:15 -0700 (PDT)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id SAA23276 for ; Sun, 5 May 1996 18:02:46 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id UAA02446; Sun, 5 May 1996 20:02:22 -0500 (CDT)
Date: Sun, 5 May 1996 20:02:22 -0500 (CDT)
Message-Id: <199605060102.UAA02446@zen.nash.org>
From: Alex Nash
To: security@freebsd.org
Subject: ipfw logging in /etc/security
Reply-to: nash@mcs.com
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've added a couple of lines (ok, really I stole them from the setuid diff section) to my /etc/security that show changes in ipfw denied packet counts. Perhaps if someone who has commit privileges thinks this is worthwhile it could be added into the standard distribution.

[ Added lines are at end of message ]

An example /etc/security mail may look like:

checking setuid files and devices:

checking for uids of 0:
root 0

denied packets:
> 5700 4 176 deny tcp from any to 163.49.131.129 137-139

I can think of one point of contention: the output is generated via diff, but I'm stripping out everything but the current values. Do we want to compare them side by side to the packet/byte counts from the previous day?

On a side note, ipfw does not allow resetting of individual packet counters. Would a modification to ipfw that allowed syntax like:

	ipfw zero 5700

or

	ipfw zero deny tcp from any to 163.49.131.129 137-139

be desirable? I am willing to submit the changes if there is backing for this.

Alex

(This was tested under 2.1-STABLE, but I think the output of RELEASE is similar enough that it should work there too.)
# show denied packets
# $TMP and $LOG are the scratch file and log directory /etc/security already defines.
ipfw -a l | grep deny > $TMP
# Only report when today's deny counters differ from the saved copy.
if cmp $LOG/ipfw.today $TMP >/dev/null; then :; else
	echo ""
	echo ""
	echo "denied packets:"
	# Keep only the lines from the new listing ("> " in diff output).
	diff -b $LOG/ipfw.today $TMP | egrep "^>"
	# Rotate the saved listings for tomorrow's comparison.
	mv $LOG/ipfw.today $LOG/ipfw.yesterday
	mv $TMP $LOG/ipfw.today
fi
rm -f $TMP
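Added example, not part of Alex's post or of /etc/security: a sh/awk helper that takes the side-by-side approach raised as the point of contention, printing yesterday's and today's packet and byte counts for each deny rule whose counter moved. The two listings are constructed inline in the rule/packets/bytes/action column order of the `ipfw -a l` output quoted in the mail; the function name deny_delta is the example's own.

```sh
#!/bin/sh
# Example code, not from the original post: compare two saved `ipfw -a l`
# listings and show old->new packet and byte counts per changed deny rule.
# Both listings below are constructed; rule 5700 mirrors the mail's example.

YESTERDAY=$(mktemp)
TODAY=$(mktemp)
trap 'rm -f "$YESTERDAY" "$TODAY"' EXIT

cat > "$YESTERDAY" <<'EOF'
00100      12    960 allow ip from any to any via lo0
05700       2     88 deny tcp from any to 163.49.131.129 137-139
06000       7    420 deny udp from any to any 111
65535   10000 900000 allow ip from any to any
EOF

cat > "$TODAY" <<'EOF'
00100      20   1600 allow ip from any to any via lo0
05700       4    176 deny tcp from any to 163.49.131.129 137-139
06000       7    420 deny udp from any to any 111
65535   12000 950000 allow ip from any to any
EOF

# deny_delta OLD NEW
# Prints "rule oldpkts->newpkts oldbytes->newbytes <rule body>" for every
# deny rule in NEW whose packet count differs from OLD; a rule absent from
# OLD (added since yesterday) shows "-" as its old values.
deny_delta() {
    awk '
        # First file: remember previous counts keyed by rule number.
        FNR == NR { opkts[$1] = $2; obytes[$1] = $3; next }
        # Second file: deny rules only, skipping unchanged counters.
        $4 == "deny" {
            old_p = ($1 in opkts) ? opkts[$1] : "-"
            old_b = ($1 in obytes) ? obytes[$1] : "-"
            if (old_p == $2) next
            body = ""
            for (i = 4; i <= NF; i++) body = body " " $i
            printf "%s %s->%s %s->%s%s\n", $1, old_p, $2, old_b, $3, body
        }
    ' "$1" "$2"
}

deny_delta "$YESTERDAY" "$TODAY"
```

In the constructed data only rule 05700 changed, so a single line is printed; rule 06000, whose counters stood still, is suppressed.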